Code Execution Vulnerability Identified in Change Healthcare Cardiology Devices
A vulnerability has been identified in Change Healthcare Cardiology, McKesson Cardiology, and Horizon Cardiology devices. The vulnerability could be exploited by a locally authenticated user to insert files that could allow the attacker to execute arbitrary code on a vulnerable device.
The vulnerability – CVE-2019-18630 – was identified by Alfonso Powers and Bradley Shubin of Asante Information Security, who reported the vulnerability to Change Healthcare. Change Healthcare notified the National Cybersecurity & Communications Integration Center (NCCIC), and a security advisory has now been issued by US-CERT.
The vulnerability has been assigned a CVSS v3 base score of 7.8 out of 10 and is the result of incorrect default permissions in the default installation. While the vulnerability only requires a low level of skill to exploit, an attacker would first need local system access, which will limit the potential for the flaw to be exploited.
Change Healthcare has issued an advisory for users of the following cardiology devices:
- Horizon Cardiology 11.x and earlier
- Horizon Cardiology 12.x
- McKesson Cardiology 13.x
- McKesson Cardiology 14.x
- Change Healthcare Cardiology 14.1.x
Change Healthcare has developed a patch to correct the vulnerability. All users of the above affected products have been advised to contact their Change Healthcare Support representative to arrange for the patch to be installed.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency recommends the following mitigations to reduce the potential for the vulnerability to be exploited until such time as the patch can be applied:
- Minimize network exposure for control system devices and/or systems.
- Locate medical devices behind firewalls.
- Isolate medical devices as far as is possible.
- Implement safeguards that restrict access to medical devices to authorized personnel.
- Apply the principle of least privilege to access controls.
- Apply defense-in-depth strategies.
- Disable unnecessary accounts, protocols and services.
Prior to implementing any mitigations, healthcare providers should conduct an impact risk analysis and risk assessment.