Code Execution Vulnerability Identified in Change Healthcare Cardiology Devices

Share this article on:

A vulnerability has been identified in Change Healthcare Cardiology, McKesson Cardiology, and Horizon Cardiology devices. The vulnerability could be exploited by a locally authenticated user to insert files that could allow the attacker to execute arbitrary code on a vulnerable device.

The vulnerability – CVE-2019-18630 – was identified by Alfonso Powers and Bradley Shubin of Asante Information Security who reported the vulnerability to Change Healthcare. Change Healthcare notified the National Cybersecurity & Communications Integration Center (NCCIC) and a security advisory has now been issued by US-CERT.

The vulnerability has been assigned a CVSS v3 base score of 7.8 out of 10 and is the result of incorrect default permissions in the default installation. While the vulnerability only requires a low level of skill to exploit, an attacker would first need local system access which will limit the potential for the flaw to be exploited.

Change Healthcare has issued an advisory for users of the following cardiology devices:

  • Horizon Cardiology 11.x and earlier
  • Horizon Cardiology 12.x
  • McKesson Cardiology 13.x
  • McKesson Cardiology 14. x
  • Change Healthcare Cardiology 14.1.x

Change Healthcare has developed a patch to correct the vulnerability. All users of the above affected products have been advised to contact their Change Healthcare Support representative to arrange for the patch to be installed.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency recommends the following mitigations to reduce the potential for the vulnerability to be exploited until such time as the patch can be applied:

  • Minimize network exposure for control system devices and/or systems.
  • Locate medical devices behind firewalls
  • Isolate medical devices as far as is possible
  • Implement safeguards that restrict access to medical devices to authorized personnel
  • Apply the principle of least privilege to access controls.
  • Apply defense-in-depth strategies
  • Disable unnecessary accounts, protocols and services.

Prior to implementing any mitigations, healthcare providers should conduct an impact risk analysis and risk assessment.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On