HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Code Execution Vulnerability Identified in Change Healthcare Cardiology Devices

A vulnerability has been identified in Change Healthcare Cardiology, McKesson Cardiology, and Horizon Cardiology devices. The vulnerability could be exploited by a locally authenticated user to insert files that could allow the attacker to execute arbitrary code on a vulnerable device.

The vulnerability – CVE-2019-18630 – was identified by Alfonso Powers and Bradley Shubin of Asante Information Security who reported the vulnerability to Change Healthcare. Change Healthcare notified the National Cybersecurity & Communications Integration Center (NCCIC) and a security advisory has now been issued by US-CERT.

The vulnerability has been assigned a CVSS v3 base score of 7.8 out of 10 and is the result of incorrect default permissions in the default installation. While the vulnerability only requires a low level of skill to exploit, an attacker would first need local system access which will limit the potential for the flaw to be exploited.

Change Healthcare has issued an advisory for users of the following cardiology devices:

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

  • Horizon Cardiology 11.x and earlier
  • Horizon Cardiology 12.x
  • McKesson Cardiology 13.x
  • McKesson Cardiology 14. x
  • Change Healthcare Cardiology 14.1.x

Change Healthcare has developed a patch to correct the vulnerability. All users of the above affected products have been advised to contact their Change Healthcare Support representative to arrange for the patch to be installed.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency recommends the following mitigations to reduce the potential for the vulnerability to be exploited until such time as the patch can be applied:

  • Minimize network exposure for control system devices and/or systems.
  • Locate medical devices behind firewalls
  • Isolate medical devices as far as is possible
  • Implement safeguards that restrict access to medical devices to authorized personnel
  • Apply the principle of least privilege to access controls.
  • Apply defense-in-depth strategies
  • Disable unnecessary accounts, protocols and services.

Prior to implementing any mitigations, healthcare providers should conduct an impact risk analysis and risk assessment.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.