HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Multiple Vulnerabilities Identified in Contec Health Vital Signs Patient Monitors

Five vulnerabilities have been identified in Contec Health’s CMS8000 CONTEC ICU CCU Vital Signs Patient Monitor. Successful exploitation of the vulnerabilities could allow a threat actor to conduct a denial-of-service attack, access a root shell, make configuration changes, modify firmware, and cause the monitor to display incorrect information.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory about the vulnerabilities but said Contec Health did not respond to its requests, so healthcare providers that use the affected monitors should contact Contec Health directly for information on how to mitigate the vulnerabilities.

The most serious vulnerability – CVE-2022-38100 – has a CVSS v3 severity score of 7.5 and can be exploited remotely by a threat actor with access to the network. Successful exploitation of the vulnerability would cause the device to fail. The flaw can be exploited by sending malformed network data to the device via a specially formatted UDP request. The device would crash and require a reboot. The attack could be conducted simultaneously on all vulnerable devices connected to the network in a mass denial-of-service attack.

The device has improper access controls that can be exploited, albeit by a threat actor with physical access to the device. A USB device could be plugged in and malicious firmware could be uploaded to permanently change the functionality of the device. No authentication is required to perform the firmware upgrade. The flaw is tracked as CVE-2022-36385 and has a CVSS severity score of 6.8.

The device does not correctly sanitize the SSID name of a new Wi-Fi access point – CVE-2022-3027. If an access point is created with a maliciously crafted SSID, such as one containing non-standard characters, the flaw could be exploited when the device attempts to connect to that access point, allowing files to be written to the device and causing it to display incorrect information. The flaw has been assigned a CVSS severity score of 5.7.
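The defensive counterpart to the SSID flaw is to treat a scanned network name as untrusted input before it reaches a config file, a shell command or a file path. The Go program below is an added example, not code from Contec or from the advisory; the function names `ValidateSSID` and `ConfigSSIDHex` and the sample SSIDs are constructed for illustration. It enforces the 802.11 32-octet limit, rejects control characters and the characters that take on a meaning in those three places, and shows the alternative of never interpolating the raw name at all by emitting the unquoted hex form that wpa_supplicant accepts for `ssid=`.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"unicode"
	"unicode/utf8"
)

// maxSSIDLen is the 32-octet SSID limit from IEEE 802.11.
const maxSSIDLen = 32

// ErrBadSSID wraps every validation failure so callers can test for it with errors.Is.
var ErrBadSSID = errors.New("ssid rejected")

// ValidateSSID (hypothetical name) accepts an SSID only if it is 1..32 octets of
// valid UTF-8 containing no control characters and none of the characters that
// carry meaning in a shell command line, a config-file line or a file path.
// A device that stores or applies the name of a newly scanned access point
// should run this before the name reaches any of those places.
func ValidateSSID(ssid string) error {
	n := len(ssid)
	if n == 0 || n > maxSSIDLen {
		return fmt.Errorf("%w: length %d not in 1..%d", ErrBadSSID, n, maxSSIDLen)
	}
	if !utf8.ValidString(ssid) {
		return fmt.Errorf("%w: not valid UTF-8", ErrBadSSID)
	}
	// Path separators, shell metacharacters and quote characters.
	const disallowed = "/\\`$;|&\"'<>"
	for _, r := range ssid {
		if unicode.IsControl(r) {
			return fmt.Errorf("%w: control character U+%04X", ErrBadSSID, r)
		}
		if strings.ContainsRune(disallowed, r) {
			return fmt.Errorf("%w: disallowed character %q", ErrBadSSID, r)
		}
	}
	return nil
}

// ConfigSSIDHex (hypothetical name) returns the SSID as a lowercase hex string.
// wpa_supplicant accepts ssid=<hex> without quotes, so the raw name never has
// to be escaped for the config file; this is the option to use when a name
// must be preserved byte-for-byte rather than rejected.
func ConfigSSIDHex(ssid string) string {
	return hex.EncodeToString([]byte(ssid))
}

func main() {
	// Constructed sample SSIDs, including a few that should be refused.
	samples := []string{"Ward3-Monitors", "", "guest/lobby", "net\x00name", "Café"}
	for _, s := range samples {
		if err := ValidateSSID(s); err != nil {
			fmt.Printf("%q -> %v\n", s, err)
			continue
		}
		fmt.Printf("%q -> ok, config form ssid=%s\n", s, ConfigSSIDHex(s))
	}
}
```

Rejecting is the simpler policy and is what the validator does; the hex form is for the case where the device must still be able to join a network whose name contains characters the allowlist refuses.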

The device has hard-coded credentials, which would allow a threat actor with physical access to the device to gain privileged access and steal patient information and change the device parameters. The flaw is tracked as CVE-2022-38069 and has a CVSS severity score of 4.3. Active debug code has not been stripped out – CVE-2022-38453 – which makes it easier for a threat actor to reverse engineer sensitive code and identify additional vulnerabilities.

The following steps are recommended to reduce the risk of exploitation of the vulnerabilities:

  • Disabling UART functionality at the CPU level
  • Enforcing unique device authentication before granting access to the terminal/bootloader
  • Enforcing secure boot where possible
  • Applying tamper-evident stickers to the device casing to indicate when a device has been opened
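The unauthenticated USB firmware upgrade (CVE-2022-36385) and the bootloader-authentication and secure-boot items above come down to one gate: the device refuses to apply any image whose signature does not verify under a public key pinned in the device. The Go program below is an added example, not Contec's update format or code; the image layout, the function names `BuildImage` and `VerifyImage`, the Ed25519 key pair and the payload are all constructed for illustration. It signs a payload on the build side, then shows the device-side check rejecting a tampered image, an image signed with the wrong key, and a rollback to a version no newer than the one installed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout, constructed for this example (not Contec's format):
//   magic "FWIM" (4) | version (4, big-endian) | Ed25519 signature (64) | payload
// The signature covers the magic, the version and the SHA-256 of the payload.
const (
	imgMagic = "FWIM"
	sigLen   = ed25519.SignatureSize
	hdrLen   = 4 + 4 + sigLen
)

var (
	ErrFormat   = errors.New("firmware image: malformed header")
	ErrSig      = errors.New("firmware image: signature does not verify")
	ErrRollback = errors.New("firmware image: version not newer than installed")
)

// signedMessage is the exact byte string both sides sign and verify.
func signedMessage(version uint32, payload []byte) []byte {
	sum := sha256.Sum256(payload)
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	msg := make([]byte, 0, 4+4+len(sum))
	msg = append(msg, imgMagic...)
	msg = append(msg, v[:]...)
	return append(msg, sum[:]...)
}

// BuildImage is the vendor-side step: sign the payload with the private key,
// which never leaves the build environment.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	sig := ed25519.Sign(priv, signedMessage(version, payload))
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	img := make([]byte, 0, hdrLen+len(payload))
	img = append(img, imgMagic...)
	img = append(img, v[:]...)
	img = append(img, sig...)
	return append(img, payload...)
}

// VerifyImage is the device-side gate a bootloader or updater runs before it
// writes anything to flash, whether the image arrived over USB or the network:
// header check, signature under the pinned public key, and a monotonic version
// so an older, known-vulnerable build cannot be reinstalled.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	if len(img) < hdrLen || string(img[:4]) != imgMagic {
		return 0, nil, ErrFormat
	}
	version := binary.BigEndian.Uint32(img[4:8])
	sig := img[8 : 8+sigLen]
	payload := img[hdrLen:]
	if !ed25519.Verify(pub, signedMessage(version, payload), sig) {
		return 0, nil, ErrSig
	}
	if version <= installed {
		return 0, nil, ErrRollback
	}
	return version, payload, nil
}

func main() {
	// Constructed key pair and payload; on a real device only the public key is present.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	img := BuildImage(priv, 2, []byte("constructed firmware payload"))

	check := func(label string, key ed25519.PublicKey, installed uint32, image []byte) {
		v, _, err := VerifyImage(key, installed, image)
		if err != nil {
			fmt.Printf("%-22s rejected: %v\n", label, err)
			return
		}
		fmt.Printf("%-22s accepted, version %d\n", label, v)
	}
	check("genuine image", pub, 1, img)

	tampered := append([]byte(nil), img...)
	tampered[len(tampered)-1] ^= 0x01 // one payload bit flipped
	check("tampered payload", pub, 1, tampered)

	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	check("wrong signing key", otherPub, 1, img)
	check("rollback (installed 2)", pub, 2, img)
}
```

The signature is checked before the payload is parsed or written, and the version comparison runs only after the signature passes, so an attacker with physical access and a USB stick gets no further than a rejected header; pinning the public key in immutable storage (or in the CPU's boot ROM, for secure boot) is what keeps the check itself from being replaced.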

Users should also restrict access to the devices, minimize network exposure, locate the devices behind firewalls, and use a secure method to connect to the device if remote access is required, such as a VPN.

The vulnerabilities were discovered by researchers at Level Nine.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.