25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Vulnerabilities Identified in Roche Point of Care Handheld Medical Devices

Posted By on Nov 8, 2018

ICS-CERT has issued an advisory concerning five vulnerabilities that have been identified in Roche Point of Care handheld medical devices. Four vulnerabilities are high risk and one has been rated medium risk.

Successful exploitation of the vulnerabilities could allow an unauthorized individual to gain access to the vulnerable devices, modify system settings to alter device functionality, and execute arbitrary code.

The vulnerabilities affect the following Roche Point of Care handheld medical devices.

  • Accu-Chek Inform II (except Accu-Chek Inform II Base Unit Light and Accu-Chek Inform II Base Unit NEW with Software 04.00.00 or later)
  • CoaguChek Pro II
  • CoaguChek XS Plus & XS Pro
  • Cobas h 232 POC
  • Including the related base units (BU), base unit hubs and handheld base units (HBU).

CVE-2018-18564 is an improper access control vulnerability. An attacker in the adjacent network could execute arbitrary code on the system using a specially crafted message. The vulnerability is rated high severity and has been assigned a CVSS v3 base score of 8.3.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The vulnerability is present in:

  • Accu-Chek Inform II Instrument (Versions prior to 03.06.00 (SN < 14000) and 04.03.00 (SN > 14000))
  • CoaguChek Pro II (Versions prior to 04.03.00)
  • cobas h 232 (Versions prior to 04.00.04 (SN > KQ0400000 or KS0400000))

CVE-2018-18565 is an improper access control vulnerability that would allow an individual that has access to an adjacent network to change the configuration of instrumentation. The vulnerability is rated high severity and has been assigned a CVSS v3 base score of 8.2.

The vulnerability is present in:

  • Accu-Chek Inform II Instrument (Versions prior to 03.06.00 (SN < 14000) and 03.00 (SN >14000))
  • CoaguChek Pro II (Versions prior to 04.03.00)
  • CoaguChek XS Plus (Versions prior to 03.01.06)
  • CoaguChek XS Pro (Versions prior to 03.01.06)
  • Cobas h 232 (Versions prior to 03.01.03 (SN < KQ0400000 or KS0400000))
  • Cobas h 232 (Versions prior to 03.01.03 (SN > KQ0400000 or KS0400000))

CVE-2018-18562 concerns insecure permissions in a service interface that could allow unauthorized users in an adjacent network to execute arbitrary commands on operating systems. The vulnerability is rated high severity and has been assigned a CVSS v3 base score of 8.0.

The vulnerability is present in:

  • Accu-Chek Inform II Base Unit / Base Unit Hub 9 (Versions prior to 03.01.04)
  • CoaguChek / cobas h232 Handheld Base Unit (Versions prior to 03.01.04)

CVE-2018-18563 affects the software update mechanism which could be exploited by an attacker in an adjacent network to overwrite arbitrary files on the system using a specially crafted update package. The vulnerability is rated high severity and has been assigned a CVSS v3 base score of 8.0

The vulnerability is present in:

  • CoaguChek Pro II (Versions prior to 04.03.00)
  • CoaguChek XS Plus (Versions prior to 03.01.06)
  • CoaguChek XS Pro (Versions prior to 03.01.06)
  • Cobas h 232 (Versions prior to 03.01.03 (SN < KQ0400000 or KS0400000))
  • Cobas h 232 (Versions prior to 03.01.03 (SN > KQ0400000 or KS0400000))

CVE-2018-18561 is an improper authentication vulnerability involving the use of weak access credentials. An individual that has access to an adjacent network could gain service access to a vulnerable device through a service interface. The vulnerability is rated medium severity and has been assigned a CVSS v3 base score of 6.5.

The vulnerability is present in:

  • Accu-Chek Inform II Base Unit / Base Unit Hub
  • CoaguChek / Cobas h232 Handheld Base Unit running 03.01.04 and earlier versions

All five vulnerabilities were identified by Niv Yehezkel of Medicate, who disclosed the vulnerabilities to Roche.

Mitigation procedures have been recommended by Roche to reduce the risk of the vulnerabilities being exploited. Software updates to address the vulnerabilities have been scheduled for release in November 2018.

Roche recommends:

  • Restricting network and physical access to the devices and their attached infrastructure through the activation of device security features
  • Protecting vulnerable devices from unauthorized access, theft, and malicious software
  • Monitoring network infrastructure and system activity for suspicious activity.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist