Diagnostic handheld medical devices are used at the point of care, by clinicians and by patients, to monitor health conditions. Roche produces a wide range of such devices for measuring blood glucose levels, coagulation values and other parameters. Multiple security flaws were recently found in several of them, and ICS-CERT has warned patients and the healthcare industry to be cautious when using these point-of-care diagnostic devices.
Vulnerabilities Found in Roche POC Handheld Medical Devices
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has released an advisory stating that Roche Point of Care handheld medical devices contain several serious security vulnerabilities. Successful exploitation could allow an attacker to gain unauthorized access to a device, modify its system settings or execute arbitrary code on it.
Five vulnerabilities affecting the Roche POC handheld devices have been reported:
- Improper authentication (CVE-2018-18561)
- OS command injection (CVE-2018-18562)
- Unrestricted upload of file with dangerous type (CVE-2018-18563)
- Improper access control (CVE-2018-18564 and CVE-2018-18565)
These vulnerabilities have been given medium to high severity ratings.
The affected Roche devices are the Accu-Chek Inform II, the CoaguChek Pro II, XS Plus and XS Pro, the cobas h 232 POC, and the related base units (BU), base unit hubs and handheld base units (HBU). Not every vulnerability affects every device, but each listed device is affected by at least one of them. No public exploits targeting these vulnerabilities are known so far.
Recommendations for Mitigation
The vulnerabilities were found by Niv Yehezkel, a researcher at the medical device security firm Medigate, who reported them to Roche. At the time of writing no software fixes are available from the vendor, but Roche has recommended the following mitigation strategies:
- Limit access to the devices and enable their built-in security features
- Ensure adequate protection of connected endpoints against unauthorized or malicious software
- Protect non-connected devices from unauthorized access
- Vigilantly monitor the system and network infrastructure
- Promptly report a "suspected compromise" to the authorities
The National Cybersecurity and Communications Integration Center (NCCIC) additionally advises users to minimize network exposure for these devices and the systems they connect to, and in particular to ensure they are not reachable from the Internet. It also recommends placing the devices and their base units behind firewalls and isolating them from the general business network.
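As an added illustration of the segmentation that Roche and NCCIC recommend (this is example configuration written for this page, not anything published by Roche or ICS-CERT), the nftables ruleset below runs on the gateway between a dedicated VLAN holding the base units and the rest of the hospital network. The addresses, the VLAN subnet and the TCP port used between the base units and the point-of-care data-management server are assumptions for the example; the advisory does not specify them, so substitute the values from your own deployment.

```nftables
#!/usr/sbin/nft -f
# Added example ruleset: isolate the POC base-unit VLAN behind a gateway firewall.
# Assumed values (not from the advisory): base units live in 10.20.30.0/24, the
# data-management server is 10.20.40.10, and the device<->server channel uses
# TCP port 8080. Replace all three with the values used in your environment.
define POC_DEVICES = 10.20.30.0/24
define POC_SERVER  = 10.20.40.10
define POC_PORT    = 8080

flush table inet poc_segment

table inet poc_segment {
    chain forward {
        # Default-deny for traffic crossing into or out of the device VLAN.
        type filter hook forward priority 0; policy drop;

        # Allow replies on connections that were permitted below.
        ct state established,related accept

        # Base units may only talk to the data-management server, on one port.
        ip saddr $POC_DEVICES ip daddr $POC_SERVER tcp dport $POC_PORT accept

        # Only the data-management server may initiate connections to the
        # base units (configuration and software pushes). Nothing else on the
        # business network, and no Internet host, can reach them.
        ip saddr $POC_SERVER ip daddr $POC_DEVICES accept

        # Everything else involving the device VLAN, including Internet egress,
        # is logged for the monitoring team and dropped.
        ip saddr $POC_DEVICES log prefix "poc-egress-drop " drop
        ip daddr $POC_DEVICES log prefix "poc-ingress-drop " drop
    }
}
```

The logged drops double as the "vigilant monitoring" Roche asks for: any host other than the data-management server attempting to reach a base unit, or a base unit attempting to reach anything else, produces a kernel log line that can be shipped to the SIEM and reviewed. Apply the file with `nft -f` and verify with `nft list table inet poc_segment`.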