Select Hillrom Electrocardiograph Products Impacted by Medical Device Vulnerabilities

June 20, 2022 - Two medical device vulnerabilities in select Hillrom electrocardiograph products may cause unauthorized access and security risks, a Cybersecurity and Infrastructure Security Agency (CISA) ICS advisory stated.

Hillrom has released software updates for all affected devices, and new product versions are in the works. No known exploits involving these vulnerabilities have been reported, but healthcare organizations using these devices should exercise caution and employ defensive measures.

The first vulnerability (CVE-2022-26388), which involves the use of hard-coded passwords, received a Common Vulnerability Scoring System (CVSS) score of 6.4. The second vulnerability (CVE-2022-26389), involving improper access control, received a CVSS score of 7.7

“Successful exploitation of these vulnerabilities could allow an attacker to compromise software security by executing commands, gaining privileges, reading sensitive information, evading detection, etc,” the advisory stated.

The following products may be affected by these vulnerabilities:

• Welch Allyn ELI 380 Resting Electrocardiograph: Versions 2.6.0 and prior
• Welch Allyn ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph: Versions 2.3.1 and prior
• Welch Allyn ELI 250c/BUR 250c Resting Electrocardiograph: Versions 2.1.2 and prior
• Welch Allyn ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph: Versions 2.2.0 and prior

An anonymous user reported the vulnerabilities to Hillrom, CISA stated. The first vulnerability stems from hard-coded, or unchangeable, passwords used for inbound authentication and outbound communication contained in the impacted products. Hard-coded passwords could lead to authentication failures that are difficult to detect.

The improper access control vulnerability means that the software does not restrict access to a resource from an unauthorized actor, which could lead to compromised security.

Hillrom recommended that users apply physical and network security controls, use a unique encryption key for ELI Link and Cardiograph, and use a firewall to prevent communication on Port 21 FTP service, Port 22 SSH (Secure Shell Connection), and Port 23 Telnet service.

CISA encouraged uders to take the following actions to mitigate risk of exploitation:

• Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolate them from the business network.
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

Medical device security continues to be a pain point for the healthcare sector. Legislators have introduced multiple bills that target medical device security in recent months. Most recently, two US Senators introduced the Strengthening Cybersecurity for Medical Devices Act, which called on the US Food and Drug Administration (FDA) to review and update its medical device security guidelines every two years.