No Patches for Hospital Temperature Monitors’ Critical Flaws – Source: www.databreachtoday.com

Governance & Risk Management
,
Healthcare
,
Industry Specific

Researchers Say Manufacturer Proges Plus Hasn’t Responded to Vulnerability Findings

Prajeet Nair (@prajeetspeaks) •
June 27, 2024    

Vulnerabilities in internet-connected temperature monitoring devices mainly used in hospitals, and their accompanying desktop application, could allow hackers to gain administrator privileges to the technology.

See Also: Reducing Complexity in Healthcare IT (eBook)

Researchers at Nozomi Networks uncovered four vulnerabilities in Sensor Net Connect and three flaws in the Thermoscan IP desktop application, both made by a division of French firm Proges Plus.

The system is designed for environments such as hospitals where temperatures must remain exact and constant. One flaw, tracked as CVE-2024-31202, would allow a user with basic access to the Thermoscan IP application to create new accounts and assign them admin-level privileges. A real-world example of a user who might already have basic access to the desktop application includes maintenance contractors and third-party applications, Nozomi said in a Thursday blog post.

Researchers suggest attackers could use their access to exfiltrate sensitive data or compromise temperature monitoring integrity. In the United States, authorities have long warned that medical devices are potential avenues for hackers, given manufacturers’ tendency to not subject their products to security testing during development or post-sale.

Should vulnerabilities get discovered in devices, many remain unpatched, especially if used in smaller medical practices that lack full-time cybersecurity support. A 2022 warning from the FBI cited research finding that medical devices on average carry 6.2 vulnerabilities and that more than half of networked devices in hospitals have known, critical flaws.

A 2023 U.S. law requires manufacturers to hew to enhanced cybersecurity requirements when submitting new devices for federal approval, including by demonstrating a device’s ability to be updated and patched, as well as proving the efficacy of their security controls and testing regime (see: Exclusive: FDA Leader on Impact of New Medical Device Law).

Nozomi said it attempted to contact Proges Plus multiple times, directly and indirectly through the U.S. CERT Coordination Center but received no response. Information Security Media Group has requested comment from the company.

Given the lack of direct remediation, such as the vendor releasing patches or mitigation advice, Nozomi recommends segregating the temperature monitoring infrastructure by preventing regular clients from accessing the web configuration interface. The firm also suggests regularly monitoring logs and account activity to look for signs of suspicious or malicious activity.