Here are the security flaws found in critical hospital infrastructure around the world. (Photo by Yasuyoshi CHIBA / AFP)

Critical security flaws found in hospital infrastructures around the world

  • There were nine critical vulnerabilities detected in the pneumatic tube system (PTS) used by 80% of hospitals in North America and 3,000 hospitals worldwide.
  • The vulnerabilities put these hospitals at heightened risk of ransomware attacks.

More than 3,000 hospitals worldwide, including 80% of medical centers in North America, are exposed to nine critical vulnerabilities that place them at heightened risk of ransomware attacks. Swisslog’s Translogic Pneumatic Tube System (PTS), commonly known as an air tube system, plays a crucial role in patient care and was found vulnerable to devastating attacks that put the security of a hospital and its patients at risk.

The flaws in the system from Swisslog, an industry leader for medication management solutions, were discovered by researchers from security platform Armis. They are in the Nexus Control Panel, which powers all models of Translogic PTS stations. The system is a key component of patient care and is responsible for transporting blood products, medications, and other materials through a network of pneumatic tubes.

How is hospital security jeopardized?

By exploiting these nine vulnerabilities, collectively known as PwnedPiper, attackers could take control of PTS stations and gain complete control over a target hospital’s tube network. This would allow them to launch ransomware campaigns by deliberately disrupting a hospital’s workflow or even stopping the system operation.

Since the network-connected PTS integrates with other hospital systems, a breach could also allow the information shared between these systems to be leaked or manipulated by an attacker. All of the vulnerabilities, which include four memory corruption bugs and a faulty GUI socket, as well as hardcoded passwords, can be triggered simply by sending unauthenticated packets over the network, without any user interaction.

The most serious vulnerability, according to Armis, is that firmware updates on the Nexus Control Panel can be initiated without encryption or authentication. This allows an attacker to execute code remotely while maintaining persistence on the device. Armis VP of research Ben Seri said, “Armis disclosed the vulnerabilities to Swisslog on 1 May 2021, and has been working with the manufacturer to test the available patch and ensure proper security measures will be provided to customers.”

Given that so many hospitals are reliant on this technology, Seri said his team has worked diligently to address these vulnerabilities to increase cyber resiliency in these healthcare environments where lives are on the line. In a statement regarding the vulnerability discovery, Swisslog stated that it immediately began working with Armis to provide short-term mitigation as well as long-term solutions.

What are the steps being taken to address the vulnerabilities? 

Armis reckons that current security measures, including traditional endpoint protection and network security solutions, are simply not designed to protect this infrastructure or identify these types of attacks. Instead, Armis said in a blog post that it would start by searching for and identifying the various components of the Swisslog system, providing complete visibility into the PTS elements.

“The discovered vulnerabilities will then appear as CVEs in the Armis console and all the affected devices will be matched with the CVEs. Policies that detect exploit attempts of the CVEs can be created, alerting security personnel so that remediation steps can be taken,” it added.

Armis also said that while patching the vulnerable Translogic PTS stations is essential, external mitigations can also be useful for detecting and preventing attacks on these systems. It recommended following the mitigation steps outlined by Swisslog in its security advisory.