Code Execution Vulnerability Found in Cardiology Devices of Change Healthcare

by James Keogh

Change Healthcare Cardiology, Horizon Cardiology and McKesson Cardiology devices were found to have a vulnerability that a locally authenticated user could exploit to add files which allow the attacker to execute arbitrary code on the device.

Asante Information Security’s Alfonso Powers and Bradley Shubin identified the vulnerability, tracked as CVE-2019-18630, and reported it to Change Healthcare. The company informed the National Cybersecurity & Communications Integration Center (NCCIC) of the vulnerability, and US-CERT has already issued a security advisory about it.

The vulnerability has been assigned a CVSS v3 base score of 7.8 and is caused by incorrect default permissions in the default installation. Although an attacker with low-level skills could exploit the vulnerability, the attacker must first have local access to the system, which limits the likelihood of exploitation.
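The weakness class here is an application directory whose default permissions let any local, authenticated user add files that the application later loads or runs. The script below is an added example, not Change Healthcare code or anything from the advisory: it walks an install tree and reports every directory that is writable by group or by everyone, which is the check an administrator would want to run on a device of this kind while waiting for the vendor patch. It assumes a POSIX filesystem (mode bits); on a Windows host the same audit reads the directory ACLs with icacls or Get-Acl instead. The directory names in the demo (Cardiology, bin, plugins, data) are constructed for illustration and are not the product's real layout.

```python
"""Audit an application install tree for directories that unprivileged local
users can write to, the permission weakness behind CVE-2019-18630.

Added example, not vendor code. Assumes POSIX mode bits; the Windows
equivalent inspects ACLs (icacls / Get-Acl) rather than st_mode.
"""
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass
class Finding:
    path: str    # absolute path of the offending directory
    mode: str    # human-readable mode, e.g. "drwxrwxrwx"
    reason: str  # "world-writable" or "group-writable"


def check_directory(path: str) -> list[Finding]:
    """Return one Finding per directory under `path` (including `path`
    itself) that grants write access to group or to others.

    Write access on an application directory is enough for a local user to
    drop a file there; a sticky bit (as on /tmp) only prevents deleting other
    users' files, so sticky directories are still reported.
    """
    findings: list[Finding] = []
    for root, _dirs, _files in os.walk(path):
        st = os.lstat(root)
        if not stat.S_ISDIR(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & stat.S_IWOTH:
            findings.append(Finding(root, stat.filemode(st.st_mode), "world-writable"))
        elif mode & stat.S_IWGRP:
            findings.append(Finding(root, stat.filemode(st.st_mode), "group-writable"))
    return findings


def demo() -> dict[str, str]:
    """Build a constructed install tree with one bad default and return the
    audit result as {directory relative to the install root: reason}."""
    with tempfile.TemporaryDirectory() as base:
        app = os.path.join(base, "Cardiology")          # constructed layout
        os.makedirs(os.path.join(app, "bin"))
        os.makedirs(os.path.join(app, "plugins"))
        os.makedirs(os.path.join(app, "data", "reports"))
        os.chmod(app, 0o755)                             # owner-only write: fine
        os.chmod(os.path.join(app, "bin"), 0o755)
        os.chmod(os.path.join(app, "plugins"), 0o777)    # the insecure default
        os.chmod(os.path.join(app, "data"), 0o775)       # group can add files
        os.chmod(os.path.join(app, "data", "reports"), 0o755)
        return {os.path.relpath(f.path, app): f.reason for f in check_directory(app)}


if __name__ == "__main__":
    for rel, reason in sorted(demo().items()):
        print(f"{reason:15} {rel}")
```

Run against the real install root (for example `check_directory("/opt/<app>")`, or the vendor's install path on the device) the output is the list of directories whose permissions should be tightened to the owning service account, which is the least-privilege mitigation the advisory recommends.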

Change Healthcare has provided a recommendation for users who have the cardiology devices listed below:

  • McKesson Cardiology 13.x
  • McKesson Cardiology 14.x
  • Horizon Cardiology 11.x and prior versions
  • Horizon Cardiology 12.x
  • Change Healthcare Cardiology 14.1.x

Change Healthcare has created a patch that fixes the vulnerability. Users of any device in the list above should contact their Change Healthcare Support agent to have the patch installed.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency recommends the following mitigations to reduce the likelihood of exploitation until the patch is applied:

  • Minimize network exposure for all control system devices and/or systems
  • Protect medical devices with firewalls
  • Disable unnecessary accounts, services, and protocols
  • Isolate medical devices from other networks as far as possible
  • Put safeguards in place that restrict medical device access to authorized people
  • Use defense-in-depth techniques
  • Control system access according to the principle of least privilege

Before applying any of these mitigations, healthcare providers should perform an impact and risk analysis.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]