Code Execution Vulnerability Found in Cardiology Devices of Change Healthcare

Devices of Change Healthcare Cardiology, Horizon Cardiology and McKesson Cardiology were found to have a vulnerability, which a locally authenticated user could exploit to add files that can enable the attacker to implement arbitrary code on a device.

Asante Information Security’s Alfonso Powers and Bradley Shubin identified vulnerability CVE-2019-18630 and reported it to Change Healthcare. The company informed the National Cybersecurity & Communications Integration Center (NCCIC) regarding the vulnerability. US-CERT already issued a security advisory regarding this.

The vulnerability has a designated CVSS v3 base score of 7.8 and is due to wrong default permissions input in the default set up. Although an attacker with low-level skills can exploit the vulnerability, an attacker must have local system access first, thus limiting the possibility of exploting the vulnerability.

Change Healthcare has provided a recommendation for users who have the cardiology devices listed below:

  • McKesson Cardiology 13.x
  • McKesson Cardiology 14. x
  • Horizon Cardiology 11.x and prior versions
  • Horizon Cardiology 12.x
  • Change Healthcare Cardiology 14.1.x

Change Healthcare has created a patch to fix the vulnerability. Users who have a device included in the list above must get in touch with their Change Healthcare Support agent to have the patch installed.

The following lists the mitigations recommended by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to lessen the possibilities of attackers exploiting the vulnerability until the patch is applied:

  • Reduce exposing control system devices and/or systems to the network
  • Protect medical devices with firewalls
  • Deactivate unnecessary accounts, services, and protocols
  • Separate medical devices to as far as possible
  • Put safeguards that limit medical device access to authorized people
  • Use defense-in-depth techniques
  • Systems access must be controlled by the principle of least privilege

Before applying any mitigations, it is good for healthcare providers to perform an impact risk analysis and evaluation.