June 24, 2019


US-CERT Issues Advisory About Vulnerabilities in Patient Monitors

The U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Team (US-CERT) recently issued an advisory outlining three vulnerabilities in Drager Infinity Delta patient monitoring devices.

The vulnerabilities affect all versions of the Drager Delta, Delta XL, Kappa, and Infinity Explorer C700 patient monitoring devices. According to the alert, the three security flaws include:

  • Exposure of Information in Log Files—the log files are not secured and can be accessed over an unauthenticated network, which allows an attacker to view the sensitive information contained in the logs, including the location of the device, the internal information of the monitor, and its network configuration.
  • Improper Input Validation—a flaw in the manner in which input is validated can be exploited to cause the monitor to reboot constantly until it reverts to the default configuration, causing network connectivity to be lost.
  • Privilege Escalation Through Improper Privilege Management—this vulnerability allows the attacker to gain access to the operating system and take full control of it.

Drager issued patches for the vulnerabilities in December 2018. According to the alert, users should update the devices to the newest version, which is accessible through Drager ServiceConnect; review their network segmentation configuration to affirm that devices are separated from the hospital LAN system; and confirm that the Windows patch level on the Infinity Explorer is up to date.

Copyright © 2019 Robinson & Cole LLP. All rights reserved.


About this Author

Linn F. Freedman, Robinson Cole Law Firm, Cybersecurity and Litigation Law Attorney, Providence

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She provides guidance on data privacy and cybersecurity compliance to a full range of public and private clients across all industries, such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine, and charitable organizations. Linn is a member of the firm's Business Litigation Group and chairs its Data Privacy + Cybersecurity Team. She is also a member of the Financial Services Cyber-Compliance Team (CyFi ...