The Department of Homeland Security (DHS) says that some Siemens medical imaging devices that run Windows 7 are vulnerable to cyberattack. If compromised, these specific Siemens devices could allow an attacker to "remotely execute arbitrary code," DHS says.

The alert from DHS's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) says Germany-based Siemens identified four vulnerabilities in the medical imaging products and is preparing patches.

"These vulnerabilities could be exploited remotely," DHS points out. "Exploits that target these vulnerabilities are known to be publicly available. Successful exploitation of these vulnerabilities may allow the attacker to remotely execute arbitrary code. Impact to individual organizations depends on many factors that are unique to each organization."

Siemens says the vulnerabilities affect all Windows 7-based versions of the following imaging products:

  • Siemens PET/CT Systems
  • Siemens SPECT/CT Systems
  • Siemens SPECT Systems
  • Siemens SPECT Workplaces/Symbia.net

Siemens alerted its customers to the vulnerability, posting on its website July 26 that it is preparing updates for the affected products and "recommends protecting network access to the molecular imaging products with appropriate mechanisms." Siemens also suggests that users run the affected devices on a "dedicated network segment and protected IT environment" to reduce their exposure to attack until the fix is applied.

If the devices can't be patched in a secure environment, users should take the following action, per the company: "If patient safety and treatment is not at risk, disconnect the product from the network and use in standalone mode. Reconnect the product only after the patch is installed on the system."

Siemens also pointed out that it can patch systems remotely more quickly than if it must send a technician to the health system's site.

The company told customers to ensure appropriate backups and system restoration procedures are in place. Information Security Media Group reports that the updates will be available this month, but offered no further specifics, and a spokesperson said that the likelihood that patient information will be compromised is small.

"The exploitability of the vulnerabilities depends on the actual configuration and deployment environment of each product," Siemens posted. "Siemens is working on updates for affected products and recommends specific countermeasures until fixes are available."

Health IT Security notes that the timing of the Siemens announcement could not be more ironic, or timely. Sen. Richard Blumenthal (D-Conn.) recently introduced the Medical Device Cybersecurity Act of 2017 "to better protect sensitive patient information and to create stronger cybersecurity protections for connected devices."

"The security of medical devices is in critical condition," Blumenthal said in a statement. "My bill will strengthen the entire healthcare network against the ubiquitous threat of cyberattacks. Without this legislation, insecure and easily-exploitable medical devices will continue to put Americans' health and confidential personal information at risk."

The bill is meant to increase remote access protections for medical devices in and outside of the hospital, and will ensure that needed cybersecurity updates do not require FDA certification, the news site said. It aims to "provide guidance and recommendations for end-of-life devices and to expand ICS-CERT responsibilities to include the cybersecurity of medical devices."

CHIME, a major healthcare lobbying group, supports the bill, which amounts to a significant endorsement.

As for Siemens, the news of its vulnerability is likely nothing more than bad PR, but for the moment the company's technology is being scapegoated.