1,400+ vulnerabilities found in automated medical supply system

Security researchers have discovered 1,418 vulnerabilities in CareFusion’s Pyxis SupplyStation system – automated cabinets used to dispense medical supplies – that are still being used in the healthcare and public health sectors in the US and around the world.

medical supply system

The vulnerabilities can be exploited remotely by attackers with low skills, and exploits that target these vulnerabilities are publicly available, ICS-CERT has warned in an advisory.

The worst part of it is that the affected versions of the software are at end‑of-life, and won’t be receiving a patch even though they are widely used.

What is the Pyxis SupplyStation system?

Developed by CareFusion, which was recently acquired by Becton, Dickinson and Company (BD), the Pyxis SupplyStation system dispenses medical supplies and documents usage in real-time.

“The Pyxis SupplyStation systems include automated devices that may be deployed using a variety of functional configurations. [They] have an architecture that typically includes a network of units, or workstations, located in various patient care areas throughout a facility and managed by the Pyxis SupplyCenter server, which links to the facility’s existing information systems,” ICS-CERT explained.

“Exploitation of these vulnerabilities may allow a remote attacker to compromise the Pyxis SupplyStation system. The SupplyStation system is designed to maintain critical functionality and provide access to supplies in ‘fail-safe mode’ in the event that the cabinet is rendered inoperable. Manual keys can be used to access the cabinet if it is rendered inoperable.”

Which versions are vulnerable?

Versions 8.0, 8.1.3, 9.0, 9.1, 9.2 and 9.3 that operate on Windows Server 2003/XP of the Pyxis SupplyStation system software are affected. Versions 9.3, 9.4, and 10.0 that operate on Server 2008/Server 2012/Windows 7 do not sport these vulnerabilities.

The discovery

Independent researchers Billy Rios and Mike Ahmadi obtained a Pyxis SupplyStation through a third-party that resells decommissioned systems from healthcare systems, and used an automated software analysis tool to ferret out the vulnerabilities.

The flaws are present in seven different third-party vendor software packages bundled in the vulnerable system, including MS Windows XP, Symantec Antivirus 9, and Symantec pcAnywhere 10.5.

715 of the found vulnerabilities are critical or high-severity.

What’s to be done about it?

CareFusion has been involved in the research, and has confirmed the existence of these flaws. Still, no updates will be offered for these end-of-life systems.

Instead, the company has started contacting customers that bought the automated supply cabinets, advising them to upgrade to newer versions and explaining how to do it.

But, aware that’s not always possible, the company has also issued recommendations on how to minimize the risk of those systems being compromised – things like monitoring network traffic attempting to reach the affected products for suspicious activity, and isolating them from the business network, untrusted systems and the Internet, but also updating the software packages included in the system software (where possible).

More recommendations can be had from the ICS-CERT advisory.

Healthcare and security

It’s true that cyber attackers are mostly after healthcare data, as it usually contains the perfect bundle of individuals’ personal information, credit information, and protected health information.

It’s also true that healthcare organizations need a healthy dose of investment in technologies in order to prevent successful attacks.

It’s understandable that healthcare organizations are currently more concentrated on fending off ransomware, as that will impact their functioning at all levels.

But with more and more researchers concentrating on finding vulnerabilities in medical devices and systems (systems found exposed online, sporting hard-coded passwords, etc.), it’s becoming obvious that cyber attacks can – and inevitably some day will – result in physical harm.

The healthcare industry – from manufacturers to practitioners – must start considering system and data security important.