NCCIC recommends that users minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet after a vulnerability discovered in Medtronic’s N’Vision.
Whether it be to protect yourself from malware or to ensure that your private information is safe, having a secure place to store and share your data can definitely provide peace of mind.
At SkyFlok we do not compromise the privacy and security of your files or your customer’s data. We use innovative cloud storage technology to spread your data across multiple providers and locations to make sure it remains encrypted and private.
We provide you with a backup plan and give you easy access to your files in case of file corruption, internal or external attacks on your data.
The handheld 8840 N’Vision clinical programmer is used to program Medtronic neuromodulation devices.
The vulnerability was discovered by Billy Rios of Whitescope, who reported it to the National Cybersecurity and Communications Integration Center (NCCIC).
Medtronic said it is not developing a product update to address the vulnerability because physical access to the programmer and card is needed to exploit the vulnerability and because these devices are only intended for healthcare practitioners.
Instead, Medtronic is advising hospitals and clinicians to:
• Maintain strict physical control of the application card
• Use only 8870 application cards and not cards provided by any third party as firmware and system updates are provided directly by Medtronic using new 8870 application cards
• Return application cards to Medtronic when no longer in use or dispose of cards properly
“The application card stores PHI and PII as part of its normal operating procedure and should be handled, managed and secured in a manner consistent with the applicable laws for patient data privacy,” said Medtronic in its security bulletin.
NCCIC recommends that users minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet, as well as locate control system networks behind firewalls and isolate them from the business network.
Separately, ICS-CERT issued an advisory on a vulnerability in BD Kiestra and InoquIA+ microbiology laboratory automation equipment that could result in loss or corruption of data.
A vulnerability in DB Manager and PerformA allows an authorized user with access to a privileged account on a BD Kiestra system to issue SQL commands, which may result in data corruption, the ICS-CERT advisory explained.
BD intends to remove the functionality to trigger SQL functions in DB Manager, PerformA, and ReadA by July 2018.
Until mitigations are in place, BD recommends the following compensating controls:
DB Manager: When configuring new programs through the ‘Configuring Programs’ function in DB Manager, users are advised not to re-use current programs through the export-import function, but to set up a new program or use the predefined program templates.
Users should ensure that only authorized and qualified personnel, such as lab managers and supervisors, have access control rights to all functions in the DB Manager. This can be configured through the ‘Users’ function in DB Manager. For details about setting the appropriate user access control in DB Manager, consult the respective device manual.
ReadA Overview: Users are advised to set the ‘Users’ function for all users to ‘none’ for access to ReadA Overview, if the application is not used or not commonly used. This can be configured through the ‘Users’ function in DB Manager. If use of ReadA Overview is necessary, users are advised to ensure only authorized and qualified personnel, such as lab managers and/or lab supervisors, have access control rights to all functions in ReadA Overview. This can be configured through the ‘Users’ function in DB Manager. For details about setting the appropriate user access control in DB Manager, consult the respective device manual.
PerformA: Users are advised to ensure access to BD Kiestra servers are closely monitored while continuing to implement best security practices to effectively prevent unauthorized access to BD Kiestra Systems.
“This vulnerability has been assessed for patient safety by BD and represents a controlled risk with low probability of harm to the patient directly,” BD said in its security bulletin.
“If this particular functionality were to be exposed due to misuse or malicious abuse, this could lead to a loss of data or corruption of data. This could potentially cause a delay in test results being reported to the clinician, which could lead to a delay in diagnosis and/or treatment,” BD added.