Cybersecurity vulnerabilities in remote connectivity software used in service offerings by several medical imaging and radiation therapy firms could allow attackers to take control of connected systems, according to alerts issued by U.S. government agencies.
Seven specific vulnerabilities have been identified in PTC's Axeda agent and Axeda Desktop Server, which enable users to view and operate the same remote desktop, according to separate alerts from the U.S. Food and Drug Administration (FDA) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA). These web-based technologies are utilized by Accuray, Bayer, Elekta, GE Healthcare, and Varian.
"Successful exploitation of this vulnerability could allow an unauthorized attacker to take full control of the host operating system, resulting in full system access, remote code execution, read/change configuration, file system read access, log information access, and a denial-of-service condition," the FDA wrote in its alert. "Depending on its use in the medical device, these vulnerabilities could result in changes to the operation of the medical device and impact the availability of the remote support functionality."
In a customer security notification, Accuray said that the issue affects all of its products that contain Axeda software, including all TomoTherapy, Radixact, CyberKnife, iDMS, and Precision systems. However, no actual exploitation of these vulnerabilities has been reported to the company as of March 4, according to Accuray.
The firm is incorporating and testing the latest version of the remote access agent that will resolve these issues and will deploy the new version once testing is complete.
In the meantime, Accuray is recommending that customers employ prudent security practices to minimize the risk potential, including the following:
- Ensure that components of Accuray systems are behind the system firewall.
- Ensure that a set of firewall rules or an access control list is configured and monitored to allow inbound and outbound traffic only as required for the product.
- Ensure that only secure/sanitized USB storage devices are utilized.
- Ensure data has been backed up and stored according to your institution's policy.
- Ensure disaster recovery procedures are in place.
Bayer said in an information technology advisory that the vulnerability affects its Intego PET Infusion System (Windows 10 only), Stellant CT injection system with Certegra workstation, Stellant Flex CT injection system, MRXperion MR injection system, Digital Solutions Platform, Radimetrics dose management software, and VirtualCare Remote Module.
If connected to a VirtualCare module, other systems may be impacted, including the Mark 7 Arterion injection system; Avanta fluid management injection system; Spectris Solaris EP MR injection system; and Intego PET infusion system (Catalog number: INT SYS 200) - Windows 7.
The company said in the advisory that it's urgently working to minimize any potential impact to customers and has employed a patch to all of its devices connected to VirtualCare remote support.
"Injectors that have received this patch are no longer at risk for the vulnerability," the vendor said.
Bayer is also in the final stages of implementing a software update for devices not currently connected via VirtualCare. Once available, this update will be deployed during customers' next service visit, according to the firm.
Elekta, which leverages Axeda software components in its IntelliMax platform to provide remote support capabilities, has informed its customers about the vulnerabilities found in the Axeda software, according to the company.
However, “Elekta/PTC has no indication nor has been made aware that any of these vulnerabilities have been or are being exploited,” an Elekta spokesperson told AuntMinnie.com.
After performing impact and risk assessments, GE said it has determined that "only a very limited number" of its products are potentially impacted by a subset of the vulnerabilities. It will provide further information and updates on its Product Security Portal.
Varian uses the PTC software as part of its SmartConnect remote support and installation service. In a cybersecurity advisory, Varian said that its cybersecurity experts are analyzing and addressing potential impact to its products.
"When appropriate, Varian provides updates to fix the vulnerability, or specific countermeasures for products where fixes are not yet available," Varian said.
It has also posted two articles on the vulnerability in its MyVarian customer portal.