Cybersecurity vulnerability ensnares imaging, radiation therapy firms

Erik L. Ridley
Mar 9, 2022
2019 03 26 18 32 2300 Computer Hacker Security 400

Cybersecurity vulnerabilities in remote connectivity software used in service offerings by several medical imaging and radiation therapy firms could allow attackers to take control of connected systems, according to alerts issued by U.S. government agencies.

Seven specific vulnerabilities have been identified in PTC's Axeda agent and Axeda Desktop Server, which enable users to view and operate the same remote desktop, according to separate alerts from the U.S. Food and Drug Administration (FDA) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA). These web-based technologies are utilized by Accuray, Bayer, Elekta, GE Healthcare, and Varian.

"Successful exploitation of this vulnerability could allow an unauthorized attacker to take full control of the host operating system, resulting in full system access, remote code execution, read/change configuration, file system read access, log information access, and a denial-of-service condition," the FDA wrote in its alert. "Depending on its use in the medical device, these vulnerabilities could result in changes to the operation of the medical device and impact the availability of the remote support functionality."

Accuray

In a customer security notification, Accuray said that the issue affects all of its products that contain Axeda software, including all TomoTherapy, Radixact, CyberKnife, iDMS, and Precision systems. However, no actual exploitation of these vulnerabilities has been reported to the company as of March 4, according to Accuray.

The firm is incorporating and testing the latest version of the remote access agent that will resolve these issues and will deploy the new version once testing is complete.

In the meantime, Accuray is recommending that customers employ prudent security practices to minimize the risk potential, including the following:

  • Ensure that components of Accuray systems are behind the system firewall.
  • Ensure that a set of firewall rules or an access control list is configured and monitored to allow inbound and outbound traffic only as required for the product.
  • Ensure that only secure/sanitized USB storage devices are utilized.
  • Ensure data has been backed up and stored according to your institution's policy.
  • Ensure disaster recovery procedures are in place.

Bayer

Bayer said in an information technology advisory that the vulnerability affects its Intego PET Infusion System (Windows 10 only), Stellant CT injection system with Certegra workstation, Stellant Flex CT injection system, MRXperion MR injection system, Digital Solutions Platform, Radimetrics dose management software, and VirtualCare Remote Module.

If connected to a VirtualCare module, other systems may be impacted, including the Mark 7 Arterion injection system; Avanta fluid management injection system; Spectris Solaris EP MR injection system; and Intego PET infusion system (Catalog number: INT SYS 200) - Windows 7.

The company said in the advisory that it's urgently working to minimize any potential impact to customers and has employed a patch to all of its devices connected to VirtualCare remote support.

"Injectors that have received this patch are no longer at risk for the vulnerability," the vendor said.

Bayer is also in the final stages of implementing a software update for devices not currently connected via VirtualCare. Once available, this update will be deployed during customers' next service visit, according to the firm.

Elekta

Elekta, which leverages Axeda software components in its IntelliMax platform to provide remote support capabilities, has informed its customers about the vulnerabilities found in the Axeda software, according to the company.

However, “Elekta/PTC has no indication nor has been made aware that any of these vulnerabilities have been or are being exploited,” an Elekta spokesperson told AuntMinnie.com.

GE

After performing impact and risk assessments, GE said it has determined that "only a very limited number" of its products are potentially impacted by a subset of the vulnerabilities. It will provide further information and updates on its Product Security Portal.

Varian

Varian uses the PTC software as part of its SmartConnect remote support and installation service. In a cybersecurity advisory, Varian said that its cybersecurity experts are analyzing and addressing potential impact to its products.

"When appropriate, Varian provides updates to fix the vulnerability, or specific countermeasures for products where fixes are not yet available," Varian said.

It has also posted two articles on the vulnerability in its MyVarian customer portal.

Latest in IS
2017 03 30 15 16 56 745 Mammogram Calendar 400
Can self-scheduling and referral close breast cancer screening gaps?
July 31, 2023
2018 11 19 17 20 4754 Back Pain 400
Simple EHR intervention reduces unnecessary lower-back x-rays
July 30, 2023
2020 01 28 20 45 5229 Cloud Computing Laptop 400
Amazon Web Services releases imaging data platform
July 25, 2023
2021 06 16 23 10 5735 Student Doctor Laptop Test 400
Online course teaches students about appropriate imaging use
July 19, 2023
Related Stories
2021 08 10 16 10 2928 Cybersecurity Lock V2 400
IS
Ransomware affects emergency radiology workflows
2016 09 02 09 36 05 93 Fda Logo V2 400
PACS/VNA
FDA issues new draft cybersecurity guidance
2020 07 28 23 23 5650 Business Hands Cooperation 400
Radiation Oncology/Therapy
GE joins forces with Elekta in radiation oncology
2022 03 14 21 27 0247 Internet Digital Security 400
IS
Security advisory issued for Philips' MRI software
More in IS
Can self-scheduling and referral close breast cancer screening gaps?
By Amerigo Allegretto
Online patient portal self-scheduling and self-referral methods can help mitigate health disparities in breast cancer screening, according to research published July 26 in the Journal of the American College of Radiology.
July 31, 2023
2017 03 30 15 16 56 745 Mammogram Calendar 400
Simple EHR intervention reduces unnecessary lower-back x-rays
By Kate Madden Yee
A relatively simple electronic health record (EHR) intervention reduces the incidence of unnecessary x-rays for patients presenting with low back pain, a study published July 28 in the Journal of the American College of Radiology has found.
July 30, 2023
2018 11 19 17 20 4754 Back Pain 400
Amazon Web Services releases imaging data platform
By AuntMinnie.com staff writers
Amazon Web Services has launched an imaging data platform for storing, accessing, and analyzing medical images at petabyte scale.
July 25, 2023
2020 01 28 20 45 5229 Cloud Computing Laptop 400
Online course teaches students about appropriate imaging use
By Amerigo Allegretto
An online elective course can effectively educate radiology students on the concept of appropriateness in medical imaging, according to an Israeli study published July 18 in Academic Radiology.
July 19, 2023
2021 06 16 23 10 5735 Student Doctor Laptop Test 400
CMS proposes radiology reimbursement cuts, AUC pause for 2024 MPFS
By Erik L. Ridley
In what has seemingly become an annual event, the U.S. Centers for Medicare and Medicaid Services (CMS) has once again included radiology reimbursement cuts in its Medicare Physician Fee Schedule (MPFS) Proposed Rule.
July 13, 2023
2019 07 31 17 01 7432 Medicare Puzzle 400
Summary reports improve CT planning for ovarian cancer surgery
By Kate Madden Yee
A synoptic, or summary radiology report, improves pretreatment CT planning for patients with advanced ovarian cancer compared to a simple structured report, according to a study published on July 12 in the American Journal of Roentgenology.
July 12, 2023
2023 07 12 19 50 6142 2023 07 12 Ajr Ct Ovarian 400
PET/CT shows value in patients with portal vein thrombosis
By Will Morton
PET/CT could be a valuable new imaging technique for distinguishing benign from malignant portal vein thrombosis in liver cirrhosis patients, according to a group in Egypt.
June 26, 2023
2023 06 22 23 04 9721 2023 06 23 Pet Pvt 20230622231003
Ransomware affects emergency radiology workflows
By Amerigo Allegretto
Ransomware attacks have a significant effect on emergency radiology workflows, as well as on acute care delivery and the personal well-being of healthcare providers, according to a study published June 15 in the Annals of Emergency Medicine.
June 19, 2023
2021 08 10 16 10 2928 Cybersecurity Lock V2 400
SIIM: Can Microsoft Teams lessen radiologist interruptions?
By Erik L. Ridley
AUSTIN, TX - Asynchronous forms of communication such as Microsoft Teams are much less disruptive to radiologists than phone calls or in-person visits, according to a talk delivered at the annual Society for Imaging Informatics in Medicine (SIIM) meeting.
June 18, 2023
2020 04 16 18 17 3383 Radiologist Ct Scan Brain Tumor 400
Turing debuts MRI visual feedback module at ISMRM 2023
By AuntMinnie.com staff writers
Neuroimaging software company Turing Medical Technologies (formerly Nous Imaging) used the venue of ISMRM 2023 in Toronto to launch FIRMM-pix, an in-bore visual feedback module designed to actively reduce head motion during brain MRI scans.
June 8, 2023
2023 01 30 21 50 9506 Computer Display Monitor Lab Mri V2 400
ImagineSoftware acquires Within Health
By AuntMinnie.com staff writers
Radiology billing and RIS developer ImagineSoftware has acquired artificial intelligence software developer Within Health. Terms of the deal were not disclosed.
May 23, 2023
2020 08 20 17 37 8876 Business Handshake Man 400
DetectedX touts learning platform success
By AuntMinnie.com staff writers
DetectedX is highlighting that the user base for its Radiology Online Learning Centre has exceeded 4,500 users, which the company says range from large radiology groups to individuals around the world.
May 3, 2023
2020 06 16 22 09 9134 Doctor Virtual Meeting Laptop Computer 400
Page 1 of 603
Next Page