German industrial group Siemens expects to update software in some of its medical scanners by the end of the month to deal with vulnerabilities that could, in theory, allow some of this equipment to be hacked, a company spokesman said on Monday.
Last week, the US Department of Homeland Security issued a security notice warning that “an attacker with a low skill would be able to exploit these vulnerabilities” using known weaknesses that exist in older Windows software.
The Siemens spokesman said no evidence of any attack had been found.
Siemens’ action provides more evidence of a growing focus on preventing cyber-attacks on medical equipment, which for years ranked low on the list of potential hacking targets.
The vulnerabilities identified by Siemens were in its PET (positron emission tomography) scanners that run on Microsoft Windows 7, which could be exploited remotely.
PET scanners help to reveal how tissues and organs are functioning by using a radioactive drug to trace activity. They can reveal or assess cancer, heart disease and brain disorders.
Initially, the Munich-based company advised hospital and other medical customers to disconnect the scanners until a update was released.
But the company spokesman said on Monday that after further review, it no longer believed disconnecting the scanners was necessary.
Siemens has assigned a security severity rating of 9.8 out of 10, using the open industry standard CVSS (Common Vulnerability Scoring System) risk assessment system, according to the US security notice.
“Based on the existing controls of the devices and use conditions, we believe the vulnerabilities do not result in any elevated patient risk,” Siemens said. “To date, there have been no reports of exploitation of the identified vulnerabilities on any system installation worldwide.”
Large imaging machines such as PET scanners are typically not directly connected to the Internet but are connected to clinical IT systems, which can be infected, for example, by an email attachment sent to a different part of the system.
“It’s pretty serious,” UK-based independent computer security analyst Graham Cluley said. “It does seem that these vulnerabilities can be exploited remotely and rather trivially.”
He said hospitals in general were badly protected against hacking, partly because of underfunding and partly because some older medical machines are not compatible with the latest versions of software operating systems.
The globalWannaCrycyber-attack in May highlighted the vulnerability of medical systems when it caused major disruption to X-ray machines and other computer equipment in Britain’s National Health Service, forcing hospitals to turn away patients.
Earlier this year, Abbott Laboratories moved to protect patients with its St. Jude heart implants against possible cyber attacks, releasing a software patch that the firm said would reduce the “extremely low” chance of them being hacked.
Siemens plans a public listing for its healthcare unit, Healthineers, next year. The IPO is expected to value the business at up to EUR 40 billion ($47 billion).