1,400 vulnerabilities found in CareFusion medical equipment

An ICS-CERT advisory has alerted the public to vulnerabilities found in CareFusion’s Pyxis SupplyStation system (a product that dispenses medical supplies, but not medication). The flaws could allow remote exploitation, and because the affected versions of the system are end-of-life it appears unlikely that they will be patched. For customers not pursuing the remediation path of upgrading devices, CareFusion is offering compensating measures to help reduce the risk of exploitation.

Fraser Kyne, Regional Systems Engineering Director at Bromium, offered @DFMag the following expert opinion:

“This vulnerability announcement provides further proof of the dangers of continuing to use unprotected, out-of-support Operating Systems and tools. However, all businesses (and particularly hospitals) are faced with the need to avoid costs by sweating their computing tools and assets for as long as possible.

The report states clearly that “These vulnerabilities could be exploited remotely”, and provides sane advice such as “Isolate affected products from the Internet and untrusted systems”. The problem is that we want to use our systems to run critical secure processes, and at the same time we want to run completely unsafe processes such as web browsing and email on the same devices. Isolation is a solid security principle, but we shouldn’t have to compromise between security and functionality.

There are ways to achieve this isolation with today’s technology, hardware and Operating Systems – so that we can really get the best of both worlds. However, to achieve this we have to take a step forward from the past, and realise that it’s not possible to simply place a band-aid over the truly legacy systems on our networks.

So, isolation is the best approach. Either isolate the as-is affected systems as advised, or move to a hardware-isolation model on current OS and hardware that will allow you to blend security and functionality; and to avoid such threats in the future.”

Details on CareFusion product security and privacy are located here.

Specific info for the end-of-life Pyxis SupplyStation can be found here.
