After computers and smart appliances, the pneumatic tube systems (PTS) that hospitals use to transport blood samples and medicines have been found vulnerable to critical cyberattacks. The complete set of nine vulnerabilities is known as PwnedPiper, and it can even allow a complete takeover of the hospital system.
This weakness was disclosed by Armis, an American cybersecurity firm, which claimed that the Translogic PTS systems installed by Swisslog Healthcare were vulnerable to attacks. This system, being among the best in the world, is installed in about 80% of major hospitals in the US and around 3000 hospitals across the globe.
How Bad are These Vulnerabilities?
Armis' research team includes experts Ben Seri and Barak Hadad, who claim that a threat actor can hack into the Translogic PTS stations and take over the complete PTS network of the target hospital. Further, the attacker can leak hospital data or initiate the process for a ransomware attack.
As you all know, the PTS was designed as an internal logistics and transport system used to transfer blood, tissue, and other lab samples to diagnostic laboratories. If this system were exploited successfully, important data could be leaked, information could be manipulated, ransomware could be deployed, and a MitM (man-in-the-middle) attack could be carried out that could shut down the operations of a hospital.
How did Swisslog Healthcare Respond?
Swisslog Healthcare responded by stating that the pneumatic tube stations can only be compromised if the malicious actor has access to the hospital’s information technology network. The firmware is deployed at the PTS nodes, and this means that the hacker can cause additional damage only if he/she can leverage these exploits.
It has also recommended that all its customers update to the latest firmware, which is the Nexus Control Panel version 22.214.171.124. This will ward off any potential risk that may occur due to shortcomings in the real-world scenario.
How Did Armis and Swisslog Work Together on This Concerning Matter?
Armis contacted Swisslog on the 1st of May 2021 and submitted its report. They have been working together ever since to develop patches that could secure the PTS worldwide just by updating the firmware. The teams have worked day and night to fix this vulnerability and ensure that the systems are secured from attackers.
Another interesting discovery shed light on the fact that the vulnerabilities were limited to the
The HMI-3 circuit board was placed inside Nexus™ Panels to connect to Ethernet. These types of machines are primarily deployed in hospitals located in the North American region.
Jennie McQuade, the Chief Privacy Officer for Swisslog Healthcare, has said that these vulnerabilities arise only under a certain combination of variables and do not occur in all devices. She also stated that the pneumatic tube stations can be compromised only if the malicious actor can easily access the hospital’s IT network, which is a fault on the facility’s end.
The company has “researched, reviewed, and confirmed potential vulnerabilities which could impact healthcare facilities currently using hardware containing the HMI3 panel when connected via Ethernet,” she states. “Swisslog Healthcare is committed to continually monitoring our security programs and industry trends to offer proactive protection to our customers,” she states. “We are grateful to be a trusted provider of healthcare institutions around the world.”
The vulnerabilities have been removed by releasing software that updates the firmware. Mitigations for the remaining vulnerability were documented in the company’s Network Communications and Deployment Guide, which is readily available to customers.
The Swisslog Customer Care Team is available to current customers 24 hours, 7 days a week, to answer any questions, by calling 800-396-9666.
The Final Word On Hospitals Now Face Security Threats Over PTS Stations
Hospitals have always focused on patient care with the best technology and medicines. However, they must also focus on operations and infrastructure, as this helps to secure healthcare environments. Along with the patient, any data regarding the patient is also the hospital’s responsibility, and to maintain this privacy and secrecy, the hospital must keep its systems updated at all times.