It looks like Siemens is taking the unusual (for Siemens)
step of limiting access to cybersecurity advisories for their Healthineer
products by publishing those advisories on a customer restricted access web
site. Previously issued advisories are still publicly available on the Siemens
CERT web page. It is not clear if future Healthineer advisories will continue
to be published in that public forum.
The Announcement
Yesterday Siemens announced
on TWITTER® that: “Starting by October 15 all topics related to the Siemens
Healthineers Cyber Security (including security advisories) will be published
at the Siemens Healthineers Cyber Security webpage”. The link
provided takes you to the following statement:
“Security publications Siemens
Healthineers Security Advisories: All current Siemens Healthineers reports of
security issues and Security Advisories for validated security vulnerabilities
that directly involve our products and require applying an update, performing
an upgrade, or other customer action can be found at the Siemens
Healthineers LifeNet customer online portal.”
That LifeNet customer online portal is currently accessible
only to registered users. I attempted to register and received the following in
an email from Suzanne Blevins, Siemens Medical Solutions USA, Inc., LifeNet
Support Team:
“We are only able to provide
LifeNet to customers that own Siemens equipment. I am not able to find any
equipment owned by your company.”
I have sent an email to Siemens Medical Solutions requesting
clarification.
Commentary
Okay, let me start by saying that Siemens (and any other
company) can publish their cybersecurity advisories in whatever venue they deem
most appropriate, as long as users of the affected equipment can reasonably be
expected to be able to access that information in a timely manner to make
appropriate risk assessment decisions about the disclosed vulnerabilities.
I suspect that this is an issue of protecting the safety of patients,
and one is hard pressed to find a group more worthy of protection; especially
since many (the vast majority?) of the patients have nothing to do with the
selection, operation, maintenance or security of the devices into which their
care is placed.
One just has to look at the most recent Healthineers
advisory concerning the DejaBlue
vulnerabilities in Healthineer products. The advisory was published on August 9th,
2019. The advisory notes that most of the affected products can be fixed by
applying Microsoft® patches available when the advisory was published. But it
also noted that at least two of the affected products would need Siemens
patches that would not be available for months, and for another product Siemens
recommended disabling the RDP functionality of the device. Arguably, the
publication of this advisory may have increased the risk for some of the
patients using the currently unfixable products.
While this type of risk problem is also found in many of
the industrial product advisories published by Siemens (as we can see in the
large number of periodic updates published providing mitigation measures for
yet another covered product on the original vulnerability list), the situation
is a tad bit different. One should expect owners of industrial control system
devices to be better masters of their cybersecurity environment than are
patients hooked up to medical devices.
I am concerned, however, about how well Siemens will be able
to communicate their advisories to the medical device owners. While Siemens may
be able to push advisories to registered owners (and I do not know that they
will be pushing advisories as opposed to just statically publishing them on
their LifeNet web site) the reality of the situation is that Siemens has no way
to track who is using their devices once they are sold to the initial customer (see
for example this 2005
Siemens 1.5T Magnetom Espree for sale on Ebay). How is Siemens going to
deal with ensuring that owners of devices sold in the aftermarket get these
advisories?
Siemens has been proactive in publicly publishing
cybersecurity advisories across their entire product line. Not only do they
publish advisories for vulnerabilities reported by independent security researchers
(directly reported or coordinated through a variety of CERTS), but they also
self-disclose vulnerabilities in many of their advisories. I expect that this
will continue. But if Siemens is restricting access to their Healthineer
advisories to just registered owners, gadflies like myself and security
researchers are not going to be able to monitor their security efforts to make
sure that they are taking all appropriate steps to protect the patients from
undue cybersecurity risks.