A global security company has identified nine vulnerabilities affecting pneumatic tube systems (PTS), networks of tubes through which small objects, medications, blood samples, etc. can be transported throughout a hospital or provider facility. Armis reports that these vulnerabilities, which have been found in Swisslog’s Translogic PTS, allow an attacker to take over the control panel and thereby the PTS network within a facility.
By taking over the PTS network, attackers can access a wealth of private data. To protect your system, be sure to include these vulnerabilities when conducting periodic reviews or assessments:
- Elevated access vulnerability (i.e., those users with greater access control/rights are highly targeted and more vulnerable to attack)
- Vulnerabilities related to hard-coded passwords (accessible with Telnet)
- Denial-of-service vulnerability
- Lack of multi-factor authentication
- Memory corruption bugs
- Lack of file validation for files uploaded as updates
What These Vulnerabilities Mean
When radio frequency identification (RFID) cards are used to access the PTS, there is an increased risk of secondary attacks, as the vulnerable systems often integrate with RFID and other IT systems in hospitals, allowing for lateral movement on the network.
Additionally, access to the PTS can allow an attacker to modify system settings, such as the speed of transport. Modifying this setting could damage fragile samples transported through the pneumatic system.
Actions You Can Take
Administrators can reduce the attack surface by restricting access to the networks that contain these systems via firewalls, protecting virtual local area networks (VLANs), and turning off Telnet to these devices. This lowers the likelihood of a successful attack. In addition, monitoring traffic for indications of possible exploitation attempts should be added to the PTS log review and alerting systems.
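One way to fold the firewall, Telnet and monitoring steps above into a log review, as an added example that is not from Armis, Swisslog or this advisory: it scans flow records for Telnet traffic to the PTS VLAN and for allowed traffic from sources outside a management allowlist. The subnets, CSV field names and sample records are constructed assumptions.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Assumed site values (constructed, not from the advisory).
PTS_VLAN = ip_network("10.20.30.0/24")            # subnet holding PTS control panels
ALLOWED_SOURCES = [ip_network("10.20.99.0/28")]   # management hosts permitted to reach it
TELNET_PORT = 23

# Constructed flow records in an assumed export format.
SAMPLE_FLOWS = """\
src,dst,dst_port,action
10.20.99.5,10.20.30.11,443,allow
10.20.99.5,10.20.30.11,23,allow
10.50.4.17,10.20.30.12,23,deny
10.50.4.17,10.20.30.12,80,allow
10.20.30.11,10.20.30.12,23,allow
10.50.4.17,10.60.1.9,23,allow
"""

def review_flows(flow_csv):
    """Return (severity, reason, row) findings for traffic destined to the PTS VLAN."""
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst = ip_address(row["src"]), ip_address(row["dst"])
        if dst not in PTS_VLAN:
            continue  # only traffic towards PTS devices is in scope
        port = int(row["dst_port"])
        permitted = row["action"] == "allow"
        trusted = any(src in net for net in ALLOWED_SOURCES)
        if port == TELNET_PORT:
            # Telnet should be off everywhere: an allowed flow means it is still
            # reachable, a denied one is a connection attempt worth alerting on.
            sev = "high" if permitted else "medium"
            reason = "telnet reachable" if permitted else "telnet attempt blocked"
            findings.append((sev, reason, row))
        elif permitted and not trusted:
            # Non-Telnet traffic allowed in from outside the management allowlist.
            findings.append(("high", "segmentation gap", row))
    return findings

if __name__ == "__main__":
    for sev, reason, row in review_flows(SAMPLE_FLOWS):
        print(f"[{sev}] {reason}: {row['src']} -> {row['dst']}:{row['dst_port']}")
```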
How PYA Can Help
PYA can assist your organization with its cybersecurity and IT needs. With experienced CIO, CTO, and CISO professionals, our IT Risk Management team goes beyond checklists to analyze critical system and technology controls. Our comprehensive risk management program, Overwatch, addresses all elements of IT infrastructure, process assessments, data governance, and risk management. To learn more, contact a member of PYA’s IT Risk Management team below at (800) 270-9629.