| Catalog Number 05530199190 |
| Device Problem
Unauthorized Access to Computer System (3025)
|
| Patient Problem
No Consequences Or Impact To Patient (2199)
|
| Event Date 07/01/2018 |
|
Event Type
malfunction
|
|
Manufacturer Narrative
|
|
Medwatch field occupation - the occupation is medical equipment company technician/representative.
|
| |
|
Event Description
|
|
An internal investigation has determined that coaguchek xs pro meters are vulnerable to a cybersecurity or data breach.This was discovered during roche internal investigations in conjunction with a cybersecurity consultant.The internal investigation determined that significant product and cybersecurity knowledge is needed to exploit these vulnerabilities.The consultant was able to reverse engineer the service password generator.The consultant was also able to execute code through a hidden command.The investigation determined the following: deletion of protected health information may be possible; modification of protected health information may be possible; changing the units of measure may be possible; the vulnerabilities can be exploited independently or in combination.In the worst case scenario, the medical risk is high.The probability of this type of event occurring is low (criminal intent, theft of the device, entering the firewall, etc.).The likelihood of occurrence of a successful attack is deemed low to theoretical with installations secured in accordance with roche cyber security recommendations.There have been no reports of actual occurrence in the field.
|
| |
|
Manufacturer Narrative
|
|
Successful exploitation of the vulnerabilities may have the following consequences: protected health information and other personally identifiable information on the devices may be disclosed and therefore cause violation of data protection laws.Crashed or corrupted devices may disrupt operation in the healthcare delivery organization.Manipulated result data may lead to wrong diagnosis and treatment of patients.The attack complexity has been assessed as high, as attackers with criminal intent would need to physically or logically compromise the healthcare network, perform extensive reverse engineering to disclose the vulnerabilities and develop targeted exploit code based on in-depth technical knowledge about the roche products to successfully exploit the vulnerabilities.Likelihood of occurrence of a successful attack is deemed low to theoretical with installations secured in accordance with roche cyber security recommendations.The attack can only be detected by chance.Since it needs criminal intent an attacker will try to hide his activities as much as possible.The product itself is not defective.The patient results would only be affected (by changing value/unit etc.) due to intentionally induced malfunctions by third parties.To be able to affect patient results the device needs to be manipulated/misused purposefully in an illegal way.If an attacker succeeds in altering patient results either by a direct attack or by implementing malicious software, a subsequent medical risk for point of care diagnostics cannot be excluded.
|
| |
|
Search Alerts/Recalls
|
