Breast & Skeletal Products Cybersecurity

Patient safety and data integrity, long central to women's health through early detection and treatment, depend on strong cybersecurity in an interconnected, data-driven healthcare model. At Hologic, we engineer and deliver products and solutions that improve the lives of women across the globe. Our goal is to ensure our products and solutions meet the highest security standards, and that commitment governs how we approach cybersecurity across our business.

Security Advisory

CVE-2023-4863 Vulnerability Statement - October 12, 2023

Overview:
Hologic is actively investigating the recently disclosed libwebp vulnerability CVE-2023-4863 and has determined that, at this time, the risk of impact to our devices is low when they are used as intended within the designed medical workflow. Our medical software does not encode or decode images in the WebP format. We do, however, ship third-party software that contains the affected component, as described below. We will update this advisory as required.

Background:
libwebp is an open-source library for encoding and decoding the WebP image format. Versions of libwebp prior to 1.3.2 are affected by this vulnerability, a heap buffer overflow in WebP lossless decoding that can lead to remote code execution when a crafted image is processed; exploitation in the wild has been confirmed. NVD rates it 8.8 High (CVSS 3.x). libwebp is bundled into many popular applications, including anything built on the Electron app framework. The most widely deployed software containing it is web browsers such as Google Chrome, Microsoft Edge and Mozilla Firefox. Internet Explorer does not appear to be affected.

Impact Details:
No impact to Hologic-developed medical device software has been found at this time; as stated above, our products do not process WebP images. However, many of our Breast & Skeletal Health products include the Google Chrome web browser, which is used to register our remote servicing software, Unifi Connect. Chrome installs with automatic updates enabled; if the network allows the updater to reach Google's update service, the browser will be updated to a fixed version (a downloaded update only takes effect once Chrome is relaunched). Furthermore, general web browsing is neither recommended nor supported in the intended use design, which makes the risk of impact here low.

The vulnerable libwebp library is also present in the operating system of the SecurXChange Router. That product runs Ubuntu, and a fixed package is already available, as described in Ubuntu security notice USN-6369-2 (linked below).

Recommendations:
Hologic recommends that customers check product devices for the presence of Google Chrome and, if it is installed, verify that the browser has been updated. If it has not, trigger the update manually (opening Chrome's About page forces an update check) and relaunch the browser so the new version takes effect. To resolve this vulnerability, Google Chrome must be v116.0.5845.187 or higher.
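The following script is an added example for this advisory, not Hologic tooling. It reads the version-named sub-directories that Chrome creates under its install root on Windows, compares the newest one numerically against the minimum fixed version given above, and flags the case where an update has been staged but the browser has not been relaunched. The install roots listed in DEFAULT_CHROME_ROOTS are assumed defaults; pass your own if the product installs Chrome elsewhere.

```python
"""Check installed Google Chrome builds against the CVE-2023-4863 fixed version.

Added example for this advisory; it is not Hologic tooling. It reads the
version-named sub-directories that Chrome creates under its install root on
Windows, so it works without launching the browser.
"""
import os
import re
from typing import Dict, Iterable, List, Tuple

# Minimum fixed version stated in the advisory.
CHROME_MIN_VERSION = "116.0.5845.187"

# Assumed default install roots on Windows (per-machine x64, per-machine x86,
# per-user). Each root holds one sub-directory per installed build, named with
# the full four-part version number, e.g. 116.0.5845.187.
DEFAULT_CHROME_ROOTS = (
    r"C:\Program Files\Google\Chrome\Application",
    r"C:\Program Files (x86)\Google\Chrome\Application",
    os.path.expandvars(r"%LOCALAPPDATA%\Google\Chrome\Application"),
)

_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'116.0.5845.187' -> (116, 0, 5845, 187). Compare numerically, never as
    strings: lexically '116.0.5845.1000' sorts below '116.0.5845.187'."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a Chrome version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_patched(version: str, minimum: str = CHROME_MIN_VERSION) -> bool:
    return parse_version(version) >= parse_version(minimum)


def versions_in(names: Iterable[str]) -> List[str]:
    """Keep only names that look like Chrome build versions, sorted ascending."""
    return sorted((n for n in names if _VERSION_RE.match(n)), key=parse_version)


def installed_versions(root: str) -> List[str]:
    try:
        return versions_in(os.listdir(root))
    except OSError:  # root missing or unreadable: Chrome is not installed there
        return []


def assess_versions(versions: Iterable[str],
                    minimum: str = CHROME_MIN_VERSION) -> Dict[str, object]:
    """Classify the set of build directories found on one device."""
    found = versions_in(versions)
    if not found:
        return {"status": "not_installed", "highest": None, "pending_relaunch": False}
    highest = found[-1]
    status = "patched" if is_patched(highest, minimum) else "unpatched"
    # Heuristic (assumption): an older build directory alongside the newest one
    # usually means the update was staged but the browser has not been
    # relaunched, so the running chrome.exe may still be the vulnerable build.
    pending = len(found) > 1 and not is_patched(found[0], minimum)
    return {"status": status, "highest": highest, "pending_relaunch": pending}


def check_chrome(roots: Iterable[str] = DEFAULT_CHROME_ROOTS) -> Dict[str, object]:
    found: List[str] = []
    for root in roots:
        found.extend(installed_versions(root))
    return assess_versions(found)


if __name__ == "__main__":
    result = check_chrome()
    print(f"status={result['status']} highest={result['highest']} "
          f"pending_relaunch={result['pending_relaunch']} (minimum {CHROME_MIN_VERSION})")
```

The script only looks at what is on disk; when pending_relaunch is reported, close and reopen Chrome and confirm the running version on chrome://version before treating the device as remediated. Per-user installs under %LOCALAPPDATA% are only visible when the script runs as that user.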

For SecurXChange product systems at v4.1.x or higher, perform the following steps to update the Operating System:

  1. Log into the SecurXChange web application as an admin user.
  2. Navigate to Administration -> System -> Software Updates.
  3. Click "Download Updates..." button.
  4. At the prompt, select "Security Updates" and click OK.
  5. Once download completes, click "Install Updates".
  6. At the prompt, select "Install Now" and click OK.
  7. Wait for the installation to complete and for the web application to restart.
     

SecurXChange systems at versions lower than 4.1.x should be upgraded to a supported version in order to continue receiving security patches.

Resources:
https://nvd.nist.gov/vuln/detail/CVE-2023-4863
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4863
https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html
https://www.cisa.gov/known-exploited-vulnerabilities-catalog (search for CVE-2023-4863)
https://ubuntu.com/security/notices/USN-6369-2
 

Hologic Cybersecurity - Validated Microsoft Monthly Critical Patch Releases

Patches validated for installation on Hologic Breast and Skeletal Health systems

Hologic Cybersecurity - MDS2 Forms

Manufacturer Disclosure Statement for Medical Device Security (MDS2) forms for Hologic Breast and Skeletal Health systems

Hologic Cybersecurity - Cybersecurity Reports and Best Practices

Corporate and product-specific cybersecurity reports and best practices documentation for Hologic Breast and Skeletal Health systems

Hologic Cybersecurity - Antivirus Installation and Configuration Guides

Information for installing and configuring antivirus software on Hologic Breast and Skeletal Health systems

Additional Security Advisories

MOVEit Transfer Vulnerability Statement - July 14, 2023

Hologic has been monitoring multiple critical MOVEit Transfer vulnerabilities and has found no known impact to Breast & Skeletal Health products. The MOVEit Transfer software is neither included on products, nor used in the development or servicing environment.

MOVEit Transfer is a managed file transfer product used by numerous organizations across the healthcare sector, as well as by United States federal agencies. One recent MOVEit Transfer SQL injection vulnerability, CVE-2023-34362, is being actively exploited and has been added to the CISA Known Exploited Vulnerabilities Catalog. Customers using MOVEit Transfer should investigate and remediate immediately to safeguard sensitive data and protected health information. A list of recent vulnerabilities, with links to more information, is included below for convenience.

CVE-2023-36934 (July 5, 2023 - 9.1 Critical)
https://nvd.nist.gov/vuln/detail/CVE-2023-36934
MOVEit Transfer 2020.1 (12.1) Service Pack (July 2023) - Progress Community

CVE-2023-36933 (July 5, 2023)
https://nvd.nist.gov/vuln/detail/CVE-2023-36933
MOVEit Transfer 2020.1 (12.1) Service Pack (July 2023) - Progress Community

CVE-2023-36932 (July 5, 2023)
https://nvd.nist.gov/vuln/detail/CVE-2023-36932
MOVEit Transfer 2020.1 (12.1) Service Pack (July 2023) - Progress Community

CVE-2023-35708 (June 16, 2023 - 9.8 Critical)
https://nvd.nist.gov/vuln/detail/CVE-2023-35708
https://www.cisa.gov/news-events/alerts/2023/06/15/progress-software-releases-security-advisory-moveit-transfer-vulnerability
https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-15June2023

CVE-2023-35036 (June 11, 2023 - 9.1 Critical)
https://nvd.nist.gov/vuln/detail/CVE-2023-35036
https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-CVE-2023-35036-June-9-2023

CVE-2023-34362 (June 2, 2023 - 9.8 Critical – Known Exploited)
https://nvd.nist.gov/vuln/detail/CVE-2023-34362
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023

CVE-2023-30394 (May 11, 2023 - 6.1 Medium)
https://nvd.nist.gov/vuln/detail/CVE-2023-30394

PTC Axeda agent and Axeda Desktop Server, ICSA-22-067-01 - March 15, 2022

Hologic is monitoring the vulnerabilities described in CISA advisory ICSA-22-067-01, which affect the PTC Axeda agent and Axeda Desktop Server.

These vulnerabilities affect all Hologic product systems that have Hologic Connect™ installed. We believe the risk to our products is low, because these products are not internet facing.

Immediate mitigation strategies include removing the Axeda agent service, the Axeda Desktop Server service and deleting the associated vulnerable files from our systems. Detailed instructions for performing the recommended mitigation can be found in CTB-01038.

Hologic is already in the process of transitioning its products away from the PTC Axeda products in favor of Unifi™ Connect, a more secure remote access platform, which Hologic will be prioritizing for all customers to minimize any impacts to product servicing.

Apache Log4J Security Vulnerability - December 16, 2021

Hologic is closely monitoring the vulnerability known as Log4Shell, tracked as CVE-2021-44228, in Apache Log4j. This is a serious vulnerability affecting systems across the world: it allows unauthenticated remote code execution, requires little skill to exploit, and is rated Critical with a CVSS score of 10.0. Log4j is a popular open-source logging framework for Java applications.

Currently, Log4j 2.x versions from 2.0-beta9 through 2.14.1 are considered at risk. Log4j 1.x is not affected by CVE-2021-44228. Apache has released fixed versions, first 2.15.0 and then 2.16.0, which disables JNDI by default and removes message lookups entirely. For more information, please visit the Apache Logging Services Log4j security page: https://logging.apache.org/log4j/2.x/security.html.

Hologic will update this guidance for Breast & Skeletal Health products as more information is obtained. If you require any assistance with our products, please contact Hologic Support.

Impacted Products and recommendation:

  •  Advanced Workflow Manager (AWM)

    While the Hologic software itself does not use Java or Log4j, the installed APC PowerChute Business Edition v9.5 UPS management software may. APC is still assessing its PowerChute software to determine whether it is vulnerable.

    Out of an abundance of caution, Hologic recommends uninstalling the APC PowerChute software until APC provides further guidance, which Hologic is monitoring at https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp
     

  •  Unifi Workspace

    While the Hologic software itself does not use Java or Log4j, the optionally installed APC PowerChute Business Edition v9.5 UPS management software may. APC is still assessing its PowerChute software to determine whether it is vulnerable.

    Out of an abundance of caution, Hologic recommends uninstalling the APC PowerChute software until APC provides further guidance, which Hologic is monitoring at https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp

    For the above-mentioned Advanced Workflow Manager and Unifi Workspace products, Hologic has released CTB-00996 to provide Hologic customers, field engineers, and technical support engineers with instructions for removing affected versions of APC PowerChute™ software as a means of mitigating potential risk from the Log4j vulnerability. Download: CTB-00996 Log4J Vulnerability Risk Mitigation
     

  • Faxitron CT Specimen Radiography System

    While the Hologic software itself does not utilize Java/Log4J, there is a utility program installed that may utilize Java and Log4J. This utility program does not run on startup and is not required for system operation. Please contact Hologic Service for assistance in removing this program.

Products with no detected impact:

  • Dimensions / 3Dimensions Mammography System
  • Affirm Prone Biopsy System
  • Brevera Breast Biopsy System
  • Trident HD Specimen Radiography System
  • SecurView DX/RT Workstation and Manager
  • Cenova Image Analytics Server (CAD)
  • SecurXChange Router    
  • Rosetta DC Tomosynthesis Data Converter
  • Faxitron Specimen Radiography Systems
  • Horizon DXA Bone Densitometer
  • Discovery Bone Densitometer
  • Fluoroscan Insight Mini C-Arm
  • SuperSonic Imagine Ultrasound Products (Aixplorer & Aixplorer Mach)
  • Windows Selenia Mammography System
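Where a third-party component such as the UPS management software above cannot be removed immediately, the practical question is which log4j-core jars are on the system, what version they are, and whether the JndiLookup class is still inside them. The scanner below is an added example for this advisory, not a Hologic or APC tool. It walks a directory tree, reads each jar's Maven metadata, manifest or file name for the version, and applies the version rules from the Apache security page (2.16.0 and later, and the back-ported 2.12.2, 2.12.3 and 2.3.1 releases, are treated as fixed; 2.15.0 is still flagged because it does not close the follow-on CVE-2021-45046). The build_sample_jar helper constructs stand-in jars for demonstration; the paths you scan and the jar layout of any real product are assumptions to confirm on the device.

```python
"""Find Log4j 2 core jars on disk and flag those still exposed to CVE-2021-44228.

Added example for this advisory, not a Hologic or APC tool. It reports the jar
version (from pom.properties, the manifest, or the file name) and whether the
JndiLookup class, whose removal is a documented mitigation, is still present.
"""
import io
import re
import zipfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple, Union

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# 2.16.0 disables JNDI by default and removes message lookups.
FIXED_VERSION = (2, 16, 0)
# Back-ported security releases for older Java levels that are not affected.
SAFE_BACKPORTS = {(2, 12, 2), (2, 12, 3), (2, 3, 1)}

_VER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
Version = Tuple[int, int, int]


def parse_version(text: Optional[str]) -> Optional[Version]:
    m = _VER_RE.search(text or "")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def jar_version(zf: zipfile.ZipFile, names: set, filename: str) -> Optional[Version]:
    """Prefer Maven metadata, then the manifest, then the file name."""
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return parse_version(line.split("=", 1)[1])
    if "META-INF/MANIFEST.MF" in names:
        for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
            if line.startswith("Implementation-Version:"):
                return parse_version(line.split(":", 1)[1])
    return parse_version(filename)


def is_vulnerable(version: Optional[Version], jndi_present: bool) -> bool:
    """Exposed if the version is an affected 2.x AND the lookup class is still shipped.
    2.15.0 is treated as affected: it closes CVE-2021-44228 but not the follow-on
    CVE-2021-45046, so it still needs updating."""
    if version is None:        # unknown version: decide on the class alone
        return jndi_present
    if version[0] != 2:        # Log4j 1.x is not affected by CVE-2021-44228
        return False
    if version in SAFE_BACKPORTS or version >= FIXED_VERSION:
        return False
    return jndi_present


def scan_jar(source: Union[str, Path, io.BytesIO], filename: str = "") -> Dict[str, object]:
    """Inspect one jar; `source` may be a path or an in-memory file object."""
    if not filename and isinstance(source, (str, Path)):
        filename = Path(source).name
    with zipfile.ZipFile(source) as zf:
        names = set(zf.namelist())
        is_core = any(n.startswith("org/apache/logging/log4j/core/") for n in names)
        jndi = JNDI_LOOKUP in names
        version = jar_version(zf, names, filename)
    return {
        "file": filename,
        "log4j_core": is_core,
        "version": version,
        "jndi_lookup": jndi,
        "vulnerable": is_core and is_vulnerable(version, jndi),
    }


def scan_tree(root: Union[str, Path]) -> List[Dict[str, object]]:
    """Walk a directory tree (e.g. a vendor install folder) and return the log4j-core
    jars found. Jars nested inside other jars or WARs are not opened; extract those first."""
    results = []
    for path in Path(root).rglob("*.jar"):
        try:
            report = scan_jar(path)
        except (zipfile.BadZipFile, OSError):
            continue
        if report["log4j_core"]:
            results.append(report)
    return results


def build_sample_jar(version: str, include_jndi: bool) -> io.BytesIO:
    """Constructed stand-in for a log4j-core jar (sample data, not a real artefact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr(POM_PROPS,
                    f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    import sys
    for report in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(report)
```

Run it against the vendor's install directory (for example the PowerChute folder) rather than the whole drive first; a jar whose version is unknown but still contains JndiLookup.class is reported as vulnerable on purpose, since the class is what the exploit needs. A reported "not vulnerable" for a jar with the class removed only holds if the application was restarted after the removal.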

Ransomware Activity Targeting the Healthcare and Public Health Sector - October 30, 2020

Hologic is closely monitoring ransomware activity, including the Ryuk and Conti families, targeting the healthcare and public health sector. The most common method of ransomware distribution is spam or phishing email.

Hologic Breast and Skeletal products do not contain email clients and are significantly hardened to limit exploitation from this and other malware by disabling many of the services that malware can use to propagate across a network.

We recommend that all customers continue to follow cybersecurity best practices, including the use of firewalls, restricting external internet access, running updated anti-virus software, and keeping validated security patches up to date.

For more information, please visit https://us-cert.cisa.gov/ncas/alerts/aa20-302a
 
