The healthcare sector is among the many organisations that have been targeted by cybersecurity attacks, including hospitals that hold a massive number of confidential patient data that could be exposed to data leaks when software vulnerabilities arise.
Nonetheless, hackers still prefer targeting the sectors that would provide them with surefire financial profit and tend to ignore health institutions that would likely give lesser turnover. Though it is advised that the security vulnerabilities of these institutions should not be ignored since they still possess important records of patients and other valuable data that threat actors may go after.
In related news, some machines under the healthcare solutions firm Aethon were found with five critical vulnerabilities in their TUG or mobile robots that aid hospitals in daily operations.
These TUG or mobile robots run errands for servicing hospitals, such as cleaning, delivering linen to patient rooms, medicine delivery, and other supplies needed by the healthcare staff and patients.
The five critical vulnerabilities were found during an audit for a healthcare provider that uses the TUG robots. These flaws have allowed hackers to control them into doing malicious activities like taking photos, prying on real-time camera recordings, accessing sensitive records, disrupting the delivery of health-related supplies, and more that could affect services to patients.
Now assigned as CVEs, the five flaws found in the hospital mobile robots include CVE-2022-1066, CVE-2022-26423, CVE-2022-27494, CVE-2022-1070, and CVE-2022-1059.
The description of these vulnerabilities includes allowing attackers to modify existing user accounts or add new ones, allowing them access to hashed credentials, allowing XSS attackers to activate report pages, allowing attackers to access the TUG Home Base Server and control the robots, and exposure to reflected XSS attacks due to unneutralised user-controlled input in a web portal.
Even though the healthcare provider that used the robots were disconnected from the internet, experts explained that several other hospitals had robots connected online, which could be controlled remotely from a research lab.
Upon getting notified about the vulnerabilities in their TUG robots, the healthcare solutions firm Aethon, and their team of security experts have developed suitable patches to fix and update the machines to the latest version. The healthcare solutions firm also established firewall updates within their client hospitals to limit public access and exposure to possible attacks.