February 29, 2024
Important Update on Mirth Connect Cybersecurity Vulnerability
The purpose of this advisory is to provide an update regarding the Mirth Connect cybersecurity vulnerability.
Bayer has performed an initial assessment of the recently disclosed remote code execution vulnerabilities affecting Mirth Connect versions prior to 4.4.1 (CVE-2023-37679 and CVE-2023-43208).
After conducting a thorough analysis, we have determined that the following Bayer devices contain a vulnerable version of Mirth Connect:
- MEDRAD® Stellant FLEX CT Injection System
- MEDRAD® Stellant CT Injection System with Certegra® Workstation
- MEDRAD® MRXperion MR Injection System
To date, we have not been notified that the operation of any Bayer device has been adversely impacted due to the Mirth Connect vulnerability.
Overview of Bayer response:
To mitigate any future risk potential, Bayer will take one of the two actions outlined below to ensure that the Mirth Connect vulnerability is addressed in all fielded Bayer devices.
- Action 1: Patch deployment to Bayer devices connected to VirtualCARE® Remote Support.
  - Bayer has validated and released a patch for the vulnerability for use with its devices.
  - Bayer's Technical Assistance Center may deliver the patch to customer devices with an active VirtualCARE® Remote Support connection. Remote patch delivery should result in minimal workflow disruption.
- Action 2: Patch deployment to Bayer devices not connected to VirtualCARE® Remote Support.
  - Standalone devices, or devices that are connected to the facility’s internal network but not to VirtualCARE® Remote Support, cannot be patched remotely.
  - If your unit cannot be patched remotely, please contact the Bayer Connectivity Team at tacvirtualcare@bayer.com to receive the patch. Alternatively, please contact our support team at 1-800-633-7237, x1 to schedule Bayer Service. Remote patch delivery should result in minimal workflow disruption.
For customers under a service agreement, the solution will be installed on your next service event. Customers without a service agreement can contact our support team at 1-800-633-7237, x1 to schedule Bayer Service.
April 26, 2022
Important Update on Potential Cyber Security Vulnerability
The purpose of this advisory is to provide an update regarding cybersecurity advisories received from several of Bayer’s third-party vendors and the potential for these vulnerabilities to impact Bayer connected devices and software, including MEDRAD® Injection Systems and Radimetrics® Dose Management Software.
Vulnerabilities
- Apache Log4j Vulnerability - “Log4Shell” (CVE-2021-44228)
- PTC Axeda Vulnerabilities - “Access:7” (CVE-2022-25246, CVE-2022-25247, CVE-2022-25248, CVE-2022-25249, CVE-2022-25250, CVE-2022-25251, CVE-2022-25252)
- Microsoft Windows 10 IKE Extension Remote Code Execution Vulnerability (CVE-2022-21849)
- Microsoft Windows 10 Remote Procedure Call Runtime Remote Code Execution Vulnerability (CVE-2022-26809)
Since learning of these vulnerabilities, Bayer has assessed each of them and developed an action plan for prompt remediation for our customers.
As patient safety is our top priority, we conducted a comprehensive evaluation of scenarios that could result from a potential attack. Per the FDA guidance, we have determined that the risk of patient harm associated with these vulnerabilities falls into the category of controlled risk.
Overview of Bayer response:
Apache Log4j Vulnerability - “Log4Shell”, PTC Axeda Vulnerabilities - “Access:7”
- We have been working with urgency to minimize any potential impact to our customers and have deployed a patch to all Bayer devices connected to VirtualCARE® Remote Support to address the PTC Axeda Agent Access:7/Log4j vulnerability. Injectors that have received this patch are no longer at risk for the specific vulnerabilities. Customers receiving a remote patch will receive an additional software update during their next preventative maintenance or service visit to update the product software on Bayer device(s) to the latest Product ISO Image.
- In addition, we have implemented a software update solution for devices not currently connected via VirtualCARE® Remote Support. The solution will be deployed during your next Service visit.
Microsoft Windows 10 Vulnerabilities
- An ISO Image software update will be installed on site for customers who have products with potential impact. Because of the size of the software image, this update cannot be delivered remotely. Bayer will be in touch with customers to schedule this update, or customers will receive the software update during their next preventative maintenance or on-site Service visit.
Products with Potential Impact
Below is a list of Bayer connected devices and software products with potential impact. *Products with an asterisk are VirtualCARE® Remote Support enabled systems. If your enabled system has an active VirtualCARE® connection, you are at risk for the vulnerabilities.
- Medrad® Intego PET Infusion System - Windows 10 ONLY
- *Medrad® Stellant CT Injection System with Certegra® Workstation
- *Medrad® Stellant Flex CT Injection System
- *Medrad® MRXperion MR Injection System
Digital Solutions Platform
- *Radimetrics® Dose Management Software
VirtualCare® Module
Note: Additional Systems may be impacted ONLY if connected to a VirtualCare® Module, as follows:
- Medrad® Mark 7 Arterion Injection System
- Medrad® Avanta Fluid Management Injection System
- Medrad® Stellant Dual CT Injection System
- Medrad® Stellant Single Syringe CT Injection System
- Medrad® Spectris Solaris EP MR Injection System
- Medrad® Intego PET Infusion System - Windows 7
Thank you for your patience as we work to provide a software update to all customers with a potential impact. For questions, e-mail USdevicenotification@bayer.com or please contact the Bayer Device Notification Line, 1-877-229-3767.
Bayer is transitioning from Axeda to ThingWorx to continue delivering VirtualCARE® Remote Support services to connected customers
March 28, 2022
Bayer has partnered with PTC to implement their latest generation ThingWorx IoT solution as the platform for our VirtualCARE services.
The PTC ThingWorx solution was identified as a leading IoT platform in the most recent Gartner Magic Quadrant Report.*
*Gartner Report - Published 18 October 2021 - ID G00738243
For several years, Bayer has relied on PTC’s Axeda platform to securely deliver VirtualCARE® Remote Support services to connected customer equipment and software through the cloud. PTC has announced that in the near future, it will no longer support Axeda, a first-generation platform. As a result, Bayer will be transitioning to ThingWorx, PTC’s next-generation connectivity platform, to continue to provide customers with VirtualCARE services while leveraging the latest available technology.
Bayer has completed the PTC cloud platform transition and is in the process of updating its installed base of devices to the latest release of ThingWorx.
What does my facility need to know about the transition to ThingWorx?
- Bayer will notify customers in advance of any updates as a part of the completion of the migration. Please continue to visit this Information Technology Advisory web page for ongoing updates.
- During the migration, customers should expect no interruption to the operation of their Bayer equipment and software. Bayer anticipates that any disruption to customers’ VirtualCARE services during the migration will be minimal.
- Bayer’s transition to ThingWorx will not impact contract pricing or entitlements for customers with active Bayer Service Agreement Program(s).
- Customer facilities using IP address(es), as opposed to domain names, in their corporate firewall rules to allow Bayer to deliver VirtualCARE services should prepare for the ThingWorx server IP addresses to change as a result of this transition. Bayer will provide the new addresses in follow-up communication via our whitepaper.
- After the transition to ThingWorx, Bayer will continue to deliver VirtualCARE Remote Support services that will provide improved levels of security that our customers have come to trust and depend on from Bayer.
We are committed to supporting our customers through the completion of the Axeda to ThingWorx IoT solution migration. If you have immediate questions or concerns, please contact the Bayer Technical Assistance Center for support.
Ripple20 Cybersecurity Vulnerabilities
July 20, 2020
Bayer has performed an initial assessment of the recently cited Ripple20 vulnerabilities discovered in the Treck TCP/IP stack, which have the potential to affect any device running on an Intel-manufactured processor.
Ripple20 and Radimetrics™ Dose Management:
After thorough analysis, Bayer has determined that Ripple20 could pose a threat to the Radimetrics Dose Management application.
The Radimetrics application is deployed on a virtual machine running on the customer’s hardware. The threat depends on the actual hardware deployment of the application, and the vulnerability of the specific Intel chips and firmware. Intel has released patches for these vulnerabilities, and Bayer recommends that customers review the Intel Security Advisory for specific hardware that is impacted, in order to determine their best course of action.
The following Intel CVEs pertain to a potential Denial-of-Service attack that is specific to IPv6 implementations only. If a Denial-of-Service attack occurs, the Radimetrics application follows its standard recovery process.
- CVE-2020-0594
- CVE-2020-0595
- CVE-2020-0597
The following CVEs pertain to information disclosure of DHCPv6 related data (network configuration data) on the local area network:
- CVE-2020-0596
- CVE-2020-8674
Ripple20 and Bayer Injection Systems:
Bayer is currently evaluating these vulnerabilities and assessing their potential to impact Bayer injection systems, including the MEDRAD® Stellant FLEX CT Injection System, the MEDRAD® Stellant CT Injection System with Certegra® Workstation, the MEDRAD® MRXperion MR Injection System, the MEDRAD® Intego PET Infusion System and any system connected to VirtualCARE™ Remote Support.
To complete its evaluation, Bayer is in contact with its suppliers to determine if there is any impact to these devices. In general, the threat depends on the actual hardware deployment and the Treck TCP/IP stack implementation. Additional information regarding these vulnerabilities can be found at the CERT Coordination Center.
Bayer prioritizes product security and will share additional updates related to the Ripple20 vulnerabilities as needed. Please continue to visit this Information Technology Advisory web page for the latest information.
Apache Tomcat and Radimetrics™ Radiation Dose Management
July 20, 2020
Bayer has performed a risk assessment of the end-of-life Apache Tomcat web server version 8.0.24, which is currently used in Bayer’s Radimetrics™ Radiation Dose Management application.
As a result of the assessment, we have determined that there are currently no publicly known vulnerabilities that could result in risk to the Radimetrics application. Additionally, Radimetrics employs the following controls to further mitigate the potential for risk:
- Username and password authentication is required for data access
- System and data access are restricted to authorized users only
- Access to patient data is recorded in log files
- Special configurations are required to send certain data to specific clients
- SSL encryption on web connections can be implemented at the customer’s request
- Host computer isolation via Virtual Machine functionality and data loss prevention/disaster recovery via optional backups/snapshots are enabled
Bayer is planning a Radimetrics software upgrade, which is expected to be released in 2020. This upgrade will include updates to Apache Tomcat, among other software components, as well as an enhanced user interface and additional product features.
If you have additional questions about how this Apache Tomcat product lifecycle milestone impacts your Radimetrics software, please contact the Bayer Technical Assistance Center.
SweynTooth Cybersecurity Vulnerabilities
March 10, 2020
The U.S. Food and Drug Administration (FDA) recently notified the healthcare community about the SweynTooth family of cybersecurity vulnerabilities, which are associated with Bluetooth Low Energy wireless communication technology and have the potential to impact medical devices.
To read the full notification, please visit the FDA press announcement web page and select the below titled article from March 3, 2020:
FDA Informs Patients, Providers and Manufacturers About Potential Cybersecurity Vulnerabilities in Certain Medical Devices with Bluetooth Low Energy
Given this announcement, we want to assure you that Bayer injection systems do not utilize Bluetooth. Therefore, the SweynTooth vulnerabilities do not pose a threat to any fielded Bayer injection system.
Important Update - AVG AntiVirus Software used with Bayer devices operating on Microsoft® Windows 7
The purpose of this message is to provide you with an update on the Microsoft® Windows 7 to Windows 10 transition plan for your Bayer device.
As previously communicated, although Microsoft will support Windows Embedded Standard 7 Service Pack 1 through October 13, 2020, the current AVG AntiVirus software protection on Bayer devices running this version of Windows 7 will expire on January 31, 2020.
The Bayer Service team has been working to transition customers to Windows 10 in advance of the Windows Embedded Standard 7 Service Pack 1 end-of-support date, to ensure that all compatible fielded devices receive ongoing security updates and antivirus protection. As a reminder, any Bayer device running Windows 7 is operating on Windows Embedded Standard 7 Service Pack 1.
In the interim, to ensure that customer devices running Windows 7 do not experience a lapse in antivirus coverage, Bayer will take the following immediate actions:
Customers with a Certegra® Workstation or VirtualCARE™ Box operating on Windows 7 and actively connected to VirtualCARE™ Remote Support
Virtual Updates:
- Beginning the week of January 20, 2020, Bayer will remotely deliver a security update to all customers with Windows 7 to extend AVG antivirus protection for one year. This update will occur virtually, and customers will not notice any changes to their operating system, nor will they be required to reboot their Bayer device. The security update will not impact or disrupt any patient procedures.
- This update doesn’t impact the Windows 10 migration, which will still occur before October 2020. This extended protection will ensure the continued functionality of the AVG software until product software on the device is updated to Windows 10.
Customers with a Certegra® Workstation or VirtualCARE™ Box operating on Windows 7 and not actively connected to VirtualCARE™ Remote Support
- As previously communicated, a Bayer Service representative will contact you to migrate your system to Windows 10 before October 13, 2020.
- If your Workstation isn’t connected to VirtualCARE™ Remote Support but is connected to your hospital network, please contact Bayer Service for an assessment of next steps related to the migration.
- If you have any other questions or concerns regarding the upgrade or your AVG software, please contact Bayer Service at 1-877-229-3767.
Certegra® Box
- As previously communicated, the Certegra® box (legacy hardware used to enable informatics connectivity prior to the release of the Certegra® Workstation) reached its end of life on January 1, 2020. End of life means that Bayer will no longer offer service or support, including antivirus updates, on the installed base of Certegra® Boxes in the US.
Windows 10 Migration
Bayer remains committed to installing Microsoft® Windows 10 on all compatible fielded devices, which will provide customers with antivirus protection through Microsoft Windows Defender. The Microsoft Windows migration applies to all customers. The transition will happen either through a product software update or an equipment platform upgrade.
For more information regarding the transition to Windows 10 for Bayer devices, please refer to the Information Technology Advisory from October 29, 2019 below.
Urgent/11 Vulnerability
November 22, 2019
Bayer has performed an assessment of the recently announced URGENT/11 vulnerability, which affects VxWorks. VxWorks is the most widely used real-time operating system (RTOS) in the world, and Bayer uses it in some of our devices. The vulnerability resides in the VxWorks TCP/IP stack (IPnet), impacting all versions since version 6.5.
Based on our analysis, we have determined that no Bayer devices are affected by the URGENT/11 vulnerability, due to the versions that we employ in our devices.
Product security and safety are of tremendous importance to Bayer, and we will continue to monitor the situation and the associated activity and provide updates, as needed.
Information on Orangeworm vulnerability
April 30, 2018
Bayer Radiology has performed an assessment of the below-listed Orangeworm vulnerability and, based on the current understanding and our internal research, we have determined that there is no immediate safety or security threat to Bayer Radiology medical devices, including MEDRAD® Stellant and MEDRAD® MRXperion control room units (Certegra® Workstations), Certegra® and VirtualCare™ devices, MEDRAD® Intego, and Certegra® Connect CT. This is because the current primary attack vector is phishing, which is not supported on these Bayer Radiology medical devices. Bayer Radiology medical devices are not a primary entry point for a phishing-based attack such as Orangeworm, but they are highly dependent on the strength of the network on which they are deployed. Bayer Radiology recommends regular network maintenance and patch updates to mitigate vulnerabilities such as Orangeworm.
The Bayer Radiology Radimetrics™ Enterprise Platform is not impacted by this vulnerability, as it is a Linux-based system and does not rely on MS Windows.
We will continue to monitor the situation and the associated activity and provide updates as needed.
Potential Orangeworm vulnerability:
- Trojan.Kwampirs: a Trojan-type virus affecting MS Windows systems, which may open a back door on the compromised system and download potentially malicious files.
Information on Meltdown and Spectre security issue
January 15, 2018
Bayer Radiology is committed to product safety and security, and an integral element of the Bayer cyber response process is the ongoing global monitoring for cybersecurity signals. Bayer Radiology maintains a testing and monitoring infrastructure, complete with assessment and vulnerability analysis tools, that enables continuous awareness of industry threats. Currently, our Bayer Radiology CyberSecurity team is conducting risk and vulnerability assessments of the recently discovered Meltdown and Spectre vulnerabilities in order to determine potential impact on Bayer Radiology products.
Bayer Radiology will continue to monitor activity and updates associated with the Meltdown and Spectre vulnerabilities, including mitigation solutions being released by various entities. Bayer will continue to post updates regarding this security issue on this website. Customers requiring further assistance should call Bayer at 1-877-229-3767.