Publication Version | Publication Notes/Changes | Publish Date |
1.0 | Initial publication | October 30, 2020 |
Spacelabs Healthcare has been made aware of a ransomware campaign attributed to the Ryuk group impacting healthcare and public sector organizations. The Ryuk group and its malware campaigns have been known in the industry for several years and have a history of success in compromising and disrupting businesses and IT operations. Spacelabs has conducted an assessment to identify the potential impact of this campaign on our products, including whether a product can be maliciously encrypted or used as a vector to spread the malware.
Current threat analyses of the Ryuk group’s latest campaign are finding that the malware primarily targets devices running Windows operating systems. Initial reported compromises have been attributed to successful email phishing campaigns, followed by exploitation of several common Windows services such as Remote Desktop Protocol (RDP) and network file shares to propagate the malware. A joint cybersecurity advisory has been published by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) regarding the current Ryuk malware campaign:
Spacelabs recommends the following defenses and mitigations be applied to an enterprise environment.
- Train employees on social engineering and phishing techniques. Have a policy or process in place to report suspicious emails to the appropriate event and incident responders.
- Apply applicable patches, hotfixes, and updates to servers and products when available and after they have been validated.
- Implement defense-in-depth within the enterprise environment consisting of tools such as Intrusion Detection/Prevention Systems (IDS/IPS), firewalls, and network access control (NAC).
- Implement and maintain an anti-malware solution (also called “anti-virus”) and an endpoint detection and response (EDR) solution.
- Disable remote access services and protocols such as Remote Desktop Protocol (RDP) unless needed. Monitor and restrict remote access usage on a least privilege basis.
- Have backup and restore processes and procedures in place for disaster recovery and incident response.
- Monitor and maintain account provisioning and access control based on the principle of least privilege.
- Block suspicious external IP addresses at the enterprise firewalls. Monitor traffic internally for unusual behavior.
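The following PowerShell script is an added example for two of the recommendations above (disabling Remote Desktop where it is not needed, and monitoring remote access usage); it is not part of the Spacelabs advisory and is not Spacelabs code. It audits a single Windows host's RDP exposure, lists recent RDP logons from the Security event log, and only disables RDP when the `-Disable` switch is given. The switch name, the `$LookbackDays` default, and the assumption of an elevated session on Windows 8.1 / Server 2012 R2 or later (for the NetSecurity module) are choices of this example, not settings from the advisory.

```powershell
<#
Added example (not from the Spacelabs advisory): audit Remote Desktop exposure on one Windows host.
Assumes an elevated session on Windows 8.1 / Server 2012 R2 or later.
The -Disable switch and $LookbackDays are assumptions of this example.
#>
param(
    [switch]$Disable,        # turn RDP off on this host when set
    [int]$LookbackDays = 7   # how far back to look for RDP logons
)

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$nlaKey = Join-Path $rdpKey 'WinStations\RDP-Tcp'

# fDenyTSConnections = 1 means the host refuses incoming RDP sessions.
$denyTs = (Get-ItemProperty -Path $rdpKey -Name fDenyTSConnections).fDenyTSConnections
# UserAuthentication = 1 means Network Level Authentication is required before a session starts.
$nla = (Get-ItemProperty -Path $nlaKey -Name UserAuthentication).UserAuthentication
$svc = Get-Service -Name TermService
# The built-in Windows Firewall rules for RDP live in the 'Remote Desktop' display group.
$inboundRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' })

[pscustomobject]@{
    Host                   = $env:COMPUTERNAME
    RdpConnectionsAllowed  = ($denyTs -eq 0)
    NlaRequired            = ($nla -eq 1)
    TermServiceStatus      = $svc.Status
    InboundRdpRulesEnabled = $inboundRules.Count
} | Format-List

# Recent RDP logons: Security event 4624 with LogonType 10 (RemoteInteractive).
# In a 4624 event, Properties[5] is TargetUserName, [8] is LogonType, [18] is IpAddress.
$since = (Get-Date).AddDays(-$LookbackDays)
$rdpLogons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 10 } |
    ForEach-Object {
        [pscustomobject]@{
            Time     = $_.TimeCreated
            User     = $_.Properties[5].Value
            SourceIp = $_.Properties[18].Value
        }
    }

if ($rdpLogons) {
    Write-Output "RDP logons in the last $LookbackDays day(s):"
    $rdpLogons | Sort-Object Time -Descending | Format-Table -AutoSize
} else {
    Write-Output "No RDP logons recorded in the last $LookbackDays day(s)."
}

if ($Disable) {
    # Refuse new sessions, close the firewall, and stop the service so it cannot be re-enabled by accident.
    Set-ItemProperty -Path $rdpKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Stop-Service -Name TermService -Force          # -Force also stops dependent services
    Set-Service -Name TermService -StartupType Disabled
    Write-Output "Remote Desktop disabled on $env:COMPUTERNAME"
}
```

Run the script from an elevated prompt to get the audit report only; add `-Disable` on hosts that have no business need for Remote Desktop. The logon listing is the simplest form of the "monitor remote access usage" recommendation: a host that is supposed to have RDP disabled but shows LogonType 10 events is worth an incident ticket.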
In response to the latest Ryuk campaign, Spacelabs has conducted an assessment to identify devices potentially at risk for this ransomware campaign. Please note information is subject to change as the situation evolves.
Patient Monitoring and Connectivity Products
Product | Host Operating System | Impact Assessment |
XprezzNet 96190 | Windows Server 2012 R2, Windows Server 2016 | XprezzNet software is not directly impacted by this campaign. However, XprezzNet is hosted in the customer’s environment. It is the customer’s responsibility to manage the security of the host environment. Windows patch qualifications are available on our customer web portal. |
Intesys Clinical Suite (ICS) | Windows Server 2012 R2, Windows Server 2016 | ICS software is not directly impacted by this campaign. ICS products are hosted in the customer’s environment. It is the customer’s responsibility to manage the security of the host environment. Windows patch qualifications are available on our customer web portal. |
Xhibit Telemetry Receiver (XTR) 96280 | Windows Embedded Standard 7 SP1 | Version 1.2.1 – No risk due to system architecture and hardening. It is recommended to have the XTR devices on their own isolated network or as part of a controlled monitoring network, separate from an enterprise network. |
Xhibit 96102 / XC4 96501 | Windows Embedded Standard 7 SP1 | Version V1.3.5 – No risk due to system architecture and hardening. It is recommended to have the Xhibit/XC4 devices on a controlled monitoring network, separate from an enterprise network. |
Bedside Monitors | VxWorks 6.6 | Not at risk due to system architecture. |
Diagnostic Cardiology Products
Product | Host Operating System | Impact Assessment |
Sentinel | Windows 7 & 10, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 | Sentinel is not directly impacted by this campaign. However, Sentinel is hosted in the customer’s environment. It is the customer’s responsibility to manage the security of the host environment. Windows patch qualifications are available on our customer web portal. |
Pathfinder SL | Windows 7, Windows 10 | Pathfinder SL is not directly impacted by this campaign. However, Pathfinder SL is hosted in the customer’s environment. It is the customer’s responsibility to manage the security of the host environment. Windows patch qualifications are available on our customer web portal. |
Lifecard CF | No OS | Not at risk due to system architecture. |
EVO | No OS | Not at risk due to system architecture. |
CardioExpress SL6A SL12A / CardioExpress SL18A | Embedded OS | Not at risk due to system architecture. |
ABP | No OS | Not at risk due to system architecture. |
Additional Resources
- Spacelabs Cybersecurity Information
https://spacelabshealthcare.com/products/security/
- Spacelabs Security Advisories
https://spacelabshealthcare.com/products/security/security-advisories-and-archives/
- Spacelabs Patch Qualification Customer Portal
https://spacelabshealthcare.com/products/security/patch-test-reports-access-form/?redirect_to=%2Fproducts%2Fsecurity%2Fpatch-test-reports%2F
- Microsoft Blog on Trickbot Botnet (used to distribute the Ryuk malware)
https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/
- Further details about the Ryuk group
https://www.hhs.gov/sites/default/files/ryuk-update.pdf
- Technical breakdown of the latest threat intel
https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/