
Multiple vulnerabilities in the Hospital Information System (HIS) KISIM of CISTEC AG

Swiss Health Sector

NTCF: NTCF-2023-78452

Product: KISIM

Vendor: CISTEC AG

Criticality: high

Status: fixed

Discovered: 2023-12-04

Detail: Public

Vulnerable version: <=5.6.0.3

Fixed version: 5.6.0.4

Description

Multiple vulnerabilities have been identified in the Hospital Information System (HIS) KISIM of CISTEC AG.

According to CISTEC, all relevant vulnerabilities have been fixed or mitigated in KISIM version 5.6.0.4.

In accordance with the NTC Vulnerability Disclosure Policy, the details of these vulnerabilities will not be publicly disclosed.
Affected hospitals can find detailed information on the identified vulnerabilities, along with recommendations, on the NCSC's Cyber Security Hub, which is available free of charge to all Swiss operators of critical infrastructure, including hospitals. Alternatively, CISTEC or the NTC can provide further information to the affected organisations.

The NTC has published a summary report on the security of hospital information systems: Summary Report HIS.

Timeline

2023-12-04: initial discovery

2023-12-15: private disclosure

2024-09-04: fix by vendor

2024-11-26: Cyber Security Hub publication

2025-01-23: public disclosure