Password vulnerabilities within 300 medical devices from 40 vendors have been discovered by a pair of researchers from security vendor Cylance, according to a recently issued Department of Homeland Security alert, FierceHealthIT reports (Bowman, FierceHealthIT, 6/21).
Experts have warned that the health care sector is among the industries most vulnerable to hacking and cyberattacks. An August 2012 report from the Government Accountability Office found that some medical devices -- such as defibrillators and insulin pumps -- are vulnerable to hacking (iHealthBeat, 6/13).
Details of the DHS Alert
Billy Rios and Terry McCorkle -- technical directors at Cylance -- found exposed "backdoor passwords" on medical devices, such as:
- Mammography equipment;
- Infant incubators;
- Lab equipment;
- Infusion devices; and
- Patient monitors.
Rios said an "unauthorized and non-technical person can get into a medical device and reprogram the device to do whatever they want" -- including changing drug dosage or causing the device to produce inaccurate readings -- and "you'd never be able to detect it."
The DHS Industrial Control Systems-Cyber Emergency Response Team noted that the researchers found vulnerabilities that "could be exploited to potentially change critical settings and/or modify device firmware."
ICS-CERT said it is working with FDA to address the issue (Kolbasuk McGee, GovInfoSecurity, 6/20).
Details of FDA Guidance
The findings came on the same day that FDA released draft guidance for medical device cybersecurity (FierceHealthIT, 6/21).
The FDA guidance recommended that medical device companies develop security controls that would:
- Limit malfunctions resulting from computer viruses; and
- Protect the confidentiality and integrity of data.
In addition, FDA officials urged device makers, when they seek market approval, to include plans for cyberattacks that intentionally target medical devices.
The agency separately urged hospitals to look for cybersecurity failures, which often go undetected (iHealthBeat, 6/13).