Homeland Security Warns About Safety of 300 Medical Devices

TOPIC ALERT:

Password vulnerabilities within 300 medical devices from 40 vendors have been discovered by a pair of researchers from security vendor Cyclance, according to a recently issued Department of Homeland Security alert, FierceHealthIT reports (Bowman, FierceHealthIT, 6/21).

Background

Experts have warned that the health care sector is among the industries most vulnerable to hacking and cyberattacks. An August 2012 report from the Government Accountability Office found that some medical devices -- such as defibrillators and insulin pumps -- are vulnerable to hacking (iHealthBeat, 6/13).

Details of the DHS Alert

Billy Rios and Terry McCorkle -- technical directors at Cyclance -- found exposed "backdoor passwords" on medical devices, such as:

  • Defibrillators;
  • Mammography equipment;
  • Infant incubators;
  • Ventilators;
  • Lab equipment;
  • Infusion devices; and
  • Patient monitors.

Rios said an "unauthorized and non-technical person can get into a medical device and reprogram the device to do whatever they want" -- including changing drug dosage or causing the device to produce inaccurate readings -- and "you'd never be able to detect it."

The DHS Industrial Control Systems-Cyber Emergency Response Team noted that the researchers found vulnerabilities that "could be exploited to potentially change critical settings and/or modify device firmware."

ICS-CERT said it is working with FDA to address the issue (Kolbasuk McGee, GovInfoSecurity, 6/20).

Details of FDA Guidance

The findings came on the same day that FDA released draft guidance for medical device cybersecurity (FierceHealthIT, 6/21).

The FDA guidance recommended that medical device companies develop security controls that would:

  • Limit malfunctions resulting from computer viruses; and
  • Protect the confidentiality and integrity of data.

In addition, FDA officials urged device makers when they seek market approval to include plans for cyberattacks that intentionally target medical devices.

The agency separately urged hospitals to look for cybersecurity failures, which often go undetected (iHealthBeat, 6/13).

James Taylor
Two common principles of computer security should be applied, which are not mentioned in the GAO and FDA reports. - physical security. If the bad guy has physical access to the device data and program security is difficult or impossible. Denial of service attack is no more difficult than having the space to swing a hammer. Once an engineer can "pop the top" reprogramming is an exercise that takes only patience. - least vulnerability. Reprogramming ICDs or insulin pumps from a distance is frightening. But getting and using a gun is (much) easier and simpler. Don't protect against the difficult and ignore the simple. Fears related to individual devices is pointless politics (and PhD fodder). Real data vulnerabilities are those which effect devices en mass; with the addition of networking, allowing programmatic attack; or at point of manufacture, devices accessible through vulnerable manufacturing processes. Note: the FDA is working toward requiring network device event mo

to share your thoughts on this article.