A recent analysis of medical device cybersecurity tests shows that these devices are vulnerable to fairly straightforward hacking techniques, an increasingly serious concern as device security is directly tied to patient health and safety.
Cybersecurity firm SecureState conducted penetration tests on hospitals to reveal the top hacking vulnerabilities for medical devices such as IV pumps and X-ray machines, finding that medical devices are susceptible to fairly rudimentary hacks.
The chart-topping threat was a "denial of service," a hacking technique that overloads a target with requests and causes the server to crash, suspending internet connection. Earlier this year a pair of security researchers used a denial-of-service hack to demonstrate that a Philips(NYSE:PHG) Xper hospital management system could be infiltrated and “owned" fairly easily.
Because medical devices are more delicate than computers, they are more susceptible to denial-of-service hacks, SecureState researchers said. These attacks could seriously harm patients if the devices are disabled for too long.
Other uncovered vulnerabilities were password related, such as weak default passwords, "back-door" passwords pre-set by the manufacturer or web-enabled devices linked to a non-secure network without password prompts.
In addition, SecureState cited problems with Windows and Linux operating systems, which are often behind on software updates or running software so old it’s no longer supported by Microsoft. Missing security patches leave easy cracks for hackers to gain access to a device.
Another problem for WiFi connected devices come from certain traffic management interfaces using unencrypted systems to remotely administer or operate a device. Hackers observing the traffic could hijack a connection to alter device instructions or obtain patient information.
In 2008 medtech security researcher Kevin Fu originally uncovered security vulnerabilities in a Medtronic (NYSE:MDT) pacemaker, using unencrypted traffic between the device and its controller to reverse-engineer the code and control its shocking capabilities.
In the new analysis, SecureState called recent FDA guidance addressing the problem "too high level to be useful," according a company blog written by Matthew Neely. In the guidance, released earlier this month, the FDA asked companies to include an extra layer of review for device security before putting products on the market, stopping short of recommending any specific security measures.