MassDevice

The Medical Device Business Journal — Medical Device News & Articles | MassDevice

Home » Hacking: Password risk affects some 300 medical devices, says Homeland Security

Hacking: Password risk affects some 300 medical devices, says Homeland Security

By

medical device hacking

The Dept. of Homeland Security warned last month that some 300 medical devices may be vulnerable to malicious hacking thanks to manufacturers’ hard-coded default passwords. Devices at risk include external defibrillators, infusion pumps, lab and analysis equipment, ventilators and more.

The devices in question have "hard-coded" passwords that allow high-level access to the machines, designed to be used by technicians servicing the devices. The passwords are built into the software and are generally universal among all units of a particular model.

The hard-coded passwords could be used to manipulate the machines, altering critical settings or modifying the device’s firmware, according DOH’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT.

The agency learned of the vulnerabilities from a pair of software security experts, Billy Rios and Terry McCorkle of Cylance, who submitted a report demonstrating that the hard-coded passwords made the medical devices "remotely exploitable."

As usual, the federal agency noted that no medical device cyber-exploits have yet been reported in the real-world, so far limited to research settings. Nonetheless, the ICS-CERT is working with the FDA, medical device vendors and security researchers to mitigate the risk across all devices.

"Because of the critical and unique status that medical devices occupy, ICS-CERT has been working in close cooperation with the Food and Drug Administration in addressing these issues," according to the agency report. "ICS-CERT recommends that device manufacturers, healthcare facilities, and users of these devices take proactive measures to minimize the risk of exploitation of this and other vulnerabilities."

The agency said that it has been in communication with medtech vendors, asking them to confirm the password exploit in their devices and to identify ways to mitigate the risk.

"Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT and FDA for tracking and correlation against other incidents," the agency added.

Security researchers Rios and McCorkle have had brushes with medtech cybersecurity in the past. Earlier this year the duo demonstrated a hack on a a Philips(NYSE:PHG) XPER medical management system, exploiting a security flaw to "own" the machine and remotely control and modify its settings. In an interview with MassDevice.com the researchers explained how they had written 6 lines of rudimentary code to crash the hospital information system, take control and even use it as a gateway to access other devices operating on the same network.

In case you missed it

RSS From Medical Design & Outsourcing

  • iRhythm stays silent on federal grand jury subpoenas
    More than one year after receiving the first of two federal grand jury subpoenas seeking information about its products and communications with the FDA, iRhythm Technologies has said little publicly about the matter. It would have been easy to miss the San Francisco-based cardiac monitor maker’s initial disclosure last summer. iRhythm (Nasdaq:IRTC) was without a… […]
  • How Dexcom’s portfolio goes beyond highly-anticipated next-gen G7
    A lot of talk around Dexcom (Nasdaq:DXCM) in the last couple of years has centered around its next-generation G7 continuous glucose monitor. The latest iteration of the company’s CGM platform has already garnered CE mark this year and awaits FDA approval, with some expectations for that to come after the American Diabetes Association’s Scientific Sessions next month. The company also presented… […]
  • Texas power grid struggles in heat one year after record cold stopped semiconductor plants
    A heat wave in Texas took at least six power plants offline Friday with high temperatures forecasted to blaze throughout this week. A record cold snap in February 2021 took NXP Semiconductors and Samsung chip fabrication facilities offline for weeks, contributing to a global semicondcutor shortage that is still throttling medical device production. There’s no… […]
  • How Stryker includes users for product design in the digital age
    Medical device developers and manufacturers like Stryker (NYSE:SYK) are changing how they approach design as digital technology becomes more crucial. Four Stryker executives shared how the Kalamazoo, Michigan–based orthopedic device giant is thinking differently about medical product development and how health care providers and patients will ultimately use them. The DeviceTalks Boston panel of Stryker… […]
  • DermaSensor wins MedTech Innovator Mid-Stage Companies Pitch Event
    DermaSensor Inc. — the creator of a handheld, point-and-click device to quickly assess skin lesions for cancer risk — is the winner of the MedTech Innovator Mid-Stage Companies Pitch Event.  The Miami-based mid-stage company beat out 1,000 applicants, more than 20 of which competed on-site May 10–11, 2022 at DeviceTalks Boston. DermaSensor walked away with… […]
  • Steris rises on Street-beating Q4, sets fiscal 2023 guidance
    Steris (NYSE:STE) shares ticked up today on fourth-quarter financial results that came in just ahead of the consensus forecast. The infection prevention technology company — headquartered in Dublin, Ireland, and run operationally out of Mentor, Ohio — posted profits of $52.3 million, or 52¢ per share, on sales of $1.2 billion for the three months… […]
  • Lucira Health asks FDA for EUA on molecular at-home COVID/flu test
    Lucira Health (Nasdaq: LHDX) today said it has asked the FDA for an emergency use authorization (EUA) for its combination COVID-19 and flu test. Emeryville, California–based Lucira said the at-home test would be available with a prescription to test for SARS-CoV-2, Influenza A and Influenza B. The Nucleic Acid Amplification Test (NAAT) platform has a… […]
  • Device commercialization platform AcuityMD raises $31M Series A to fund R&D engineer hiring
    AcuityMD said today it has raised $31 million in Series A funding for its medical device commercialization platform. “With our new funding, we plan to double down on R&D by growing our engineering team from 15 to over 40 over the next year,” AcuityMD co-founder and CEO Michael Monovoukas said in a blog post. “We’ll… […]
  • Rockley Photonics announces $81.5M private placement
    Rockley Photonics (NYSE:RKLY) announced today that it entered into agreements for an $81.5 million private placement. Participating investors agreed to purchase $81.5 million in convertible senior secured notes (due 2026) and warrants to purchase 26.5 million Rockley ordinary shares at an exercise price of $5 per share, subject to certain anti-dilution adjustments. Warrants purchased in… […]
  • Stryker leaders talk medtech trends at DeviceTalks Boston: ‘If you’re slow, you’re going to lose’
    The first day of DeviceTalks Boston closed with a panel of Stryker (NYSE:SYK) executives discussing new tools, technologies and strategies in medtech. Digital VP Tracy Robertson, Digital, Robotics, and Enabling Technologies President Robert Cohen and Surgical Technologies VP of Digital Innovation Siddarth Satish offered their thoughts on industry trends in healthcare and at the Kalamazoo,… […]
  • Medtronic’s VC leader discusses risk, returns, strategy and an ‘ugly truth’
    A panel of medtech investors convened today for DeviceTalks Boston included David Neustaedter, VP of venture capital at Medtronic (NYSE: MDT). He’s spent 14 years in the role, including as director of venture capital at Covidien before Medtronic acquired the company. (Read more in his DeviceTalks speaker bio.) Medtronic has more than $500 million in… […]

Leave a Reply