MassDevice

The Medical Device Business Journal — Medical Device News & Articles | MassDevice

Home » Hacking: Password risk affects some 300 medical devices, says Homeland Security

Hacking: Password risk affects some 300 medical devices, says Homeland Security

By

medical device hacking

The Dept. of Homeland Security warned last month that some 300 medical devices may be vulnerable to malicious hacking thanks to manufacturers’ hard-coded default passwords. Devices at risk include external defibrillators, infusion pumps, lab and analysis equipment, ventilators and more.

The devices in question have "hard-coded" passwords that allow high-level access to the machines, designed to be used by technicians servicing the devices. The passwords are built into the software and are generally universal among all units of a particular model.

The hard-coded passwords could be used to manipulate the machines, altering critical settings or modifying the device’s firmware, according DOH’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT.

The agency learned of the vulnerabilities from a pair of software security experts, Billy Rios and Terry McCorkle of Cylance, who submitted a report demonstrating that the hard-coded passwords made the medical devices "remotely exploitable."

As usual, the federal agency noted that no medical device cyber-exploits have yet been reported in the real-world, so far limited to research settings. Nonetheless, the ICS-CERT is working with the FDA, medical device vendors and security researchers to mitigate the risk across all devices.

"Because of the critical and unique status that medical devices occupy, ICS-CERT has been working in close cooperation with the Food and Drug Administration in addressing these issues," according to the agency report. "ICS-CERT recommends that device manufacturers, healthcare facilities, and users of these devices take proactive measures to minimize the risk of exploitation of this and other vulnerabilities."

The agency said that it has been in communication with medtech vendors, asking them to confirm the password exploit in their devices and to identify ways to mitigate the risk.

"Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT and FDA for tracking and correlation against other incidents," the agency added.

Security researchers Rios and McCorkle have had brushes with medtech cybersecurity in the past. Earlier this year the duo demonstrated a hack on a a Philips(NYSE:PHG) XPER medical management system, exploiting a security flaw to "own" the machine and remotely control and modify its settings. In an interview with MassDevice.com the researchers explained how they had written 6 lines of rudimentary code to crash the hospital information system, take control and even use it as a gateway to access other devices operating on the same network.

In case you missed it

RSS From Medical Design & Outsourcing

  • Download COMSOL News Special Edition Biomedical
    Get instant access to this special edition of COMSOL News where you will read user stories that showcases how simulation enables engineers, researchers, and scientists explore and analyze biomedical designs. Download Now.       The post Download COMSOL News Special Edition Biomedical appeared first on Medical Design and Outsourcing.
  • Qosina adds new tube-to-tube barb connectors
    Qosina has added 25 new tube-to-tube barb connectors to its portfolio, the OEM single-use component supplier for the medical and pharmaceutical industries said this week. Ronkonkoma, New York-based Qosina said its inventory of tube-to-tube barb connectors is available in more than 500 configurations. The connectors can fit inner tube diameters between 1/32 in and 1… […]
  • Abbott imaging catheter recall flagged as Class I by FDA
    The FDA has identified the Abbott (NYSE:ABT) recall of its Dragonfly OpStar Imaging Catheter as a Class I recall. That’s the most serious level of a medical device recall, carrying the risk of serious injury or death. Five incidents, one injury and zero deaths were reported when Abbott initiated the recall on April 11. The… […]
  • Zimmer Biomet adds ESG and CEO visibility to executive’s duties
    Zimmer Biomet (NYSE:ZBH) today announced additional responsibilities for Investor Relations SVP and Chief Communications Officer Keri Mattox. Mattox’s new title at the Warsaw, Indiana-based orthopedics company is chief communications and administration officer. She will be responsible for “building and executing a comprehensive strategy around Environmental, Social and Governance (ESG) initiatives and increasing CEO visibility, engagement… […]
  • ‘Catastrophic explosion’ and resin shortage led Medtronic’s supply chain problems
    Medtronic CEO Geoff Martha today said a “catastrophic explosion” in Medtronic’s supply chain for packaging and a shortage of resins were the biggest issues hurting the company’s fourth-quarter performance. Fridley, Minnesota-based Medtronic (NYSE:MDT) reported about $350 million less in sales than analysts were expecting for the quarter, which ended April 29. Martha said about 75%… […]
  • 3M Health Care Business president is leaving this year
    3M Health Care Business Group President Mojdeh Poul will retire from the company on July 1, 2022. Poul joined Maplewood, Minnesota-based 3M (NYSE:MMM) in 2011 as the global business VP of critical and chronic care solutions. She later became VP and general manager of the company’s food safety business and president of numerous 3M divisions,… […]
  • Iterative Scopes announces positive data in Skout AI colonoscopy algorithm clinical trial
    Iterative Scopes this week announced positive trial data in a study of its colorectal cancer screening algorithm, Skout. Cambridge, Massachusetts-based Iterative Scopes designed Skout as a computer-aided device (CADe) that uses artificial intelligence and computer vision technology to detect suspicious tissue and provide real-time feedback for gastroenterologists performing the procedure. Get the full story on… […]
  • Device developer SeaStar Medical hires chief medical officer
    SeaStar Medical has hired Dr. Kevin Chung as chief medical officer of the medtech developer starting July 1. Denver-based SeaStar is developing a platform therapy focused on hyperinflammation of vital organs. The company’s Selective Cytopheretic Device was designated as a breakthrough device by the FDA earlier this year. SeaStar is set to go public in… […]
  • Varta presents microbattery product portfolio at Computex 2022
    Varta will present its broad product portfolio of microbatteries, which make a wide range of future-proof applications possible, at Computex in Taipei starting today. Varta’s microbattery product portfolio ranges from rechargeable lithium-ion button cells to nickel metal hydride button cells, primary silver oxide cells, primary lithium button cells and cylindrical lithium batteries to hydrogen gas… […]
  • Entegris opens Life Sciences Technology Center in Massachusetts
    Entegris (Nasdaq:ENTG) announced today that it opened a new Life Sciences Technology Center in Billerica, Massachusetts. The new Life Sciences Technology Center was built to offer life sciences customers the opportunity to leverage Entegris’ cold-chain supply expertise to optimize processes, reduce costs and increase speed to market. Get the full story at our sister site,… […]
  • MedAcuity hires SVP of business development
    Medtech software development firm MedAcuity today said it has hired Simon Johnson as SVP of business development. Westford, Massachusetts-based MedAcuity said Johnson previously built the client partner team and managed strategic clients at digital consultancy Mobiquity. He also served as SVP of client services at GreenPages Technologies, responsible for driving services revenue growth leading to… […]

Leave a Reply