
Hacking: Password risk affects some 300 medical devices, says Homeland Security

July 5, 2013 By Arezu Sarvestani


The Dept. of Homeland Security warned last month that some 300 medical devices may be vulnerable to malicious hacking thanks to manufacturers’ hard-coded default passwords. Devices at risk include external defibrillators, infusion pumps, lab and analysis equipment, ventilators and more.

The devices in question have "hard-coded" passwords that allow high-level access to the machines, designed to be used by technicians servicing the devices. The passwords are built into the software and are generally universal among all units of a particular model.

The hard-coded passwords could be used to manipulate the machines, altering critical settings or modifying the device’s firmware, according to DHS’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT.

The agency learned of the vulnerabilities from a pair of software security experts, Billy Rios and Terry McCorkle of Cylance, who submitted a report demonstrating that the hard-coded passwords made the medical devices "remotely exploitable."

As usual, the federal agency noted that no medical device cyber-exploits have yet been reported in the real world; so far they have been limited to research settings. Nonetheless, the ICS-CERT is working with the FDA, medical device vendors and security researchers to mitigate the risk across all devices.

"Because of the critical and unique status that medical devices occupy, ICS-CERT has been working in close cooperation with the Food and Drug Administration in addressing these issues," according to the agency report. "ICS-CERT recommends that device manufacturers, healthcare facilities, and users of these devices take proactive measures to minimize the risk of exploitation of this and other vulnerabilities."

The agency said that it has been in communication with medtech vendors, asking them to confirm the password exploit in their devices and to identify ways to mitigate the risk.

"Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT and FDA for tracking and correlation against other incidents," the agency added.

Security researchers Rios and McCorkle have had brushes with medtech cybersecurity in the past. Earlier this year the duo demonstrated a hack on a Philips (NYSE:PHG) XPER medical management system, exploiting a security flaw to "own" the machine and remotely control and modify its settings. In an interview with MassDevice.com, the researchers explained how they had written 6 lines of rudimentary code to crash the hospital information system, take control and even use it as a gateway to access other devices operating on the same network.

Filed Under: News Well Tagged With: Cybersecurity, Cylance, Dept. of Homeland Security, Patient Safety
