MassDevice

The Medical Device Business Journal — Medical Device News & Articles | MassDevice

Home » Hacking: Password risk affects some 300 medical devices, says Homeland Security

Hacking: Password risk affects some 300 medical devices, says Homeland Security

By

medical device hacking

The Dept. of Homeland Security warned last month that some 300 medical devices may be vulnerable to malicious hacking thanks to manufacturers’ hard-coded default passwords. Devices at risk include external defibrillators, infusion pumps, lab and analysis equipment, ventilators and more.

The devices in question have "hard-coded" passwords that allow high-level access to the machines, designed to be used by technicians servicing the devices. The passwords are built into the software and are generally universal among all units of a particular model.

The hard-coded passwords could be used to manipulate the machines, altering critical settings or modifying the device’s firmware, according DOH’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT.

The agency learned of the vulnerabilities from a pair of software security experts, Billy Rios and Terry McCorkle of Cylance, who submitted a report demonstrating that the hard-coded passwords made the medical devices "remotely exploitable."

As usual, the federal agency noted that no medical device cyber-exploits have yet been reported in the real-world, so far limited to research settings. Nonetheless, the ICS-CERT is working with the FDA, medical device vendors and security researchers to mitigate the risk across all devices.

"Because of the critical and unique status that medical devices occupy, ICS-CERT has been working in close cooperation with the Food and Drug Administration in addressing these issues," according to the agency report. "ICS-CERT recommends that device manufacturers, healthcare facilities, and users of these devices take proactive measures to minimize the risk of exploitation of this and other vulnerabilities."

The agency said that it has been in communication with medtech vendors, asking them to confirm the password exploit in their devices and to identify ways to mitigate the risk.

"Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT and FDA for tracking and correlation against other incidents," the agency added.

Security researchers Rios and McCorkle have had brushes with medtech cybersecurity in the past. Earlier this year the duo demonstrated a hack on a a Philips(NYSE:PHG) XPER medical management system, exploiting a security flaw to "own" the machine and remotely control and modify its settings. In an interview with MassDevice.com the researchers explained how they had written 6 lines of rudimentary code to crash the hospital information system, take control and even use it as a gateway to access other devices operating on the same network.

In case you missed it

RSS From Medical Design & Outsourcing

  • These medtech stocks performed the best in 2020
    While 2020 did not go as planned for anyone, with the twists and turns came opportunities for medtech companies to power forward. Innovations came both as a result of the COVID-19 pandemic and perhaps in spite of the challenges brought on by the virus, highlighted by the increased efforts to produce vaccines and testing while… […]
  • Covestro tests plastics against high-strength hospital disinfectants
    Covestro announced that it recently teamed with disinfectant manufacturer Metrex to test six different Covestro polycarbonate materials against three of Metrex’s products, which are widely used throughout the healthcare industry. As is customary for rapidly assessing the compatibility of plastics to disinfectants, test specimens were pre-strained and underwent several wipe-and-dry cycles with Metrex disinfectants to… […]
  • Integer expands N.Y. battery plant
    Integer announced today that it recently broke ground on an expansion of its Alden, N.Y., facility to accommodate new equipment that will substantially increase the plant’s production capacity for rechargeable Xcellion lithium-ion batteries. The project kicked off in mid-December 2020 and will add both production equipment and a build-out of Integer’s existing facility. The company… […]
  • Diversified Plastics adds high-efficiency vertical presses
    Diversified Plastics (DPI) announced that it recently installed six all-electric vertical injection molding presses. These presses will join DPI’s existing assemblage of vertical presses and provide increased production capacity to meet growing demand from medical device and other original equipment manufacturers (OEMs). DPI uses vertical presses for over-molding and insert-molding, capabilities often required for medical… […]
  • Traco Power expands power supply line for portable medical equipment
    Traco Power announced that it has expanded its TPP 450 high-density 3×5 power supply series. The series now offers Protection Class II models (TPP 450BA-M Open-Frame Models and TPP 450B-M Enclosed with Fan Models), designed for non-stationary requirements where connection to ground is not possible. Key approvals on the original series remain on the expanded… […]
  • Reflow Medical launches low-profile reinforced support catheters
    Reflow Medical today announced it has launched its Reflow Spex Low Profile reinforced support catheters. The Spex LP catheters are designed to provide the lowest profile tip to access and cross the tightest and most complex lesions with a supportive system. They come in 0.014 in. and 0.018 in. sizes and can be combined with… […]
  • Former CDER head Woodcock to lead FDA for now
    FDA veteran Dr. Janet Woodcock has been tapped as interim FDA commissioner by the Biden administration, according to published reports. An article by BioCentury also said that former FDA commissioner David Kessler, who had been mentioned as a possible replacement for current commissioner Stephen Hahn, will be a consultant to the agency but will not… […]
  • What’s next for the FDA and for Stephen Hahn?
    Outgoing FDA commissioner Stephen Hahn says he needs some time to reflect on his future after leading the FDA for a little over a year. It’s hard to blame him. Hahn’s brief tenure at FDA has been rocky, to say the least. (News of his temporary replacement broke on Thursday, when the incoming Biden administration… […]
  • Medicare to cover breakthrough devices
    FDA-designated breakthrough devices will have Medicare coverage the same day they are approved, under a final rule issued this week by the Centers for Medicare and Medicaid Services (CMS). The Medicare Coverage of Innovative Technology (MCIT) rule will provide national Medicare coverage as early as the same day as FDA market authorization for breakthrough devices… […]
  • FDA debuts plan for AI-based Software as a Medical Device
    The FDA today released its first plan to regulate artificial intelligence/machine learning (AI/ML)-based Software as a Medical Device (SaMD). The plan is a response to feedback received from the agency’s April 2019 discussion paper, “Proposed Regulatory Framework for Modifications to Artificial Intelligence/Machine Learning-Based Software as a Medical Device.” It outlines five actions that the FDA… […]
  • EU allows remote audits for medical devices during pandemic
    The European Union has announced that it will temporarily allow remote audits of medical devices and in vitro diagnostics under the new regulations (MDR IVDR), set to go into effect on May 2021 and 2022 respectively. In a document published Monday, the European Commission agreed with industry and notified bodies that the ongoing COVID-19 pandemic… […]

Leave a Reply