Unauthorised access to medical devices possible due to password vulnerability, warns US cyber security body

Out-Law News | 14 Jun 2013 | 4:00 pm | 1 min. read

Hundreds of medical devices could be accessed by hackers because of a password vulnerability, a US government agency has warned.

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) said that two US researchers had identified that approximately 300 medical devices, including patient monitors, ventilators, drug infusion pumps, surgical and anaesthesia devices, external defibrillators and laboratory and analysis equipment, contain weaknesses in password security.

ICS-CERT forms part of the US' Department for Homeland Security and conducts tests and analysis of security risks to US critical infrastructure. It said that vulnerability was identified in devices made by approximately 40 different manufacturers.

"The affected devices have hard-coded passwords that can be used to permit privileged access to devices such as passwords that would normally be used only by a service technician," ICS-CERT said in an alert it has issued. "In some devices, this access could allow critical settings or the device firmware to be modified."

"ICS-CERT and the FDA (US Food and Drug Administration) are not aware that this vulnerability has been exploited, nor are they aware of any patient injuries resulting from this potential cybersecurity vulnerability," it added.

ICS-CERT said both it and the FDA - a public health body responsible for regulating medical devices in the US - are working with manufacturers "to identify specific mitigations across all devices" thought to possess the vulnerability. It called on device manufactures, healthcare providers and users of the devices to "take proactive measures" to reduce the risk that security weaknesses in devices could be exploited.

The FDA has said that access to devices, particularly those that are "life-sustaining" or which can be "directly connected to hospital networks", should be limited to "trusted users". It called on passwords to be strengthened, such as by requiring biometric information as part of the user authentication process, and also called for security updates to be deployed on a "timely" basis in order to prevent the various components of devices from being exploited.

"The FDA typically does not need to review or approve medical device software changes made solely to strengthen cybersecurity," the ICS-CERT alert said.

Device manufacturers should also ensure that 'fail-safe modes' are built-in during the design stage to ensure that the "critical functionality" of devices can be maintained where the security of the product has been compromised, the FDA's recommendations said.

The FDA also called on hospitals to "evaluate [their] ... network security" and protect their systems, such as by restricting unauthorised access to their "network and networked medical devices". Among the other measures hospitals could take include monitoring for the unauthorised use of networks, conducting "routine and periodic" reviews on network components and updating security, and ensuring "appropriate antivirus software and firewalls are up-to-date", it said.