Two researchers recently uncovered password vulnerabilities related to the firmware of about 300 medical devices, prompting the Department of Homeland Security to issue on June 13 an advisory to device manufacturers, healthcare facilities and users.
See Also: Don't Be The Next OPM: Recognizing Risk
That same day, the Food and Drug Administration issued draft guidance and a safety communication regarding medical device cybersecurity issues (see: FDA Drafts Medical Device Security Guide.
Password woes could raise serious patient safety issues by allowing unauthorized users to tamper with the devices, including potentially changing settings to, for example, increase a drug dose.
The advisory issued by DHS' Industrial Control Systems-Cyber Emergency Response Team, or ICS-CERT, states that the vulnerabilities uncovered by the researchers "could be exploited to potentially change critical settings and/or modify device firmware. Because of the critical and unique status that medical devices occupy, ICS-CERT has been working in close cooperation with the FDA in addressing these issues."
The Department of Homeland Security is responsible for coordinating the federal government's response to significant cybersecurity incidents affecting critical infrastructure. As part of that mission, ICS-CERT works with researchers and vendors "to encourage coordinated disclosures ... of software and hardware vulnerabilities - including medical devices - discovered in control systems through the course of analysis," a DHS spokesman says.
The advisory says ICS-CERT and the FDA have notified the affected vendors of the report and have asked them to confirm the vulnerability and identify specific mitigations. ICS-CERT and the FDA will follow up with specific advisories and information as appropriate, according to the alert.
The FDA draft guidance recommends device manufacturers document their risk analysis of cybersecurity threats and vulnerabilities as well as ways to mitigate those risks, such as through encryption. In addition, the FDA safety communication reminds healthcare providers to be on the lookout for cybersecurity issues and take steps such as updating their anti-malware software and applying operating system patches to protect their environments from risks presented by medical devices.
The two researchers - Billy Rios and Terry McCorkle - who uncovered the medical device password vulnerabilities are technical directors at Cyclance, a security vendor.
Rios and McCorkle, who have been independently investigating security issues on computing devices for a few years, earlier this year began a project that led them to discovering password vulnerabilities in the firmware of about 300 medical devices from more than three dozen manufacturers, Rios tells HealthcareInfoSecurity.
The password vulnerabilities leave the medical devices susceptible to tampering and modifications that can put patients in danger, he says. Generally, the only people with access to hardcoded passwords for medical device firmware are the vendors' service technicians.
"We found ... that backdoor passwords on these medical devices that are supposed to be only known by the vendors can be exploited," allowing unauthorized users to gain access to the devices' firmware, Rios says, declining to provide further details.
The researchers were able to exploit the backdoor passwords on a variety of devices, including defibrillators, mammography equipment, infant incubators, ventilators, lab equipment, infusion devices and patient monitors, Rios says.
"People view these products as magical devices, but they're really just computers," he says. "These products need to be updated, to be recalibrated." And the firmware passwords are generally only known to vendors' service technicians who make those adjustments, he adds.
"However, it's been common and accepted in healthcare that anyone who knows the passwords can get in [to the firmware]," Rios says. "That means an unauthorized or non-technical person can get into a medical device and reprogram the device to do whatever they want; you'd never be able to detect it." That could range from reprogramming a device to deliver a dangerous dose of drugs or radiation to a patient to having the device produce inaccurate readings, he says.
The two researchers in April delivered to DHS a spreadsheet with "300 backdoor passwords" for medical devices along with the vendor names, Rios says. "DHS immediately followed up," including coordinating with the FDA and contacting the vendors, he says, declining to name the vendors or products.
The duo conducted their testing using a few medical devices they were able to obtain from various sources. They tried "a variety of methods" to exploit the firmware passwords, "and once we figured out a methodology, it's a matter of scaling up" to exploit the passwords of a range of other devices, Rios says.
The two researchers are advocating that medical devices approved by the FDA in 2014 have a "firmware signing requirement" that would allow "only [programming] logic approved by the medical device maker to run on the device," Rios says.
A firmware signing requirement, such as a digital signature required for programming modifications to firmware, "is a cheap and easily verifiable" move to protect medical devices against hackers, malicious technicians or other users who can "easily" tamper with the devices through backdoor passwords, the researcher says. "Even $199 Nintendo [game consoles] have firmware signing requirements," he says. The signing requirements would still allow healthcare organizations to apply OS patches and anti-malware software to the medical devices as needed, he says.
The problem with adding a firmware signing requirement to medical devices is that "there are lots of legacy devices out there - that's the issue," Rios says. That's why the researchers suggest the FDA institute the requirement for medical devices approved in 2014 and beyond.
In its draft guidance, FDA states, "Manufacturers should consider cybersecurity during the design phase of the medical device, as this can result in more robust and efficient mitigation of cybersecurity risks."
The separate safety communication issued on June 13 by the FDA alerted healthcare providers to be vigilant in identifying and mitigating cybersecurity risks to medical devices.
In its own advisory, ICS-CERT "reminds healthcare facilities to perform proper impact analysis and risk assessment prior to taking defensive and protective measures" against cybersecurity threats, including those involving medical devices.
The recently released draft guidance and related alerts about medical device cybersecurity are steps in the right direction, but won't likely result in big changes right away, says Dale Nordenberg, M.D., executive director the of Medical Device Innovation, Safety and Security Consortium.
That's because many healthcare organizations aren't willing to apply OS patches or anti-viral software to medical devices without the approval of the medical device vendors because of fears about liability if something goes wrong, Nordenberg says. At the same time, the medical device makers often can't keep up with testing OS patches on their devices, he adds.
"Guidance alone may be a call to action, but the market can really accelerate best security practices for medical devices," Nordenberg says.
In another step aimed at improving the tracking of safety and security issues involving medical devices, the FDA has submitted its final rule for a unique identifier system for medical devices to the Office of Management and Budget for review (see: Medical Device ID Proposal Unveiled).
"Like all of our other post-market surveillance efforts, I expect UDI will help to identify signals and trends with cybersecurity issues," says Jay Crowley, FDA senior advisor for patient safety.
"I expect UDI will make it easier for healthcare providers and hospitals to report suspected cybersecurity problems to medical device makers and the FDA."