Medical Device Vulnerability Alert Issued

Homeland Security Warns of Password Problems

June 20, 2013

Two researchers recently uncovered password vulnerabilities related to the firmware of about 300 medical devices, prompting the Department of Homeland Security to issue on June 13 an advisory to device manufacturers, healthcare facilities and users.


That same day, the Food and Drug Administration issued draft guidance and a safety communication regarding medical device cybersecurity issues (see: FDA Drafts Medical Device Security Guide).

Password woes could raise serious patient safety issues by allowing unauthorized users to tamper with the devices, including potentially changing settings to, for example, increase a drug dose.

The advisory issued by DHS' Industrial Control Systems-Cyber Emergency Response Team, or ICS-CERT, states that the vulnerabilities uncovered by the researchers "could be exploited to potentially change critical settings and/or modify device firmware. Because of the critical and unique status that medical devices occupy, ICS-CERT has been working in close cooperation with the FDA in addressing these issues."

The Department of Homeland Security is responsible for coordinating the federal government's response to significant cybersecurity incidents affecting critical infrastructure. As part of that mission, ICS-CERT works with researchers and vendors "to encourage coordinated disclosures ... of software and hardware vulnerabilities - including medical devices - discovered in control systems through the course of analysis," a DHS spokesman says.

The advisory says ICS-CERT and the FDA have notified the affected vendors of the report and have asked them to confirm the vulnerability and identify specific mitigations. ICS-CERT and the FDA will follow up with specific advisories and information as appropriate, according to the alert.

The FDA draft guidance recommends device manufacturers document their risk analysis of cybersecurity threats and vulnerabilities as well as ways to mitigate those risks, such as through encryption. In addition, the FDA safety communication reminds healthcare providers to be on the lookout for cybersecurity issues and take steps such as updating their anti-malware software and applying operating system patches to protect their environments from risks presented by medical devices.

Password Risks

The two researchers who uncovered the medical device password vulnerabilities, Billy Rios and Terry McCorkle, are technical directors at Cylance, a security vendor.

Rios and McCorkle, who have been independently investigating security issues on computing devices for a few years, earlier this year began a project that led them to discover password vulnerabilities in the firmware of about 300 medical devices from more than three dozen manufacturers, Rios tells HealthcareInfoSecurity.

The password vulnerabilities leave the medical devices susceptible to tampering and modifications that can put patients in danger, he says. Generally, the only people with access to hardcoded passwords for medical device firmware are the vendors' service technicians.

"We found ... that backdoor passwords on these medical devices that are supposed to be only known by the vendors can be exploited," allowing unauthorized users to gain access to the devices' firmware, Rios says, declining to provide further details.

The researchers were able to exploit the backdoor passwords on a variety of devices, including defibrillators, mammography equipment, infant incubators, ventilators, lab equipment, infusion devices and patient monitors, Rios says.

"People view these products as magical devices, but they're really just computers," he says. "These products need to be updated, to be recalibrated." And the firmware passwords are generally only known to vendors' service technicians who make those adjustments, he adds.

"However, it's been common and accepted in healthcare that anyone who knows the passwords can get in [to the firmware]," Rios says. "That means an unauthorized or non-technical person can get into a medical device and reprogram the device to do whatever they want; you'd never be able to detect it." That could range from reprogramming a device to deliver a dangerous dose of drugs or radiation to a patient to having the device produce inaccurate readings, he says.

Follow Marianne Kolbasuk McGee on Twitter: @HealthInfoSec
