Roughly 300 medical devices from 40 vendors were found to have password vulnerabilities, according to an alert recently issued by the Department of Homeland Security.
The vulnerabilities, GovInfoSecurity reported, were discovered by a pair of researchers working for Irvine, Calif.-based security vendor Cylance. One of those researchers--Billy Rios--told GovInfoSecurity that he and his colleague found the vulnerabilities in "backdoor passwords" typically only known to vendors.
"[I]t's been common and accepted in healthcare that anyone who knows the passwords can get in [to the firmware]," Rios told GovInfoSecurity. "That means an unauthorized or non-technical person can get into a medical device and reprogram the device to do whatever they want; you'd never be able to detect it at all."
On the same day the alert was issued, the U.S. Food and Drug Administration published guidance calling for developers and healthcare facilities to beef up security efforts while creating and using medical devices. A Government Accountability Office report published last summer called on FDA to pay more attention to the information security risks for implantable electronic medical devices such as heart defibrillators and insulin pumps.
Rios, according to GovInfoSecurity, recommended that all medical devices approved by the FDA starting next year have a "firmware signing requirement" in place to ensure that only the device makers themselves could alter programming logic.