Password problems plague plethora of med devices

Roughly 300 medical devices from 40 vendors were found to have password vulnerability problems, according to an alert recently issued by the Department of Homeland Security.

The vulnerabilities, GovInfoSecurity reported, were discovered by a pair of researchers working for Irvine, Calif.-based security vendor Cyclance. One of those researchers--Billy Rios--told GovInfoSecurity that that he and his colleague found the vulnerabilities in "backdoor passwords" typically only known to vendors.

"[I]t's been common and accepted in healthcare that anyone who knows the passwords can get in [to the firmware]," Rios told GovInfoSecurity. "That means an unauthorized or non-technical person can get into a medical device and reprogram the device to do whatever they want; you'd never be able to detect it at all."

On the same day the alert was issued, the U.S. Food and Drug Administration published guidance calling for developers and healthcare facilities to beef up security efforts while creating and using medical devices. A Government Accountability Office report published last summer called on FDA to pay more attention to the information security risks for implantable electronic medical devices such as heart defibrillators and insulin pumps.

Rios, according to GovInfoSecurity, recommended that all medical devices approved by the FDA starting next year have a "firmware signing requirement" in place to ensure that only the device makers themselves could alter programming logic.

To learn more:
- here's the alert
- read the GovInfoSecurity article

Suggested Articles

Nearly 10,000 patients involved in research studies were impacted by a third-party privacy breach that may have exposed their medical diagnoses, test results…

Veterans Health Administration medical facilities currently have a paper medical record backlog that if stacked up would be 5.15 miles high, according to the…

The Department of Health and Human Services announced proposed changes to privacy restrictions on patients' substance use treatment records.