Healthcare News & Insights

Warning: 300 medical devices vulnerable to attacks

Recently, observers have warned that medical devices may be open to IT security attacks. And now, the Department of Homeland Security has released a warning that roughly 300 devices may contain a serious vulnerability. 

Security researchers have recently demonstrated the possibility of IT security attacks targeting medical devices. For example:

  • At a conference in 2011, one security researcher demonstrated an attack that could change the settings of an insulin pump without the user’s knowledge. He also found a way an attacker could eavesdrop on transmissions from a glucose monitor.
  • The Department of Veterans Affairs conducted a study of malware infections and found 142 separate instances of malware affecting 207 medical devices between January 2009 and December 2011.
  • Researchers from Harvard Medical School, Beth Israel Deaconess Medical Center in Boston and the University of Massachusetts Amherst found that while the FDA keeps track of a lot of device problems, including labeling errors, battery problems and sterility issues, IT security problems are under-reported.

Hackers can access medical devices in order to steal data they contain or transmit, or to use devices as a back door into a hospital’s wider network.

Unfortunately, attacks such as those may not be that difficult, according to a recent alert published by the DHS’s Cyber Emergency Response Team.

Roughly 300 devices from 40 vendors may contain a password vulnerability, according to researchers from security firm Cylance. The affected devices contain a feature that allows access to the device’s firmware through a so-called “backdoor password” that is typically known only to the vendor. However, if unauthorized people somehow got hold of one of those passwords, they could use it to change settings or find data.

The equipment that might be vulnerable includes surgical and anesthesia devices, ventilators, defibrillators, patient monitors, and laboratory and analysis equipment.

What hospitals can do now

The researchers said they’ve notified vendors to confirm the vulnerabilities exist and to work on solutions. In the meantime, the alert recommends healthcare providers:

  • Restrict unauthorized access to the network and networked medical devices
  • Make sure firewalls and antivirus programs are up to date
  • Monitor networks for suspicious or unauthorized activity
  • Conduct periodic security audits and make sure all software and device firmware is patched and up to date, and
  • Notify vendors if a possible security problem is found with a device.
