Approximately 300 different surgical and anesthesia devices, ventilators, drug infusion pumps, external defibrillators, patient monitors, and laboratory and analysis equipment have been found to have hard-coded passwords – a fact that can be taken advantage of by malicious actors to change devices’ critical settings or even modify their firmware.
ICS-CERT and the U.S. Food and Drug Administration (FDA) have made the discovery of this vulnerability public. Both issued alerts, but said there is no indication that such attacks have already been spotted in the wild.
They have, understandably, not shared the names of the manufacturers and the devices that have been found to be affected by the flaw.
“ICS-CERT and the FDA have notified the affected vendors of the report and have asked the vendors to confirm the vulnerability and identify specific mitigations,” confirmed ICS-CERT, adding that both organizations will follow up with specific advisories and information as appropriate.
In the meantime, health care facilities have been urged to evaluate their network security and protect their hospital systems by restricting unauthorized access to the network and networked medical devices, keeping antivirus software and firewalls up to date, monitoring network activity for unauthorized use, protecting individual network components through routine and periodic evaluation, developing and evaluating strategies to maintain critical functionality during adverse conditions, and contacting the specific device manufacturer if they think they may have a cybersecurity problem related to a medical device.
“Many medical devices contain configurable embedded computer systems that can be vulnerable to cybersecurity breaches. In addition, as medical devices are increasingly interconnected, via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of cybersecurity breaches, which could affect how a medical device operates,” pointed out the FDA.