June 14, 2013
Medical Devices Could Face Cyber Threats, Warns FDA
Michael Harper for redOrbit.com — Your Universe Online
The conversation about cyber security has largely focused on protecting national security and the private sector. Without proper preventive measures in place, hackers, spies and terrorists could inflict great harm upon our businesses and critical infrastructures. Now the FDA is trying to bring medical device makers into the conversation, asking them to upgrade their devices and systems to prevent dangerous attacks against the nation's medical centers.
"Over the past year, we've become increasingly aware of cyber security vulnerabilities in incidents that have been reported to us," William Maisel, the deputy director for science with the FDA's Center for Devices and Radiological Health, said in an interview with Reuters.
"Hundreds of medical devices have been affected, involving dozens of manufacturers." Maisel even said the FDA has found many reports of medical devices that have been infected with malware.
One of the groups sending in vulnerability reports to the FDA was able to find passwords for medical equipment, including anesthesia and surgical equipment and even patient monitors. Security analysts Billy Rios and Terry McCorkle set out to test the strength of this medical equipment and reported having an easier time cracking these codes than they should have.
In a statement to the Washington Post, Rios explained: “We stopped after we got to 300.”
Rios and McCorkle may have been able to crack hundreds of passwords, but Maisel believes the malware infections on devices may be unintentional, the result of a vulnerable infrastructure and weak security practices.
If one health official happens to bring in a computer virus from home via a thumb drive, or visits an infected website, this malware can spread quickly throughout the medical center's network. Once there, it's not difficult for it to spread into individual devices.
“There's almost no medical device that doesn't have a network jack on the back,” said John Halamka, chief information officer at Beth Israel Deaconess Medical Center in Boston, speaking to the Washington Post.
“To fight the evils of the Internet, not only do you have to have a moat, you have to have a drawbridge, burning oil to pour on attackers, and guys with arrows,” he said.
Passwords can be a major first step in locking down these critical networks and sensitive devices.
According to Rios, many of the devices he and McCorkle were able to hack into were only protected with default passwords, making the task of cracking these codes too easy for the security analysts. A motivated hacker, said Rios, could do some serious damage on such an unsecured system.
"Somebody could take over the device and make it do whatever they want it to do and it would be almost impossible for hospital staff to know that it had been tampered with," said Rios.
The FDA admitted on Thursday they were not aware of any patient deaths or injuries as a result of cyber security breaches, yet as wireless and Internet technology becomes more prevalent in hospitals, the FDA is asking device makers to begin reviewing their cyber security practices and begin using safeguards when designing their products.