Medical Equipment Highly Vulnerable to Intruders
Patients using medical gear such as pacemakers, heart defibrillators and insulin dispensers could become moving targets for cyber-criminals, according to a federal note issued by the US Department of Homeland Security.
Modern medical devices are miniaturized versions of their predecessors and support wireless programming and control, which minimizes maintenance that would otherwise require cables sticking out of the patient’s body. However, these devices often ship with hard-coded login credentials and could be accessed and controlled remotely by unscrupulous individuals near the patient.
The issue was discovered by researchers Billy Rios and Terry McCorkle of Cylance and reportedly affects 300 medical devices manufactured by 40 medical equipment vendors.
“The FDA is recommending that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack, which could be initiated by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks,” reads a similar note issued yesterday by the Food and Drug Administration.
Implanted medical devices have been around for decades and never posed a real threat to the patient until wireless technologies gained traction. These vulnerabilities became known in 2008, but most vendors still haven’t implemented secure authentication, preferring to keep the devices as simple as possible.