Trove of medical devices found to have password problems

Summary: Surgical devices, ventilators, defibrillators, and monitors are among the equipment at risk.


Up to 300 different medical devices from 40 vendors have been identified as vulnerable to a hard-coded password issue, and two government agencies are working to get the word out and protect against exploits.

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) at the Department of Homeland Security and the Food and Drug Administration (FDA) are warning that the vulnerability could allow attackers to change critical settings and modify firmware.

ICS-CERT said two researchers from cybersecurity vendor Cylance — Billy Rios and Terry McCorkle — first reported the vulnerability that affects medical devices with configurable embedded computer systems. Those devices include surgical and anesthesia devices, ventilators, drug infusion pumps, external defibrillators, patient monitors, and laboratory and analysis equipment.

The manufacturers, while not identified, have been notified of the problems and are being asked to confirm vulnerabilities and investigate patches.

ICS-CERT and the FDA are also concerned that the vulnerabilities can act as a launch pad if the devices are networked, including via the internet and with smartphones. The FDA gave specific examples such as networked medical devices infected with malware, targeted mobile wireless devices where malware could ferret out implanted patient devices or patient data, and password theft that could eventually provide hackers with privileged access.

The FDA has also published recommendations to prevent unauthorized access to, or modification of, devices. Those include: limiting access to trusted users via user authentication, biometrics, or smart cards rather than hard-coded passwords; protecting devices by keeping security patches current; and setting up processes to recover device functionality even after an exploit.
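As an added illustration of the first FDA recommendation (this is not code from the article or from any device vendor), the weak pattern sits beside a hardened one: a single service password compiled into every unit, versus a credential generated per device at commissioning, stored only as a salted hash, and verified in constant time with a lockout after repeated failures. The `DeviceAuth` class and the placeholder password value are constructed for this example.

```python
import hashlib
import hmac
import os
import secrets

# Weak pattern: one password compiled into the firmware of every unit.
# Constructed placeholder value, not a real vendor credential.
HARDCODED_SERVICE_PASSWORD = "service123"


def weak_login(password: str) -> bool:
    # Whoever recovers this string from one firmware image can log in to every device.
    return password == HARDCODED_SERVICE_PASSWORD


# Hardened pattern: per-device credential, kept only as a salted PBKDF2 hash,
# compared in constant time, with a lockout so guessing cannot run unbounded.
class DeviceAuth:
    ITERATIONS = 100_000
    MAX_FAILURES = 5

    def __init__(self) -> None:
        self.salt = os.urandom(16)   # unique per unit; stored beside the hash
        self.hash = None             # set at commissioning, never the plaintext
        self.failures = 0

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, self.ITERATIONS)

    def provision(self) -> str:
        """Generate a unique password when the device is commissioned; return it once."""
        password = secrets.token_urlsafe(12)
        self.hash = self._derive(password)
        return password

    def is_locked(self) -> bool:
        return self.failures >= self.MAX_FAILURES

    def login(self, password: str) -> bool:
        # Refuse if the device was never provisioned or is locked out.
        if self.hash is None or self.is_locked():
            return False
        ok = hmac.compare_digest(self._derive(password), self.hash)
        self.failures = 0 if ok else self.failures + 1
        return ok
```

Because each unit has its own salt and credential, a password recovered from one device is useless against another, which is exactly the property the hard-coded design lacks.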

In addition, the FDA said healthcare facilities should also take precautions such as restricting access to networks, checking for updates on anti-virus and firewall systems, and monitoring network activity.

No exploits of the vulnerabilities are known, according to the agencies.



John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.



  • Talk about paranoid!

    C'mon! Yes, I can see restricting access to hospital in-house networks. I work for a company whose clients all are hospitals and we see on a daily basis GROSS incompetence in routine business practices. Those are mainly because hospitals pay non-medical personnel so low, provide grossly inadequate training and overload them with so much work that things routinely "fall through the cracks" or are simply ignored because "That was LAST week. I'M concerned with NOW."

    REALISTICALLY! ... Hackers are going to attack MEDICAL EQUIPMENT? Get real!
    • It's not paranoia

      It's not paranoia. There was a case a few years back in an LA hospital where an employee accessed patient records for famous people, including then California First Lady Maria Shriver. Then it was done by a hospital employee who was later fired and charged; with the vulnerabilities, a person could simply hack in, bypassing any need for employees. A second, even scarier possibility is terrorism. They mentioned in the article that anesthesia devices and ventilators along with patient monitors were all vulnerable. Before you dismiss terrorism just because it wouldn't be a high profile "shock and awe" type event like 9/11, imagine terrorists hacking into hospitals in big cities and causing the equipment to kill the patients by shutting down a ventilator and hiding it from the patient monitor. How safe would you feel if your local hospital couldn't give even a relative guarantee for your safety from an attack?
  • Yep, much ado about nothing!

    Sheesh! Yep, Rick's right on! This is merely dweebs with nothing better to do than gin up solutions to non-existent problems. Having worked over three decades in the medical tech-rich environment, I have yet to hear of one breach of both hospital security and equipment security access that was not an inside job. An employee who already has access doesn't count. All this will do is add unneeded costs to an over-burdened medical system. Moreover, very few pieces of equipment are designed to be operated remotely. Those that are must have local, on-site approval. It would be nice if people knew a little more about that which they comment on.
    • Seriously?

      I hope you spend more time staying abreast of medical advances than you do keeping up with the reality of data breaches.

      Scroll down on this page and see what life is really like:
    • Just because it's never happened before (at least so you say)...

      ...doesn't mean it won't. We have seen Microsoft and many others crucified in the press for things a lot less serious than this, i.e. where no one's life is at risk.

      Three decades ago, or even a couple of years ago, devices were not networked the way they are now. And my experience with medical professionals is that security is an afterthought at best and at worst, something they actively work to get around. Like the Docs at a local hospital that had plugged in their own little wireless router, with not even WEP turned on, because they were ticked at the security measures the hospital had on its wifi and wanted an easier way to connect their iPads. Of course the hospital's IT was at fault too because they should have detected and prevented this. But security in hospitals is a joke.

      A terrorist's whole purpose is to break public confidence in its government and public institutions. If there were one...repeat, just one...instance of a hospital being attacked and someone being killed, it could, and probably would, cause a nationwide panic and lingering distrust of hospitals (as if we needed more reasons). So all it would take is one success on the part of terrorists.
  • right...

    So the next time you have a heart monitor/defibrillator kill you because something starts playing around with it you won't mind.

    The next time your pill prescription gets mixed up you won't mind.

    The next time your blood test comes back claiming you have AIDS you won't mind.

    The next time your insulin pump kills you then you won't mind.

    • " won't mind"

      Well, yeah. I'm pretty sure that if her defibrillator or insulin pump kills her, she won't mind at all.
  • RE: Tablets

    Somebody forgot to tell 2/3 of the people about the "post PC" era. People that have tablets are more wealthy; in other words, tablets are a nice luxury to have.

    Somebody forgot to tell Ford customers "touch" is the wave of the future. Ford dropped touch because it was so unpopular. The lesson learned, for those who want to receive it, is not that touch stinks or has no future but that touch just for the sake of touch will be rejected.
  • Remember COMA?

    If the same hackers have access to medical records (including results of transplant tissue compatibility tests) and to hospital equipment, and someone needing a transplant has big bucks to pay for a donor, there could be a "random" death on life support just when that wealthy patient needs an organ. There is an ad on TV right now about networking of patient records and hospital machines, in which a man in "secret service" attire, and multiple clones of him, are shown in a hospital, while his voice over talks about how much better medical care can be with that company's software (assuming it is working right). The thought that such powerful software might be HIJACKED by someone who is NOT an "agent for good" makes that ad even more creepy!

    And don't forget HAL 9000 in the movie 2001.
  • hacking medical devices - quite possible means to assassination

    I don't think this is paranoia. I think a person can be hurt in an arranged accident, caused to go to a hospital, and then killed without it seeming like a murder.

    My continuous blood glucose monitor transmits to my insulin pump. My pump can communicate to my blood glucose meter. My meter connects to my computer. So far, these are all upstream information uploads. The next generation may be different.