Password Vulnerabilities in Medical Devices

A recent alert from the Department of Homeland Security warns that approximately 300 medical devices from 40 different vendors contain hard-coded passwords.  Billy Rios and Terry McCorkle, technical directors and researchers at security vendor Cylance, discovered the “backdoor passwords” in devices such as patient monitors, ventilators, defibrillators, infant incubators, and lab equipment.  Some of the devices can be interfaced with EMR software such as Lytec MD or Medisoft Clinical.

Patient safety could be seriously jeopardized by the vulnerable passwords, which “could be exploited to potentially change critical settings and/or modify device firmware.  Because of the critical and unique status that medical devices occupy, ICS-CERT (DHS’ Industrial Control Systems-Cyber Emergency Response Team) has been working in close cooperation with the FDA in addressing these issues.”  Coincidentally, the Food and Drug Administration released its own safety communication and draft guidance regarding medical device cybersecurity on the same day that DHS’ ICS-ALERT-13-164-01 was issued.

Rios noted that anyone with access to the hard-coded passwords “can get into a medical device and reprogram the device to do whatever they want; you’d never be able to detect it at all.”  Some of the devices can even be exploited remotely.  Drug or radiation doses could be altered, or false readings could be produced, potentially putting patients in harm’s way.  Rios and McCorkle obtained some medical devices for testing, and provided the “backdoor passwords” to the DHS, along with the names of the medical devices and their vendors.  Those vendors, who have not been named by the researchers or the DHS, have been notified of the vulnerabilities.

The researchers advocate a firmware signing requirement, such as a digital signature, to allow “only logic approved by the medical device maker to run on the device” without preventing OS updates and antimalware from being applied by healthcare and IT professionals.  They recommend that the FDA implement such a requirement for medical devices approved from 2014 on, conceding that legacy devices in use now cannot have firmware signing added easily, if at all.  ICS-CERT “reminds healthcare facilities to perform proper impact analysis and risk assessment prior to taking defensive and protective measures” and also “recommends that device manufacturers, healthcare facilities, and users of these devices take proactive measures to minimize the risk of exploitation of this and other vulnerabilities.”  The FDA’s draft guidance recommends limiting device access via security controls like user authentication, card readers, and physical locks, as well as using design approaches that maintain a device’s critical functionality and provide methods for recovery even after security is compromised.  It also suggests that healthcare facilities monitor their networks for unauthorized use and restrict such unauthorized access, and maintain the integrity and security of the network.  Managed IT services from Microwize Technology can take this weight off of your shoulders, letting certified professionals deal with keeping your network safe.
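
The firmware-signing requirement the researchers advocate can be sketched as follows. This is an added example, not code from the alert, the researchers, or any device vendor. It assumes RSA PKCS#1 v1.5 signatures over SHA-256, and the key, image contents, and function names are constructed for illustration.

```python
import hashlib

# CONSTRUCTED demo key built from two Mersenne primes, so no key generation is
# needed here. Its factors are public knowledge: never use it outside this example.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
VENDOR_N = P * Q                             # public modulus, stored on the device
_VENDOR_D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, never leaves the vendor
K = (VENDOR_N.bit_length() + 7) // 8         # modulus length in bytes

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def _encode(image: bytes) -> bytes:
    """EMSA-PKCS1-v1_5 block: 00 01 FF..FF 00 || DigestInfo(SHA-256(image))."""
    t = SHA256_PREFIX + hashlib.sha256(image).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def vendor_sign(image: bytes) -> bytes:
    """Vendor build system (hypothetical name): sign the release image."""
    m = int.from_bytes(_encode(image), "big")
    return pow(m, _VENDOR_D, VENDOR_N).to_bytes(K, "big")


def device_accepts(image: bytes, signature: bytes) -> bool:
    """Device update path (hypothetical name): install only if the signature
    verifies against the vendor public key. No password is consulted, so
    knowing a service password does not make a modified image installable."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= VENDOR_N:
        return False
    recovered = pow(s, E, VENDOR_N).to_bytes(K, "big")
    # Rebuild the expected block and compare whole, rather than parsing padding.
    return recovered == _encode(image)


if __name__ == "__main__":
    release = b"constructed firmware image v1.0"       # constructed sample input
    sig = vendor_sign(release)
    modified = release.replace(b"v1.0", b"v6.6")       # image altered after signing
    print("vendor image accepted:", device_accepts(release, sig))
    print("modified image accepted:", device_accepts(modified, sig))
```

A production device would use a key of at least 2048 bits generated and held in the vendor's signing infrastructure, with only the public half shipped on the device.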