The U.S. Food and Drug Administration (FDA) has issued guidance to medical device makers and hospitals that use their products to pay more attention to cyber security and the potential for cyber attacks on vulnerable medical instruments.
The FDA released its “Safety Communication for Cybersecurity for Medical Devices and Hospital Networks” on Thursday – the same day that the Department of Homeland Security’s ICS (Industrial Control System) CERT issued a warning about the discovery of hard-coded “back door” passwords in some 300 medical devices from 40 separate vendors, including drug infusion pumps, ventilators and patient monitoring systems.
The FDA said it expects device makers to “review their cybersecurity practices and policies to assure that appropriate safeguards are in place to prevent unauthorized access or modification to their medical devices or compromise of the security of the hospital network that may be connected to the device.” Hospitals were instructed to harden their networks by restricting access to networked medical devices and monitoring their networks for unusual or malicious behavior.
The warning, coupled with the ICS-CERT alert, is just the latest of many warnings about the vulnerability of medical devices, many of which are attached to hospital networks and remotely accessible from other points on the network – or even the public Internet. Writing on Thursday, ICS-CERT said that security researchers Billy Rios and Terry McCorkle, both of the security firm Cylance, identified hundreds of medical devices that were created with hard-coded (or permanent) administrative passwords that can be used to permit privileged access to the devices. Hard-coded administrative accounts are a common problem in industrial control systems and are often used to administer hardware that is deployed in remote locations. Because the passwords are common to all devices manufactured by a particular vendor and are rarely changed by (or even known to) customers, they present a huge security risk.
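To make the flaw ICS-CERT describes concrete, here is an added illustration (not code from the article or from any device vendor) of a fleet-wide hard-coded service credential beside a per-device, customer-rotatable alternative; the password literal, function names and policy thresholds are constructed placeholders.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed placeholder, not a real vendor credential.
VENDOR_BACKDOOR = "SERVICE-1234"


def vulnerable_authenticate(password: str) -> bool:
    """Anti-pattern: one credential baked into every unit's firmware.
    No customer can change or revoke it; anyone who learns it has
    privileged access to every device the vendor ever shipped."""
    return password == VENDOR_BACKDOOR


@dataclass
class DeviceCredential:
    salt: bytes
    digest: bytes
    must_rotate: bool  # True until the owner sets their own admin password


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def provision(initial_password: str) -> DeviceCredential:
    """Factory step: each unit gets its own salt and a commissioning password
    that must be replaced before the admin interface becomes usable."""
    salt = os.urandom(16)
    return DeviceCredential(salt, _derive(initial_password, salt), must_rotate=True)


def rotate(cred: DeviceCredential, current: str, new_password: str) -> bool:
    """Owner-driven change; constant-time compare avoids a timing side channel."""
    if not hmac.compare_digest(_derive(current, cred.salt), cred.digest):
        return False
    if len(new_password) < 12 or new_password == current:
        return False  # constructed minimum-length policy
    cred.salt = os.urandom(16)
    cred.digest = _derive(new_password, cred.salt)
    cred.must_rotate = False
    return True


def hardened_authenticate(cred: DeviceCredential, password: str) -> bool:
    """Privileged login is refused while the unit still carries its
    commissioning password, so an unchanged default never grants access."""
    if cred.must_rotate:
        return False
    return hmac.compare_digest(_derive(password, cred.salt), cred.digest)
```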
Earlier research by Rios and McCorkle revealed that medical devices share many of the same problems as industrial control devices. Speaking at the S4 Conference in Miami in January, the two presented an informal audit of medical devices from major manufacturers, including Philips, which showed that medical devices have many of the same kinds of software security holes found in industrial control system (ICS) software from the same firms. The researchers blame lax coding practices, which appear to be institutionalized within the firms, amplifying their effects.
ICS-CERT said it is currently coordinating with multiple vendors, the FDA, and the security researchers to identify specific mitigations across all devices. In the meantime, device manufacturers and healthcare facilities have been asked to try to minimize the risk of exploitation of this and other vulnerabilities by limiting access to networked medical devices to privileged users and adopting common-sense, layered network protections, including endpoint and network activity monitoring, firewall and antivirus software.