On June 13, 2013, ICS-CERT of the U.S. Department of Homeland Security issued an alert (ICS-13-164-01) on hard-coded password vulnerabilities affecting about three hundred medical devices, including ventilators, drug infusion pumps, external defibrillators, patient monitors, and surgical and anesthesia devices. In this alert, ICS-CERT reported working with medical device vendors, the U.S. Food and Drug Administration (“FDA”), and security researchers to identify specific mitigations. That same day, the FDA also published, in an FDA Safety Communication, recommendations and best practices to help prevent unauthorized access to or modification of such medical devices.
On June 10, 2015, ICS-CERT issued an advisory (ICSA-15-125-01B) for certain versions of an infusion system. Vulnerabilities found in the affected versions of the device include hard-coded passwords, stack-based overflow, improper authorization (resulting in unauthorized users getting root access), insufficient verification of data authenticity, and cleartext storage of sensitive information (i.e., the sensitive information was not encrypted). Many of these vulnerabilities could be exploited remotely, allowing an attacker to gain access to the device’s core functions. ICS-CERT has coordinated with the vendor to address these vulnerabilities, and the advisory also provides mitigation information.
On July 21, 2015, ICS-CERT issued an advisory (ICSA-15-174-01) for certain versions of another infusion system. According to the advisory, the infusion system could be remotely directed, with remote access and elevated privileges, to perform unanticipated operations, and the vulnerability could be exploited remotely. The advisory reported that there were no known public exploits targeting the vulnerability. The vendor has provided compensating measures to help mitigate the risks associated with the vulnerability. More information can be found in the advisory.
More recently, ICS-CERT issued an advisory (ICSMA-16-089-01) relating to a secure storage system for supplies. Specifically, this advisory noted a large number of remotely exploitable vulnerabilities. According to the advisory, exploits are publicly available, and an attacker with low skill would be able to exploit many of the vulnerabilities. Mitigation information, including compensating measures recommended by the vendor, can be found in the advisory.
Medical device and healthcare cybersecurity continues to be a very important and challenging topic. To this end, the FDA has convened several public workshops to address this challenge. A treasure trove of information on medical device and healthcare cybersecurity can be found in the transcripts of two of these events: the Public Workshop - Collaborative Approaches for Medical Device and Healthcare Cybersecurity, held October 21-22, 2014, and the Public Workshop - Moving Forward: Collaborative Approaches to Medical Device Cybersecurity, held January 20-21, 2016. Additionally, the FDA recently published a draft guidance document on postmarket management of cybersecurity in medical devices. Other forums for information sharing include the HIMSS Healthcare Cybersecurity Community and InfraGard.