Researchers Billy Rios and Terry McCorkle of Cylance have reported a hard-coded password vulnerability affecting about 300 medical devices from about 40 vendors. The vulnerability could potentially be exploited to change critical settings and/or modify device firmware on devices including surgical and anesthesia devices, ventilators, drug infusion pumps, external defibrillators, patient monitors, and laboratory and analysis equipment.

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), an arm of the US Department of Homeland Security, has been working with the Food and Drug Administration (FDA) to address these issues. ICS-CERT and the FDA have notified the affected vendors of the report, asked the vendors to confirm the vulnerability and identify specific mitigations, and will follow up with specific advisories and information as appropriate.

For more details, including the FDA’s recommendations and best practices to help prevent unauthorized access or modification to medical devices, click here.