The Department of Homeland Security recently released an advisory to manufacturers and healthcare organizations warning of security vulnerabilities in the firmware of approximately 300 different medical devices from around 40 vendors. The vulnerabilities, which all relate to the use of hard-coded administrator passwords, were discovered by researchers Billy Rios and Terry McCorkle of Cylance. The announcement came on the same day that the U.S. Food and Drug Administration issued a draft guidance document on the subject of strengthening medical device cybersecurity.
According to Rios and McCorkle, the use of hard-coded passwords is prevalent in a wide range of medical devices, including surgical and anesthesia devices, ventilators, drug infusion pumps, external defibrillators, patient monitors and laboratory and analysis equipment. Such passwords are designed to give service technicians privileged access, but, in some cases, this access could allow an attacker to change settings or modify the device firmware.
“It’s been common and accepted in healthcare that anyone who knows the passwords can get in [to the firmware],” Rios told HealthcareInfoSecurity. “That means an unauthorized or non-technical person can get into a medical device and reprogram the device to do whatever they want; you’d never be able to detect it.”
An attacker could potentially carry out any number of dangerous changes with severe medical consequences, from changing drug dosages to altering device readings, Rios added. Given the criticality and sensitivity of the issue, the DHS Industrial Control Systems Cyber Emergency Response Team reported that it has been working with the FDA and the device manufacturers to address the problem. So far, ICS-CERT and FDA do not believe the vulnerability has been exploited in the wild.
Improving medical device software security
To mitigate the threat of the vulnerabilities cited by Rios and McCorkle, ICS-CERT recommended healthcare organizations take steps to limit unauthorized access to trusted users, particularly for life-sustaining devices or those that are connected to hospital networks. Manufacturers are also recommended to follow the recently released FDA guidelines, which suggest avoiding hard-coded passwords, isolating individual device components, following “fail-safe models” for maintaining device functionality even when a device has been compromised and adhering to both a secure development lifecycle and regular patch deployments.
“Manufacturers should consider cybersecurity during the design phase of the medical device, as this can result in more robust and efficient mitigation of cybersecurity risks,” the FDA’s draft guidance stated.
Rios and McCorkle have suggested the FDA implement a firmware signing requirement for new medical devices by 2014, which would prevent unauthorized firmware modifications even from those who can “easily” tamper with devices through backdoor passwords, HealthInfoSecurity reported. One shortcoming for such a requirement is that it would not apply to legacy devices, however.
In fact, changes to improve medical cybersecurity may be slow to arrive, according to Dale Nordenberg, executive director the of Medical Device Innovation, Safety and Security Consortium. He told HealthInfoSecurity that many healthcare organizations neglect to apply patches due to liability concerns, while manufacturers often have trouble keeping up on testing new patches. Despite the FDA guidance, the best way to move forward will be if manufacturers actually get serious about software security, he said.
As medical device manufacturers look to avoid zero-day vulnerabilities in their products and meet the secure development goals that may soon be part of FDA standards, tools such as static analysis software can be valuable for developers. By implementing automated source code analysis, programmers can catch errors before they are released and ensure medical device security is acceptable.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.