Recently, over 300 medical devices were found to have password vulnerabilities. This prompted the DHS’ Industrial Control Systems-Cyber Emergency Response Team (ICS-CERT) to issue an advisory to all manufacturers, healthcare facilities and users.
One of the major concerns surrounding this vulnerability is the possibility of unauthorized users accessing critical settings and making changes that could be harmful to patients. Firmware modifications were also a concern.
Typically, only company technicians know this type of password, but researchers working for a security vendor were able to easily exploit the passwords and gain access.
These researchers are now advocating for a digital signature requirement for programming modifications to firmware to prevent hackers and malicious technicians from tampering with device settings. Because so many legacy devices still exist in the healthcare setting, the researchers are recommending this change be implemented in any device approved by the FDA beginning in 2014.
Many agree this is a good idea, but believe this type of change will take years to make a difference. Hospitals have been reluctant to install antivirus software on medical devices for fear that something could go wrong, and manufacturers would have a difficult time keeping devices updated.
I too believe that it would take many, many years before this change would make any difference. Healthcare organizations keep equipment an average of 10-15 years, and sometimes even 20. Just finding devices can be a challenge, so ensuring they all have the latest software would create an almost impossible situation for both biomedical and IT departments.
That being said, hospitals need to start somewhere because I believe this will eventually become mandatory, much like the current “meaningful use” initiatives.
For heaven’s sake, people drive around in cars that appear to be smarter than the devices keeping loved ones alive.
Article referenced:
