Wednesday, June 19, 2013

Medical Devices Insecure

A recent ICS-CERT alert and an FDA Safety Communication have highlighted the lax cybersecurity frequently found in medical devices.

For a long time, medical devices were protected by an "air gap", which worked only as long as the devices were physically separated from the data network. But increasing cost pressures and integration of these devices' capabilities have meant that insecure devices are now being exposed to the network.

Common vulnerabilities include hard-coded, well-known passwords and even passwordless logins, susceptibility to SQL injection attacks, and a general inattention to security patches and secure configuration guidelines.

Security practices in the medical device industry have lagged behind those of most other IT installations. Affected devices include several where a malicious intruder (or buggy malware) could cause patient injury or death.

1 comment:

Anne said...

Hello, I'm a consultant & like to share. Most Class I devices and a couple of Class II devices are absolved from the necessity for docility of an advertising provision. Nonetheless, these devices are not excluded from other general controls. All medical devices must be made under a quality affirmation system, be suitable for the expected utilization, be enough bundled and appropriately marked, and have foundation enlistment and device posting structures on document with the FDA. Thanks!
-----------------
iso 13485