Recently, a wide range of X-ray and computerized tomography technology was discovered to be acutely vulnerable. According to researcher Scott Erven, an unnamed organization exposed intelligence on over 68,000 systems, causing alarm. Erven noted that passwords to such devices were flawed or weak, using easily guessed words with few or no symbols. Devices found to be at risk include X-ray and CT (CAT scan) technology.
There are two major concerns attached to attacks on nuclear imaging technology:
- Private data and patient information are at risk of being stolen and stored
- Physical well-being of patients may be threatened by unauthorized increased dosages
Drug pump device companies have also had to deal with similar firmware issues as recently as one month ago. The problem has been labeled as a systemic security concern across many, if not most, manufacturers of medical technology.
In response to the drug pump controversy, the FDA issued an alert to health care facilities regarding firmware issues within certain pump devices this past May. This alert, adding on to the 2010 Infusion Pump Improvement Initiative, contains four steps to restore the security of current drug infusion pumps:
- Separate the drug infusion pump from the internet, or make sure the network and internet are isolated from one another
- Shut down any ports you are not using, such as Port 20/FTP and Port 23/TELNET
- Use an MD5 checksum to check whether any unauthorized changes have been made
- Use firewalls to keep hackers from breaking into the hospital’s network
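The checksum step above, sketched as an added example (not code from the FDA alert or from any vendor): record digests of a device's files while it is trusted, then re-hash later and report modified, missing and unexpected files. The file names and contents are constructed; MD5 is the default because the alert names it, and since MD5 is not collision resistant the `algo` parameter also accepts `sha256`.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, algo="md5"):
    """Hash a file in chunks so large firmware images are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, algo="md5"):
    """Map each file under root (by relative path) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p, algo)
            for p in sorted(root.rglob("*")) if p.is_file()}


def audit(root, manifest, algo="md5"):
    """Compare the current tree with a baseline manifest taken earlier."""
    current = build_manifest(root, algo)
    report = {"modified": [], "missing": [],
              "unexpected": sorted(set(current) - set(manifest))}
    for name, expected in manifest.items():
        if name not in current:
            report["missing"].append(name)
        elif current[name] != expected.lower():
            report["modified"].append(name)
    return report


def demo():
    """Constructed sample: a stand-in firmware directory, then three changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pump_fw.bin").write_bytes(b"\x7fFW" + bytes(range(64)))
        (root / "drug_library.xml").write_text("<library version='1'/>")
        (root / "net.conf").write_text("telnet=off\nftp=off\n")
        baseline = build_manifest(root)  # taken while the device is trusted
        (root / "net.conf").write_text("telnet=on\nftp=off\n")  # setting altered
        (root / "drug_library.xml").unlink()                     # file removed
        (root / "extra.bin").write_bytes(b"\x00\x01")            # file added
        return audit(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Keep the baseline manifest somewhere the device itself cannot write to; a manifest stored next to the files it describes can be changed along with them.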
Perhaps the recommendations in the FDA's alert can serve as a blueprint for solving current security issues in other medical device technology. To quote Mr. Erven, the healthcare industry is 15 years behind what we see in retail and finance in terms of what we see in security. With the medical technology industry advancing at such a rapid rate, it is imperative that we catch up in terms of security as well.
Sources: Forbes.com, Wired.com