Medical devices could be hacked, study says 1:06
New York (CNN Business) -
Researchers say they have found more than a dozen vulnerabilities in software used in medical devices and machinery used in other industries that, if exploited by a hacker, could make computers critical, such as patient monitors, hang.
The research, shared exclusively with CNN, points to problems hospitals and other facilities have had in keeping sensitive software up-to-date as the resource-draining coronavirus pandemic continues.
It's also an example of how federal agencies are working more closely with investigators to investigate cybersecurity flaws that could affect patient safety.
According to cybersecurity companies Forescout Technologies and Medigate, which discovered the problem, nearly 4,000 devices made by various vendors in the healthcare, government and retail sectors use the vulnerable software.
There is no evidence that malicious hackers exploited software flaws, and doing so would require prior access to networks in some cases, Forescout said.
Siemens, the industrial company that owns the software, has released updates that fix the vulnerabilities.
Cyberattacks on government and business targets in the US
Siemens collaborated with federal officials and investigators to verify and fix the vulnerabilities through software updates.
advertising
According to the researchers, the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security is expected to publish a notice on Tuesday encouraging users to update their systems in response to the report.
"It is important that medical device manufacturers have a mechanism in place to quickly determine if their devices are affected," Dr. Kevin Fu, acting director of medical device cybersecurity at the Center for Devices and Radiological Health, told CNN. FDA.
Cyber attack on T-Mobile affects 40 million users 0:42
After learning about the vulnerabilities, "we began working with our partners in all potentially affected critical infrastructure sectors, including healthcare, to inform potentially at-risk vendors of this vulnerability and provide them with guidance to remediate it," said Deputy CEO of CISA cybersecurity, Matt Hartman, in a statement to CNN.
The vulnerabilities affect versions of the Nucleus real-time operating system, a Siemens proprietary software suite that manages data on critical networks.
Fu said the vulnerabilities could affect a number of medical devices, but that it depends on the version of the software running and whether the device is connected to the Internet.
In addition to patient monitors, some anesthesia, ultrasound and X-ray machines could be affected by the software glitch, according to the research.
Forescout researchers tested the software's vulnerabilities in a lab.
In one case, they sent malicious commands to a building automation system used in hospitals, disconnecting it and cutting off the lights and HVAC system in a simulated hospital room, according to the investigation report.
(For this to work in practice, a hacker would have to already be on the hospital's local network or the building automation device would have to be exposed to the Internet.)
Elisa Costante, vice president of research at Forescout Technologies, told CNN that her research team wanted to highlight how old software used in key industries should be closely scrutinized for security flaws.
"Our smart world is built on legacy software" that is often more difficult to maintain, said Costante.
"Today, I have no evidence that this has been exploited [by hackers] yet in the wild," he added.
"But do we really have to wait for something important to happen instead of creating the awareness [needed to address vulnerabilities]?"
The FDA has invested more in cybersecurity in recent years in an effort to address how digitizing patient care opens up risks to hacking.
In June 2019, the agency advised patients to stop using a certain insulin pump after researchers showed how a hacker could tamper with the pump's settings.
cyber attack hacker
