Most Concerning Security Vulnerabilities in Medical Devices
Researcher Jason Sinchak of Level Nine Discusses Recent Findings
Security flaws in a vital signs monitoring device from a Chinese manufacturer could allow hackers to launch an attack that spreads to all other devices connected to the same network, says Jason Sinchak of security firm Level Nine, the company that discovered the vulnerabilities.
Some of the flaws in the affected Contec Medical Systems Co. equipment, including hard-coded credentials, are very common among the products that Sinchak and his team often evaluate for manufacturing and healthcare clients, while other Contec product vulnerabilities are more serious, he says in an interview with Information Security Media Group.
"In this instance, there were a couple vulnerabilities that were particularly concerning. Mostly, anything that has to do with a vulnerability that could be triggered over the network on a medical device is generally pretty severe," he says.
That's because medical device vulnerabilities often require physical access to the equipment in order to be exploited, he says. While those issues are serious, vulnerabilities involving remotely exploitable flaws in network-connected medical devices, such as some of the problems identified in the Contec monitoring system, are far more risky.
If exploited, the Contec vulnerabilities could result in "a broadcast packet being sent across the entire network" and any of the patient monitors connected to the same network would crash, he says.
Imagine if that were to occur in a hospital, Sinchak warns.
Contec did not immediately respond to ISMG's multiple requests for comment on the issues.
Level Nine's findings were also the subject of an alert issued in September by the Cybersecurity and Infrastructure Security Agency (see: CISA Warns of Contec Patient Monitoring Device Flaws).
In the interview, Sinchak also discusses:
- Other details involving the various Contec patient monitoring system vulnerabilities identified;
- Security issues involving internet of things devices and operational technology equipment used in healthcare settings, ranging from smart TVs to HVACs;
- Approaches to mitigating security risk in medical devices.
Sinchak leads cybersecurity firm Level Nine's medical device product security practice. He began his career as a penetration tester and has brought that "attacker mindset" to his over 15 years of advising medical device manufacturers and healthcare delivery organizations.