Tuesday, November 5, 2019

Medical Device Software VxWorks is Open to Hackers


One of the security problems we have in healthcare is the danger of proprietary or legacy software running devices that have a direct impact on patient care.  One such system that came into the spotlight in 2019 is VxWorks, a real-time operating system developed by Wind River.  It runs in the background of many of the devices in our lives, but unlike the major operating systems (iOS, Windows, or Android) most of us have never heard of it.  Just because it manages things we don't pay much attention to doesn't make it any less serious when it is compromised by hackers.

In this case VxWorks is currently running on 200 million (you read that right) devices, and many of them are in the healthcare sector.  The company has stated it "can be found in surgical robots, infusion pumps, dialysis machines, pacemaker programmers, assisted ventilators, etc. When critical Class III devices are being developed, and lives are at stake, medical device manufacturers have turned to Wind River."

Recently, however, VxWorks has been in the news because of vulnerabilities in its networking code that could allow an attacker to break into a device over the network.  Because the same code is embedded in so many different products, fixing it isn't a simple matter.  Wind River can release a fix, but each manufacturer that builds on VxWorks must then integrate it into its own device firmware, test it, and distribute it; it isn't a matter of one company publishing a patch that every user's device automatically downloads and installs.  Each end user, in turn, has to deliberately install the update on every affected device.  You can imagine the struggles of a company that manufactures surgical robots suddenly needing to update the operating system underneath its product.  It could very well cause operational problems and/or affect patient care, and that is just one example.  Add to that the potential for FDA involvement, since these are regulated medical devices, and it is easy to see how big a problem something like this can turn out to be.

The sad part of this is that we have already seen that criminals don't really care whether patients and their lives are affected.  The ransomware blitzkrieg of 2019 has shown in no uncertain terms that, in the quest for money, cyber criminals do not treat lives as important.

This isn't meant to be an indictment of VxWorks, but it is an example of how sideways things could potentially go given our dependency on life-critical hardware.  I'm not currently aware of any dental devices affected, but that doesn't mean there aren't any.

If you would like to read more about the U.S. Government's concerns about this situation, take a look at this page from the U.S. Department of Homeland Security.
