New York (CNN Business)Researchers say they have found more than a dozen vulnerabilities in software used in medical devices and machinery used in other industries that, if exploited by a hacker, could cause critical equipment such as patient monitors to crash.
The research, shared exclusively with CNN, points to the challenges that hospitals and other facilities have had in keeping sensitive software updated as the resource-absorbing coronavirus pandemic continues. It’s also an example of how federal agencies are working more closely with researchers to investigate cybersecurity flaws that could affect patient safety.
Nearly 4,000 devices made by a range of vendors in the health care, government and retail sectors are running the vulnerable software, according to cybersecurity firms Forescout Technologies and Medigate, which discovered the issue.
There is no evidence that malicious hackers have taken advantage of the software flaws — and doing so would require prior access to networks in some cases, Forescout said. Siemens, the industrial firm that owns the software, has issued updates fixing the vulnerabilities.
Siemens worked with federal officials and the researchers to verify and address the vulnerabilities through software updates.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is expected to issue an advisory Tuesday encouraging users to update their systems in response to the report, according to researchers.
“It is important for medical device manufacturers to have a mechanism to quickly ascertain if their devices are affected,” Dr. Kevin Fu, acting director of medical device cybersecurity at the FDA’s Center for Devices and Radiological Health, told CNN.
