More than 150 models of medical devices, made by more than 100 manufacturers and equipped with the PTC Axeda agent and Axeda Desktop Server, have dangerous cybersecurity vulnerabilities that could potentially harm patients. The Axeda agent and Axeda Desktop Server, sold by PTC, are components that allow one or more people to view and operate the same remote desktop over the Internet. However, it was recently found that these components use hard-coded credentials, which makes them particularly vulnerable to cyber attacks. Hard-coding credentials is a practice in which software developers embed authentication data, such as passwords, directly in the source code. This practice was identified 9 years ago as a significant cybersecurity threat and is considered outdated and dangerous. It is particularly concerning that medtech vendor PTC is still selling products using this technology, especially products providing remote support functionality, which are among the most targeted by hackers.

Hard-coded credential vulnerabilities, if exploited, allow hackers to fully access the system, execute remote code, change the configuration, read or save changes directly to files and folders on the user’s device, access the user’s login information, and flood the targeted device or network with traffic until the target cannot respond or simply crashes, preventing access for legitimate users. Designing medical devices containing such outdated and dangerous components is negligence that can cause injury or death to patients.
Defective medical devices with cybersecurity flaws are considered the number one health technology hazard in 2022 by the ECRI Institute. The FDA issued a cybersecurity alert, and the Cybersecurity and Infrastructure Security Agency issued an advisory with a detailed description of the vulnerabilities, recommendations to mitigate them, and a list of the main manufacturers using the Axeda agent and Axeda Desktop Server in some of their products. Among them are Accuray, Agilent, Bayer, BD, Elekta, GE, Roche Diagnostics, Smiths Medical and Varian. These manufacturers have all released their own information regarding affected products.
Read more in Medtech Dive