Medical devices including heart defibrillators, patient monitors and anaesthesia devices include a dangerous password vulnerability which could be exploited by cyber attackers, according to a warning issued by the Food and Drug Administration (FDA).

The vulnerability affects 300 medical devices made by approximately 40 vendors, according to two reports, issued simultaneously by the FDA and Industrial Control Systems Emergency Response Team (ICS-CERT).

“The vulnerability could be exploited to potentially change critical settings and/or modify device firmware,” ICS-CERT says in its statement about the medical device vulnerabilities. “ICS-CERT and the FDA are not aware that this vulnerability has been exploited, nor are they aware of any patient injuries resulting from this potential cybersecurity vulnerability.”

Both organisations are working directly with device manufacturers to mitigate the threat. The vulnerability affects "most" medical device manufacturers, according to a report in Ars Technica. ICS-CERT suggested that hospitals should, “Take steps to limit unauthorized device access to trusted users only, particularly for those devices that are life-sustaining or could be directly connected to hospital networks.”

The FDA said in its statement,  “The FDA expects medical device manufacturers to take appropriate steps to limit the opportunities for unauthorized access to medical devices. Specifically, we recommend that manufacturers review their cybersecurity practices and policies to assure that appropriate safeguards are in place to prevent unauthorized access or modification to their medical devices or compromise of the security of the hospital network that may be connected to the device.”