In a December 15, 2023 advisory, the Cybersecurity and Infrastructure Security Agency (CISA) issued a compelling directive, emphasizing the critical need for technology and equipment providers to immediately discontinue the use of default passwords. The prevalence of default credentials easily accessible on the internet poses a considerable threat. If left unchanged, they provide an open invitation for threat actors to exploit systems and networks.

Although CISA’s guidance is not explicitly tailored to healthcare and medical device manufacturers, it inherently carries implications for this sector. Because healthcare is an integral component of a nation’s critical infrastructure, the ease with which certain default passwords can be located puts both the infrastructure and patients at an elevated risk level. Interestingly, the BC Auditor General’s Report also identified the management of passwords and default credentials as a crucial issue in medical device cybersecurity in BC hospitals.

In a future series of articles, we will delve deeper into various fundamental aspects of medical device cybersecurity. Passwords and their management play a foundational role in establishing a cybersecurity framework for the medical devices you and your department support. Stay tuned for more insights and practical guidance on enhancing the cybersecurity posture of medical devices.