CareFusion's ventilator software may have been hacked

Google blocked the website CareFusion ($CFN) uses to update the software on its respiratory devices, finding viruses and malware that may have been streamed to patients' implants, MassDevice reports.

Twenty pages on CareFusion's ViasysHealthcare.com were host to Trojan viruses and malicious programs when Google flagged the site, and the company's Avea ventilators may have been hacked as a result. The devices use the site to download software updates, and the viruses it contained can install themselves without consent, according to Google.

Threatpost reports that the Department of Homeland Security is investigating the issue, and a CareFusion spokesperson told the website that the company has shut down the software updates and is looking into the matter as well. Google had flagged the site for suspicious activity for the past three months. University of Massachusetts professor Kevin Fu, who in the past demonstrated how easily a Medtronic ($MDT) pacemaker could be hacked, first discovered the infection.

The CareFusion issue comes on the heels of an industry-wide concern over device security. Last month, DHS issued a warning to devicemakers about the susceptibility of techs to malware, especially for devices that transmit data or download software remotely. The feds' Information Security and Privacy Advisory Board has urged the FDA to reform its device-approval process to include assessments of the security of candidate techs, hoping to avoid exactly what has happened to CareFusion.

As it stands, the FDA does not require devicemakers to submit the source code for their products, although it has the right to do so. Open source advocates have pounced on the issue, saying that if regulators and devicemakers collaborated on software development, they could ensure safer, more effective programs for patients.

- read the MassDevice story
- get more from Threatpost
- here's Google's Safe Browsing report