
Discoveries of Sensitive Network Data on Disposed Medical Devices and Its Implications with Regulators and Robocalls

A recent report from cybersecurity firm Rapid7 has revealed that disposed medical devices for sale on the secondary market still contain sensitive network data. This data could potentially allow hackers to compromise the organizations that previously used these devices. The study focused on thirteen de-acquisitioned medical infusion pumps that were being offered on websites such as eBay. Shockingly, eight of these pumps still contained WiFi PSK access credentials, as they had not been properly purged.

Deral Heiland, the principal researcher at Rapid7, explained that these access credentials could be used by hackers to gain access to the network of the medical organization that previously used the pump. This raises serious concerns about the potential compromise of private medical data, as hackers could exploit this vulnerability to gain unauthorized access. The fact that removing these credentials from the devices is not a difficult task highlights a lack of responsibility when it comes to properly disposing of equipment that stores sensitive information.

The report emphasizes the need for a more comprehensive de-acquisitioning process for medical devices in order to better protect patient data. Rapid7 recommends implementing stricter protocols for ensuring that all sensitive information is completely erased from these devices before they are resold or disposed of. Failure to do so poses a significant risk to the security and privacy of patient data.

In a separate but related issue, scam calls pretending to be about expiring car warranties have become a common problem. These calls are so prevalent that they are now a meme-worthy running joke. In response, the US Federal Communications Commission (FCC) has recently taken action by fining a robocaller a record-setting $300 million. This particular scheme had been operating since 2018 and involved the false and misleading sale of vehicle service contracts.

The FCC’s investigation revealed that the enterprise behind the scheme had used various company aliases, including Sumco Panama, Virtual Telecom, Davis Telecom, and Geist Telecom. These companies were responsible for placing at least five billion calls over the past five years. The operation had even managed to evade the bans against making telemarketing calls imposed on two of its central players, Roy M. Cox and Aaron Michael Jones, following lawsuits by the Federal Trade Commission and the State of Texas.

FCC Chairwoman Jessica Rosenworcel acknowledged that these fines alone may not be sufficient to ensure compliance, as companies often find ways to avoid payment through corporate loopholes or by sequestering their earnings in forfeiture-proof vehicles. However, she did note that following the FCC’s action, the number of auto warranty calls fell by 99 percent.

It is important to mention that while the FCC has recommended the fine, the evaluation and prosecution of the case will ultimately be handled by the Justice Department. Therefore, it remains to be seen whether the company will be able to find ways to avoid or reduce the penalty. Such fines frequently go unpaid or are significantly reduced due to resource limitations for collection.

In conclusion, the discovery of disposed medical devices containing sensitive network data highlights the need for better disposal protocols to protect patient data from being compromised. Additionally, the FCC’s record-breaking fine against a robocaller involved in a vehicle service contract scheme serves as a step towards cracking down on these fraudulent activities. However, it remains to be seen how effective such fines will be in deterring future scams, given the potential loopholes that companies may exploit.
