Updated 6/16/2012 7:18:26 PM ET

Updated June 16 at 7:00 p.m. EDT: This story has been updated with a statement from CareFusion.

Websites that ship software updates for medical devices, including ventilators and respirators, have been found to be infected with malware, according to security researchers at Kaspersky Lab.

Google's Safe Browsing program found that one of the sites was riddled with 48 Trojans and three scripting exploits in May and June. Owned by the San Diego-based hospital equipment supplier CareFusion Inc., the site pushes out software updates for the company's AVEA brand ventilators. Google tested 347 Web pages belonging to the domain and found that during the two-month stretch, 20 of them (about 6 percent) were pushing out malware.

Another site, which supports CareFusion's VELA brand ventilators, was also flagged for serving up malware, Kaspersky Lab reported.

In an email to SecurityNewsDaily, Kristen Cardillo, the director of corporate communication for CareFusion, said, "We understand what happened and have taken immediate action to ensure it doesn't happen again. In no way did this event affect our ventilators." The offending software was removed from CareFusion's websites.

Kevin Fu, a professor and researcher at the University of Massachusetts, Amherst, discovered the security snafu when trying to download a software update for the AVEA ventilators on June 8. On the Medical Device Security Center blog, Fu stressed the potential disasters that could arise from these rigged sites.

"The risks should be obvious," Fu wrote. "This is an update for a medical device, and yet one must download it in a manner as if software sepsis is no big deal. Health care professionals might as well stop their washing hands while they're at it."

© 2012 SecurityNewsDaily. All rights reserved

