FBI Issues Alert on Unpatched and Outdated Medical Devices

Sept. 14, 2022
This week the FBI issued an industry alert for the healthcare sector on unpatched and outdated medical devices, as threat actors continue to exploit medical device vulnerabilities.

On Sept. 12, the FBI issued an industry alert regarding unpatched and outdated medical devices that provide opportunities for cyberattacks. According to the alert, a growing number of vulnerabilities are caused by unpatched medical devices that run on outdated software and by devices that lack sufficient security features.

The alert says that “Cyber threat actors exploiting medical device vulnerabilities adversely impact healthcare facilities’ operational functions, patient safety, data confidentiality, and data integrity. Medical device vulnerabilities predominantly stem from device hardware design and device software management. Routine challenges include the use of standardized configurations, specialized configurations, including a substantial number of managed devices on the network, lack of device embedded security features, and the inability to upgrade those features.”

Further, “Medical device hardware often remains active for 10-30 years, however, underlying software life cycles are specified by the manufacturer, ranging from a couple months to maximum life expectancy per device allowing cyber threat actors time to discover and exploit vulnerabilities. Legacy medical devices contain outdated software because they do not receive manufacturer support for patches or updates, making them especially vulnerable to cyberattacks.”

Outdated software is not the only threat to medical devices. Many devices also have vulnerabilities, including devices used with the default configuration, devices with customized software, and devices that weren’t designed with security in mind.

Moreover, “Medical devices have known vulnerabilities that impact various machines used for healthcare purposes, including those that sustain patients with mild to severe medical conditions.

  • As of January 2022, a research report conducted by a cybersecurity firm found 53% of connected medical devices and other internet of things (IoT) devices in hospitals had known critical vulnerabilities. Approximately one third of healthcare IoT devices have an identified critical risk potentially implicating technical operation and functions of medical devices.
  • According to a report in mid-2022 conducted by a healthcare cybersecurity analyst, medical devices that are susceptible to cyberattacks include insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, pacemakers, and intrathecal pain pumps. Malign actors who compromise these devices can direct them to give inaccurate readings, administer drug overdoses, or otherwise endanger patient health.
  • According to a research report in 2021, a cybersecurity firm assessed there is an average of 6.2 vulnerabilities per medical device, and recalls were issued for critical devices such as pacemakers and insulin pumps with known security issues, while more than 40% of medical devices at the end-of-life stage offer little to no security patches or upgrades.”

Lastly, the alert provides recommendations for securing medical devices:

  • Endpoint protection
  • Identity and access management
  • Asset management
  • Vulnerability management
  • Training employees to mitigate risk
