The United States’ Federal Bureau of Investigation’s Cyber Division has released a private industry notification alerting healthcare organizations to the growing number of medical device vulnerabilities. According to the notification, cybercriminals may exploit these weaknesses to negatively affect a healthcare organization’s operational functions, patient safety, data confidentiality, and data integrity.
Medical device hardware frequently operates for 10 to 30 years. However, manufacturers determine the life cycle of the underlying software, which can range from a few months to the device’s maximum life expectancy. Medical devices are particularly vulnerable to attacks because they frequently contain outdated software that manufacturers no longer update or patch. As a result, cybercriminals are given the opportunity to identify and exploit their weaknesses. Other vulnerabilities frequently found in medical devices include default configurations that are easily exploitable, complex customized software that delays the implementation of vulnerability patching, and inadequate security design. According to the FBI, as of January 2022, approximately 53 percent of connected medical devices and other IoT devices have an identified critical risk that can potentially affect the device’s operations and functions. The FBI also notes that medical devices such as insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, pacemakers, and intrathecal pain pumps are susceptible to cyber attacks. Malicious actors who attack these devices can alter their operation to endanger the patient by providing incorrect readings and administering drug overdoses. Furthermore, the FBI cites a report which found that in 2021, approximately 6.2 vulnerabilities were found per medical device and that 40 percent of medical devices nearing the end of their life cycle were found to offer no security upgrades.
To address these concerns, the FBI details a multitude of steps medical device operators can take to identify vulnerabilities, actively secure medical devices, and increase employee awareness in order to reduce the risk presented by medical devices. The first is to implement endpoint protection. Medical device operators should use antivirus software on endpoints, encrypt medical device data, and utilize EDR and XDR solutions. The FBI also recommends identity and access management: healthcare organizations should ensure all default password credentials are changed to more secure and complex credentials. The FBI further advises healthcare organizations to ensure adequate asset management. Medical device operators should maintain a digital inventory management system for all devices and associated software and consider replacement options for impacted devices. Other recommendations include training staff members to identify and report potential threats to the device’s security and working with device manufacturers to reduce vulnerabilities. Finally, the FBI requests that recipients of the private industry notification report any and all potentially suspicious activity to their local FBI office and law enforcement.
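The asset-management and credential recommendations above lend themselves to a simple, repeatable check over the device inventory. The following is an added example, not code from the FBI notification or any device vendor: it takes a constructed inventory of hypothetical devices (asset IDs, models, and dates are all made up) and flags the conditions the notification calls out, namely software past its vendor end-of-support date, default credentials that were never changed, and devices with no recent patch, then assigns each device a defender action and orders the report so that end-of-support, network-connected devices come first. The 180-day patch window and the action wording are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Device:
    """One row of a medical device inventory (hypothetical schema for this example)."""
    asset_id: str
    model: str
    software_eol: Optional[date]      # vendor-declared end of software support; None = unknown
    default_creds_changed: bool       # were the factory default credentials replaced?
    last_patch: Optional[date]        # date of the last applied software update, if any
    network_connected: bool           # reachable from the clinical network?


# Actions in order of urgency; used to sort the report.
ACTION_PRIORITY = [
    "isolate on segmented network and plan replacement",
    "change default credentials before next use",
    "review support status with manufacturer",
    "monitor",
]


def assess(device: Device, today: date, patch_window_days: int = 180) -> Dict[str, object]:
    """Return the issues found on one device and the recommended defender action."""
    issues: List[str] = []

    past_eol = device.software_eol is not None and device.software_eol <= today
    if device.software_eol is None:
        issues.append("software support status unknown")
    elif past_eol:
        issues.append("software past end of support")

    if not device.default_creds_changed:
        issues.append("default credentials still in use")

    if device.last_patch is None or (today - device.last_patch).days > patch_window_days:
        issues.append(f"no patch in the last {patch_window_days} days")

    # Choose the single most urgent action; the full issue list is kept alongside it.
    if past_eol and device.network_connected:
        action = ACTION_PRIORITY[0]
    elif not device.default_creds_changed:
        action = ACTION_PRIORITY[1]
    elif issues:
        action = ACTION_PRIORITY[2]
    else:
        action = ACTION_PRIORITY[3]

    return {"asset_id": device.asset_id, "model": device.model,
            "issues": issues, "action": action}


def triage(devices: List[Device], today: date,
           patch_window_days: int = 180) -> List[Dict[str, object]]:
    """Assess every device and order the report by action urgency (stable sort)."""
    report = [assess(d, today, patch_window_days) for d in devices]
    report.sort(key=lambda r: ACTION_PRIORITY.index(r["action"]))
    return report


def summarize(report: List[Dict[str, object]]) -> Dict[str, int]:
    """Count devices per recommended action, in priority order."""
    return {a: sum(1 for r in report if r["action"] == a) for a in ACTION_PRIORITY}


# Constructed sample inventory: hypothetical assets, not real device data.
SAMPLE_INVENTORY = [
    Device("PUMP-0001", "infusion pump (hypothetical)", date(2020, 6, 30), True,
           date(2019, 1, 15), True),
    Device("MON-0002", "patient monitor (hypothetical)", date(2025, 1, 1), False,
           date(2022, 8, 1), True),
    Device("TEL-0003", "cardiac telemetry unit (hypothetical)", None, True,
           date(2022, 3, 1), True),
    Device("IMG-0004", "imaging workstation (hypothetical)", date(2026, 12, 31), True,
           date(2022, 9, 1), False),
]


if __name__ == "__main__":
    result = triage(SAMPLE_INVENTORY, date(2022, 9, 12))
    for row in result:
        print(f"{row['asset_id']:10} {row['action']:48} {'; '.join(row['issues'])}")
    print(summarize(result))
```

In practice the inventory rows would come from the organization’s asset database and the end-of-support dates from the manufacturer; the value of the check is that it is re-run on a schedule, so a device crossing its end-of-support date or a newly added device with factory credentials surfaces automatically rather than only at the next manual audit.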