A new report from the cybersecurity firm Armis has identified the riskiest connected medical devices used by hospitals in the United States. Connected medical devices are a security weak point, and many new vulnerabilities in them are discovered each year. One of the main problems for healthcare organizations is keeping on top of patching, which is difficult for connected medical devices because they are constantly in use. A bigger challenge is that medical devices tend to have a long lifespan and are often used for more than a decade, far beyond the supported lifetime of the operating systems they run on. Upgrading the operating system may not be possible because the device may not be compatible with newer versions, and replacing medical devices whenever their operating systems reach end-of-life is costly and not sustainable.
New legislation has been introduced in the United States as part of an Omnibus Bill that keeps the government funded; it includes language requiring manufacturers of medical devices to meet certain cybersecurity requirements. Those requirements include providing a software bill of materials (SBOM) and a plan for addressing post-market cybersecurity vulnerabilities and exploits in their premarket submissions to the Food and Drug Administration (FDA). If those cybersecurity requirements are not met, the FDA will not authorize the use of the devices. The Omnibus Bill also requires the FDA to issue guidance to medical device manufacturers to help them improve the cybersecurity of their devices.
The Armis study confirms the importance of changes to the law to force medical device manufacturers to improve cybersecurity. The study, which involved an analysis of more than 3 billion assets tracked by its Asset Intelligence and Security Platform, confirmed the extent to which medical devices contain unpatched vulnerabilities. Those vulnerabilities could be exploited by malicious actors to gain access to healthcare networks, steal sensitive data, and potentially alter the functionality of medical devices and put patients at risk.
The study found the riskiest Internet of Medical Things (IoMT) devices to be nurse call systems, 39% of which had at least one unpatched critical vulnerability and 48% had other unpatched Common Vulnerabilities and Exposures (CVEs). Infusion pumps were also risky, with 27% containing unpatched critical CVEs and 4% having other unpatched CVEs. 86% of medication dispensing systems had unpatched CVEs and 32% of those devices were running on out-of-date operating systems.
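The report rates devices by three measures: at least one unpatched critical CVE, other unpatched CVEs, and an operating system that is past end-of-life. The script below is an added example (not part of the Armis report or its platform) of how a hospital security team could apply the same three measures to its own asset inventory and rank devices for patching or isolation. All devices, advisory identifiers, patch names and end-of-life dates are constructed placeholders; none refers to a real product or CVE.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Device:
    """One connected medical device from the hospital's asset inventory (constructed)."""
    name: str
    category: str
    os: str
    installed_patches: set = field(default_factory=set)


@dataclass
class Advisory:
    """One vendor/CVE advisory; cve_id is a placeholder, not a real CVE number."""
    cve_id: str
    severity: str        # "critical" or "other"
    affected_os: set     # operating systems the advisory applies to
    fixed_by_patch: str  # patch or firmware version that closes it


# Constructed end-of-life dates for hypothetical operating systems.
OS_END_OF_LIFE = {
    "legacy-os-7": date(2020, 1, 14),
    "legacy-os-10": date(2025, 10, 14),
}

# Constructed sample inventory and advisories (illustrative only).
SAMPLE_DEVICES = [
    Device("NurseCall-A", "nurse call", "legacy-os-7"),
    Device("NurseCall-B", "nurse call", "legacy-os-10", {"KB-EXAMPLE-1"}),
    Device("Pump-1", "infusion pump", "vendor-rtos-3"),
    Device("Dispenser-1", "medication dispensing", "legacy-os-7",
           {"KB-EXAMPLE-1", "KB-EXAMPLE-2"}),
]
SAMPLE_ADVISORIES = [
    Advisory("CVE-EXAMPLE-0001", "critical", {"legacy-os-7", "legacy-os-10"}, "KB-EXAMPLE-1"),
    Advisory("CVE-EXAMPLE-0002", "other", {"legacy-os-7"}, "KB-EXAMPLE-2"),
    Advisory("CVE-EXAMPLE-0003", "other", {"vendor-rtos-3"}, "PUMP-FW-2.1"),
]
AS_OF = date(2023, 1, 1)  # constructed assessment date


def assess_device(dev, advisories, today):
    """Apply the report's three measures to one device."""
    unpatched = [a for a in advisories
                 if dev.os in a.affected_os and a.fixed_by_patch not in dev.installed_patches]
    eol = OS_END_OF_LIFE.get(dev.os)
    return {
        "name": dev.name,
        "category": dev.category,
        "critical_unpatched": sorted(a.cve_id for a in unpatched if a.severity == "critical"),
        "other_unpatched": sorted(a.cve_id for a in unpatched if a.severity != "critical"),
        "os_end_of_life": eol is not None and eol < today,
    }


def summarize(assessments):
    """Per device category: percentage of devices hit by each measure, as in the report."""
    by_cat = {}
    for a in assessments:
        by_cat.setdefault(a["category"], []).append(a)
    out = {}
    for cat, items in by_cat.items():
        n = len(items)
        out[cat] = {
            "count": n,
            "critical_pct": round(100 * sum(1 for i in items if i["critical_unpatched"]) / n),
            "other_pct": round(100 * sum(1 for i in items if i["other_unpatched"]) / n),
            "eol_os_pct": round(100 * sum(1 for i in items if i["os_end_of_life"]) / n),
        }
    return out


def prioritize(assessments):
    """Order devices for remediation: critical CVE first, then EOL OS, then other CVEs."""
    key = lambda a: (bool(a["critical_unpatched"]), a["os_end_of_life"], bool(a["other_unpatched"]))
    return [a["name"] for a in sorted(assessments, key=key, reverse=True)]


def run_sample():
    assessments = [assess_device(d, SAMPLE_ADVISORIES, AS_OF) for d in SAMPLE_DEVICES]
    return {"summary": summarize(assessments), "priority": prioritize(assessments)}


if __name__ == "__main__":
    result = run_sample()
    for cat, stats in result["summary"].items():
        print(f"{cat}: {stats}")
    print("remediation order:", result["priority"])
```

A device with no compatible patch (the end-of-life case from the report) still surfaces at the top of the list, which is the cue to compensate with network segmentation and monitoring rather than wait for a patch that will not come.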
Vulnerabilities were also common in Internet-of-Things (IoT) devices, and while cyberattacks exploiting these vulnerabilities would not pose a direct threat to patient safety, they could give an attacker a foothold in the network and enable an attack that disrupts care. IP cameras, printers, and VoIP devices in clinical environments were found to contain unpatched critical vulnerabilities.
“These numbers are a strong indicator of the challenges faced by healthcare organizations globally,” said Mohammad Waqas, principal solutions architect for healthcare at Armis. “Advances in technology are essential to improve the speed and quality of care delivery as the industry is challenged with a shortage of care providers, but with increasingly connected care comes a bigger attack surface.” Armis has developed a platform that provides healthcare organizations with visibility into their medical devices and provides continuous contextualized monitoring, helping healthcare organizations identify security issues with their medical devices and take proactive steps to improve security before vulnerabilities can be exploited.