Study Finds Alarming Vulnerabilities in Medical Devices

A recent comprehensive study conducted by Claroty, a leader in cyber-physical systems (CPS) protection, has highlighted concerning trends within healthcare cybersecurity. The research, outlined in Claroty’s State of CPS Security Report: Healthcare 2023, revealed a gap in the maintenance practices of medical devices within hospital environments, emphasizing their susceptibility to potential cyber attacks and the broader implications for patient safety and data security.

One of the most alarming revelations from the study pertains to the pervasive presence of known exploited vulnerabilities (KEVs) across hospital networks, as highlighted by data from the Cybersecurity and Infrastructure Security Agency (CISA). A majority of tracked KEVs, 63%, have taken root within healthcare networks, and an alarming 23% of medical devices, ranging from imaging devices to clinical IoT devices and surgical instruments, exhibit at least one known exploited vulnerability. These vulnerabilities represent clear entry points for cyber adversaries seeking to breach hospital networks and exploit sensitive healthcare data for malicious purposes, presenting a concerning threat to patient safety and data integrity.

The study also found a disconcerting pattern pertaining to critical medical assets that are interconnected with hospital guest networks. Despite their role in delivering key healthcare services, a notable 4% of devices utilized in surgical procedures have been found to be accessible via hospital guest networks. This finding is particularly alarming considering that guest networks are typically characterized by lower levels of security compared to core hospital networks, rendering these critical medical assets highly vulnerable to exploitation by malicious actors seeking unauthorized access to sensitive healthcare infrastructure.

The study also explored the challenges encountered by medical device manufacturers (MDMs) in ensuring the security and integrity of their products. Although MDMs typically develop medical devices on robust, regularly patched operating systems such as Windows and Linux, the process of vulnerability patching for medical devices often entails additional costs and logistical complexities. A large proportion of medical devices continue to operate on outdated or unsupported operating systems, further complicating efforts to mitigate vulnerabilities and secure healthcare infrastructure against potential cyber threats. This issue is particularly pronounced in the case of legacy systems, with a staggering 14% of connected medical devices identified as running on unsupported or end-of-life operating systems. Imaging devices, which are critical for diagnostic and therapeutic purposes, were found to be a particularly vulnerable subset within this category, with approximately 32% of imaging devices identified as operating on unsupported systems.

The severity of these findings is emphasized by real-world incidents, such as the case of St. Margaret’s Health in Spring Valley, Ill., which serves as an example of the tangible consequences of cybersecurity failures within the healthcare sector. In response to a cyberattack, the hospital was compelled to make the irreversible decision to shutter its doors permanently. For an extended period, the hospital’s computer systems remained inaccessible, resulting in severe financial losses and disruptions to patient care. This unfortunate scenario highlights the importance of robust cybersecurity measures in safeguarding both patient well-being and the operational continuity of healthcare facilities.

In response to these pressing challenges, Claroty advocates for a comprehensive approach that involves both government leadership and industry initiatives. It calls for stringent enforcement of cybersecurity requirements by the FDA for medical device submissions, emphasizing the need for proactive measures to mitigate vulnerabilities and improve the security posture of medical devices from their inception. Claroty also stresses the importance of developing robust plans to address post-market vulnerabilities, ensuring that healthcare organizations possess the necessary mechanisms to promptly identify, assess, and mitigate emerging threats to patient safety and data security.

Claroty further asserts the need for the healthcare sector to prioritize the adoption of resilient medical devices and systems, strengthened by the implementation of effective cybersecurity practices. This entails not only strengthening defenses against potential intrusions but also developing a culture of cybersecurity awareness and proactive risk management within healthcare organizations. It is important for hospitals and healthcare providers to proactively prioritize cybersecurity measures as cyber threats continue to evolve, safeguarding patient safety, protecting sensitive healthcare data, and upholding the integrity of healthcare delivery in an increasingly health sector.

Author: Nathan Murphy

Nathan Murphy is a news journalist on NetSec.news. Nathan has worked as a writer on a number of publications, contributing hundreds of articles on a broad range of topics, with a particular focus on IT security. You can contact Nathan on LinkedIn https://www.linkedin.com/in/nathan-murphy-bb83451b3/ and follow on Twitter https://twitter.com/thenathanmurph1