The FBI is warning healthcare facilities of the risks associated with unpatched and outdated medical devices.
Security flaws in medical devices could adversely impact the operations of healthcare facilities, while also affecting the safety of patients and data confidentiality and integrity, the FBI says.
Both hardware design and device software management faults could lead to security vulnerabilities, especially if specific configurations are used, embedded security features are missing or cannot be updated, or there are too many devices to manage.
Some medical devices may remain in use for up to 30 years, which provides threat actors with enough time to identify and exploit vulnerabilities, especially if the software running on them has reached end of life (EOL).
“Legacy medical devices contain outdated software because they do not receive manufacturer support for patches or updates, making them especially vulnerable to cyberattacks,” the FBI says.
In addition to running outdated software, these devices might be using default configurations that are easily exploitable or custom software that lacks a proper vulnerability patching implementation, or might lack security completely, as they were not intended to be exposed to security threats.
As evidenced by recent reports, the FBI says, over half of the medical devices and other Internet of Things (IoT) devices in hospitals are impacted by known vulnerabilities, with defibrillators, insulin pumps, mobile cardiac telemetry, and pacemakers being among the most affected device types.
The bureau recommends that organizations not only identify vulnerabilities in medical devices, but also actively secure these devices and train employees to report identified issues in order to help mitigate risks.
Organizations are advised to employ endpoint protection where possible, encrypt medical device data, use unique and complex passwords for each medical device, maintain an electronic inventory management system to easily identify critical devices, perform routine vulnerability scans, and work with manufacturers to patch newly identified vulnerabilities in a timely manner.
Related: Rapid7 Flags Multiple Flaws in Sigma Spectrum Infusion Pumps
Related: Defending the Healthcare Security Landscape in the Age of Connected Devices
Related: Medical, IoT Devices From Many Manufacturers Affected by ‘Access:7’ Vulnerabilities
More from Ionut Arghire
- ‘Badsecrets’ Open Source Tool Detects Secrets in Many Web Frameworks
- Chrome 111 Update Patches High-Severity Vulnerabilities
- BreachForums Shut Down Over Law Enforcement Takeover Concerns
- Ransomware Will Likely Target OT Systems in EU Transport Sector: ENISA
- Ransomware Gang Publishes Data Allegedly Stolen From Maritime Firm Royal Dirkzwager
- Zoom Paid Out $3.9 Million in Bug Bounties in 2022
- Malicious NuGet Packages Used to Target .NET Developers
- Google Pixel Vulnerability Allows Recovery of Cropped Screenshots
Latest News
- Backslash Snags $8M Seed Financing for AppSec Tech
- ‘Badsecrets’ Open Source Tool Detects Secrets in Many Web Frameworks
- High-Severity Vulnerabilities Found in WellinTech Industrial Data Historian
- Chrome 111 Update Patches High-Severity Vulnerabilities
- BreachForums Shut Down Over Law Enforcement Takeover Concerns
- CISA Expands Cybersecurity Committee, Updates Baseline Security Goals
- Malware Trends: What’s Old Is Still New
- Burnout in Cybersecurity – Can It Be Prevented?
