Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

FBI Warns of Unpatched and Outdated Medical Device Risks

The FBI is warning healthcare facilities of the risks associated with unpatched and outdated medical devices.

Security flaws in medical devices could adversely impact the operations of healthcare facilities, while also affecting the safety of patients and data confidentiality and integrity, the FBI says.

The FBI is warning healthcare facilities of the risks associated with unpatched and outdated medical devices.

Security flaws in medical devices could adversely impact the operations of healthcare facilities, while also affecting the safety of patients and data confidentiality and integrity, the FBI says.

Both hardware design and device software management faults could lead to security vulnerabilities, especially if specific configurations are used, embedded security features are missing or cannot be updated, or there are too many devices to manage.

Some medical devices may remain in use for up to 30 years, which provides threat actors with enough time to identify and exploit vulnerabilities, especially if the software running on them has reached end of life (EOL).

“Legacy medical devices contain outdated software because they do not receive manufacturer support for patches or updates, making them especially vulnerable to cyberattacks,” the FBI says.

In addition to running outdated software, these devices might be using default configurations that are easily exploitable or custom software that lacks a proper vulnerability patching implementation, or might lack security completely, as they were not intended to be exposed to security threats.

As evidenced by recent reports, the FBI says, over half of the medical devices and other Internet of Things (IoT) devices in hospitals are impacted by known vulnerabilities, with defibrillators, insulin pumps, mobile cardiac telemetry, and pacemakers being among the most affected device types.

The bureau recommends that organizations not only identify vulnerabilities in medical devices, but also actively secure these devices and train employees to report identified issues in order to help mitigate risks.

Advertisement. Scroll to continue reading.

Organizations are advised to employ endpoint protection where possible, encrypt medical device data, use unique and complex passwords for each medical device, maintain an electronic inventory management system to easily identify critical devices, perform routine vulnerability scans, and work with manufacturers to patch newly identified vulnerabilities in a timely manner.

Related: Rapid7 Flags Multiple Flaws in Sigma Spectrum Infusion Pumps

Related: Defending the Healthcare Security Landscape in the Age of Connected Devices

Related: Medical, IoT Devices From Many Manufacturers Affected by ‘Access:7’ Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Karl Triebes has joined Ivanti as Chief Product Officer.

Steven Hernandez has joined USAID as CISO and Deputy CIO.

Data security and privacy firm Protegrity has named Michael Howard as its CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.