The FBI is warning healthcare facilities of the risks associated with unpatched and outdated medical devices.
Security flaws in medical devices could adversely impact the operations of healthcare facilities, while also affecting the safety of patients and data confidentiality and integrity, the FBI says.
Both hardware design and device software management faults could lead to security vulnerabilities, especially if specific configurations are used, embedded security features are missing or cannot be updated, or there are too many devices to manage.
Some medical devices may remain in use for up to 30 years, which provides threat actors with enough time to identify and exploit vulnerabilities, especially if the software running on them has reached end of life (EOL).
“Legacy medical devices contain outdated software because they do not receive manufacturer support for patches or updates, making them especially vulnerable to cyberattacks,” the FBI says.
In addition to running outdated software, these devices might be using default configurations that are easily exploitable or custom software that lacks a proper vulnerability patching implementation, or might lack security completely, as they were not intended to be exposed to security threats.
As evidenced by recent reports, the FBI says, over half of the medical devices and other Internet of Things (IoT) devices in hospitals are impacted by known vulnerabilities, with defibrillators, insulin pumps, mobile cardiac telemetry, and pacemakers being among the most affected device types.
The bureau recommends that organizations not only identify vulnerabilities in medical devices, but also actively secure these devices and train employees to report identified issues in order to help mitigate risks.
Organizations are advised to employ endpoint protection where possible, encrypt medical device data, use unique and complex passwords for each medical device, maintain an electronic inventory management system to easily identify critical devices, perform routine vulnerability scans, and work with manufacturers to patch newly identified vulnerabilities in a timely manner.