The U.S. Federal Bureau of Investigation has issued a warning that unpatched and outdated medical devices are providing cyber attack opportunities to hackers.
In a Private Industry Notification issued Sept. 12, the FBI said that it had identified an increasing number of vulnerabilities from unpatched medical devices that run outdated software and that lack adequate security features.
The FBI noted that while medical device hardware often remains active for 10-30 years, the software lifecycle specified by the manufacturer can range from a couple of months to the device's maximum life expectancy, giving threat actors time to discover and exploit vulnerabilities. Legacy medical devices are said to run outdated software because they no longer receive manufacturer support for patches or updates, opening the door to attackers.
In addition to software issues, other medical devices were found to have additional vulnerabilities, including being set to a default configuration, making them easily exploitable. Devices with customized software were noted to be susceptible due to issues with vulnerability patching, along with devices that were not initially designed with security in mind.
The FBI recommends that healthcare providers identify vulnerabilities and increase employee awareness and reporting. Providers should implement endpoint protection, such as antivirus software; encrypt medical device data both in transit and at rest; and use endpoint detection and response and extended detection and response solutions.
Providers should also apply identity and access management, ensuring default passwords are changed and, where supported, limiting the number of login attempts per user. Asset management, including maintaining an electronic management system, is also recommended, along with vulnerability management to mitigate vulnerabilities on operational medical devices.
“Unfortunately, there’s still a huge lack of measures being taken at hospitals for security and the cybercriminals are taking full advantage of all the connected medical devices that are used within the facilities,” Szilveszter Szebeni, chief information security officer and the co-founder of encryption-based security solutions company Tresorit AG, told SiliconANGLE.
Noting that when buying medical equipment, the buying criteria focuses on how it can improve patients’ lives and help medical staff, Szebeni believes that IT security should be an essential part of the buying criteria as well. “Only then will manufacturers consider and prioritize security as a process that will enable hospitals and medical institutions to patch software rapidly and easily without risking any unexpected failures or massive breaches,” Szebeni said.
Melissa Bischoping, director and endpoint security research specialist at cybersecurity and systems management firm Tanium Inc., noted that the purchase and implementation of new medical technology must come with a plan for ongoing care and maintenance of the device that includes support for vulnerabilities. “Importantly, this kind of support and maintenance should include both the hardware, the software, and the server or workstation operating system that the software resides on,” Bischoping explained.
“For legacy devices still in production environments that are too costly to replace quickly, this underscores the need for network segregation and monitoring of the traffic to and from those devices,” Bischoping added. “This is a massive technical debt problem that cannot be solved with risk acceptance or assuming that the devices are less connected because they are older.”
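As an added illustration (not from the FBI notice or either company quoted above) of how the asset-management and vulnerability-management recommendations combine with the hardware-versus-software lifecycle gap and the segmentation point made here, the script below scores a constructed device inventory. Device names, dates and the finding labels are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass
class Device:
    name: str
    installed: date
    hw_service_years: int              # expected hardware life; the notice cites 10-30 years
    sw_end_of_support: Optional[date]  # None: manufacturer no longer ships patches
    default_credentials: bool          # still on the vendor default configuration/passwords
    segmented: bool                    # on an isolated, monitored network segment

def assess(dev: Device, today: date) -> List[str]:
    """Return the findings for one device, most serious first."""
    findings: List[str] = []
    # Hardware retirement date implied by the expected service life.
    retire = dev.installed.replace(year=dev.installed.year + dev.hw_service_years)
    if dev.sw_end_of_support is None or dev.sw_end_of_support < today:
        findings.append("unsupported-software")          # legacy device, no patches
    elif dev.sw_end_of_support < retire:
        # Software support ends before the hardware is retired: a future legacy device.
        gap_years = (retire - dev.sw_end_of_support).days // 365
        findings.append(f"support-gap:{gap_years}y")
    if dev.default_credentials:
        findings.append("default-credentials")
    # Segmentation plus traffic monitoring is the compensating control for
    # devices that cannot be patched, so flag its absence only where it is needed.
    if findings and not dev.segmented:
        findings.append("unsegmented")
    return findings

def assess_inventory(inventory: List[Device], today: date) -> Dict[str, List[str]]:
    return {d.name: assess(d, today) for d in inventory}

# Constructed sample inventory; none of these are real devices.
INVENTORY = [
    Device("infusion-pump-A", date(2012, 3, 1), 20, date(2019, 6, 30), True, False),
    Device("imaging-B", date(2020, 1, 15), 15, date(2027, 12, 31), False, True),
    Device("monitor-C", date(2021, 5, 1), 10, date(2031, 5, 1), False, False),
]
NOTICE_DATE = date(2022, 9, 12)  # date of the FBI notification

if __name__ == "__main__":
    for name, findings in assess_inventory(INVENTORY, NOTICE_DATE).items():
        print(f"{name}: {', '.join(findings) or 'no findings'}")
```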