The Federal Bureau of Investigation (FBI) has warned healthcare facilities of the possible risks of using outdated/unpatched medical devices and released recommendations to protect them from cyberattacks.

The agency stated that medical devices with security flaws can disrupt the day-to-day operations of healthcare facilities and jeopardize patient safety. Using unsafe devices can also compromise the confidentiality of patient data.

Whether they lie in the hardware design or in the software stack, vulnerabilities in any medical device component can have devastating consequences, particularly in certain deployment configurations.

The bureau reports that more than half of all medical devices and Internet of Things devices used in hospitals contain security vulnerabilities. The affected equipment includes insulin pumps, defibrillators, pacemakers, and mobile cardiac telemetry devices, among others.

Why Secure Medical Devices

This issue needs urgent attention because some medical devices stay in service for a very long time, in some cases thirty years or more. That gives threat actors ample time to identify and exploit vulnerabilities, especially once the device software has reached end of life (EOL). Such "legacy devices" keep running outdated software because, without manufacturer support for updates or patches, there is no practical way to keep them protected.

Another issue is that devices are often deployed with default configurations, which are easy to exploit, and their customized software offers no straightforward way to apply vulnerability patches. Many devices also lack basic security controls altogether, because they were designed on the assumption that they would never be exposed to security threats.

The bureau recommends that organizations not only identify vulnerabilities in their medical devices but also actively secure those devices and train employees to report any issues they discover, so that risks can be mitigated early.

The PATCH Act

The FBI is concerned about the dramatic increase in vulnerabilities found in unpatched medical devices. In June 2021, the AHA asked Congress to support the long-pending legislation known as the PATCH Act.

In a letter to Congress, the AHA stated that securing medical devices is essential and that manufacturers should focus on implementing cybersecurity solutions. The FBI also noted that the notorious 2017 WannaCry ransomware attack on healthcare leveraged flaws in unpatched medical devices.

“The pending legislation would require medical device manufacturers to monitor and identify post-market vulnerabilities in a timely manner, develop a plan for coordinated vulnerability disclosure, provide lifetime cybersecurity support of the device and provide an accounting of all software contained in the device, including third-party software.”

John Riggi, national advisor for cybersecurity, AHA

What Can Organizations Do?

Organizations should deploy endpoint protection wherever the device supports it and encrypt device data. It is also essential to set a strong, unique password on every medical device rather than leaving the factory default in place.

Another effective strategy is maintaining an electronic inventory management system. An accurate inventory makes it possible to identify which medical devices are critical, to track which ones have reached end of support, and to run vulnerability scans on them regularly.

Lastly, organizations must stay in contact with device manufacturers so that every newly discovered vulnerability is patched promptly.
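The three recommendations above (inventory, identify critical devices, chase patches) only work if the inventory can actually tell you which device to deal with first. The following is an added example, not code from the FBI notice or the AHA, showing how an inventory can be turned into a prioritized work list. The inventory rows, the end-of-support dates and the scoring weights are constructed for illustration; a real deployment would pull them from the hospital's asset management system and tune the weights to its own risk appetite.

```python
"""Rank medical devices in an asset inventory for remediation.

Added example (not from the FBI notice or the article). SAMPLE_INVENTORY,
the vendor support dates and the scoring weights are constructed for
illustration; replace them with data from the real asset inventory.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Device:
    asset_id: str
    model: str
    patient_critical: bool           # failure could directly harm a patient
    support_end: Optional[date]      # manufacturer end-of-support; None = still supported
    last_patch: Optional[date]       # last vendor patch applied; None = never patched
    default_creds: bool              # still using factory credentials
    network: str                     # "isolated", "segmented" or "flat"


# Constructed inventory, as an illustration of the kinds of records the
# article says organizations should keep.
SAMPLE_INVENTORY = [
    Device("IP-0001", "infusion pump", True, date(2015, 12, 31), date(2015, 6, 1), True, "flat"),
    Device("TEL-0042", "mobile cardiac telemetry", True, date(2028, 1, 1), date(2024, 3, 1), False, "segmented"),
    Device("IMG-0007", "imaging workstation", False, None, None, True, "flat"),
    Device("PM-0300", "patient monitor", True, date(2026, 1, 1), date(2022, 1, 1), False, "segmented"),
]
AS_OF = date(2024, 9, 1)  # fixed reference date so the ranking is reproducible


def risk_score(d: Device, today: date) -> int:
    """Additive score; higher means fix sooner. The weights are assumptions."""
    score = 0
    if d.patient_critical:
        score += 40
    if d.support_end is not None and d.support_end <= today:
        score += 30      # legacy device: no vendor patch will ever arrive
    elif d.last_patch is None or (today - d.last_patch).days > 365:
        score += 15      # still supported, but patching has lapsed
    if d.default_creds:
        score += 20
    score += {"flat": 20, "segmented": 5, "isolated": 0}[d.network]
    return score


def recommended_actions(d: Device, today: date) -> list:
    """Map the findings behind the score to the controls the article lists."""
    actions = []
    if d.support_end is not None and d.support_end <= today:
        actions.append(f"vendor support ended {d.support_end}: isolate and plan replacement")
    elif d.last_patch is None or (today - d.last_patch).days > 365:
        actions.append("contact the manufacturer and apply current patches")
    if d.default_creds:
        actions.append("replace factory credentials with a unique complex password")
    if d.network == "flat":
        actions.append("move to a segmented network; add endpoint protection if supported")
    return actions


def prioritize(devices, today: date):
    """Return (score, device, actions) tuples, highest risk first."""
    ranked = sorted(devices, key=lambda d: risk_score(d, today), reverse=True)
    return [(risk_score(d, today), d, recommended_actions(d, today)) for d in ranked]


def demo():
    """Run the ranking over the constructed inventory."""
    return prioritize(SAMPLE_INVENTORY, AS_OF)


if __name__ == "__main__":
    for score, dev, actions in demo():
        print(f"{score:3d}  {dev.asset_id:<9} {dev.model}")
        for a in actions:
            print(f"       - {a}")
```

The score is deliberately simple so that it can be read off by a biomedical engineer without a security background: a device that is patient-critical, out of vendor support, on a flat network and still using factory credentials tops the list, while a supported and recently patched device on a segmented network drops to the bottom. The actions are the same four controls the article recommends, attached to the specific finding that triggered them.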
