Security vulnerabilities in connected devices used in the healthcare industry are endangering patients and costing providers millions of dollars, the FBI has warned. Cyberattacks on healthcare providers have doubled in the last year, with devices often at the heart of breaches. Upcoming security legislation around Internet of Things (IoT) connected devices could help mitigate some of the problems.
In its warning, the FBI says it has become aware of a growing number of vulnerabilities in unpatched medical devices running outdated software. Leaving such devices insecure can expose the systems they connect to, endangering both patients and hospital workers.
Insecure devices can lead to malicious impediment of healthcare facilities’ operational functions, patient safety, data confidentiality and data integrity, the agency says. Common vulnerabilities include devices being used with the manufacturer’s default configuration, and devices not designed with security in mind “due to a presumption of not being exposed to security threats”.
Medical device security: a common problem?
Insecure medical devices are considered among the top cybersecurity concerns in healthcare. A recent report by security company Proofpoint finds that, on average, healthcare providers have more than 26,000 network-connected devices, including pacemakers, infusion pumps (which deliver fluids into a patient's circulatory system) and a range of other monitoring systems. Sixty-four per cent of the respondents surveyed for Proofpoint's report expressed concern over the security of these devices, though only half have included device-attack prevention and response in their security strategies.
Medical devices can have a life span of 10 to 30 years, Proofpoint says. But many do not receive manufacturer support for updates or patching for that length of time, which leaves them, and any networks to which they are connected, open to attack.
Cybercriminals are exploiting device vulnerabilities
Vulnerabilities in medical hardware and software have led to a surge in attacks on hospitals. A report by security company Cynerio says 2021 saw a 123% increase in ransomware attacks on hospitals around the world, causing $21bn worth of damage. Though not all of these attacks stem from connected devices, the study shows that 53% of medical devices have at least one critical vulnerability that could affect patient safety, data confidentiality or service availability, and could therefore be targeted by attackers.
Healthcare is one of the top five sectors experiencing cyberattacks, according to research from CrowdStrike. The volume of attempted attacks against the healthcare industry doubled in 2021, says the company's 2022 Global Threat Report.
Healthcare organisations face four key types of attack, according to Proofpoint's research: cloud compromises, ransomware attacks, supply chain attacks and phishing attacks. The first three of these can all originate from insecure devices.
Security problems with connected devices are unlikely to go away, according to Tom Stafford, CTO for CDW Healthcare, which provides technology solutions to the public sector. “There will always be biomed devices that have outdated and unsupported operating systems,” Stafford wrote in June. “In the beginning, when first purchased, they were of course running mainstream and perhaps even state-of-the-art operating systems, but now these operating systems are no longer supported by the manufacturers. As a result, O/S patches are no longer available to address vulnerabilities.”
He adds: “The problem is going to persist because biomed devices will continue to outlast the useful life of their operating systems and CFOs do not want to replace a $4m imaging device that makes the hospital money every day because it has a security vulnerability.”
How are device vulnerabilities being mitigated?
Legislation is starting to appear that responds to the growing problem of security vulnerabilities in IoT devices, including those deployed by healthcare providers. The UK's Product Security and Telecommunications Infrastructure (PSTI) Bill was part of the Queen's Speech in May, and will require manufacturers and distributors to comply with new security requirements around passwords and security updates.
Fines will be issued to companies that don't comply, and Dr Ian Levy, technical director at the National Cyber Security Centre, said the bill will “hold device manufacturers to account for upholding basic cybersecurity”.
As reported by Tech Monitor earlier today, the EU is also preparing a bill pertaining to IoT security. The Cyber Resilience Act will likewise compel device manufacturers to build in stronger security protections. Ross Brewer, vice president and general manager for the EMEA and APJ regions at security vendor AttackIQ, said that “regulating products in the IoT domain, where they’re not necessarily designed and developed and launched with cybersecurity in mind, is good because anything we can do to get manufacturers and suppliers to recognise the importance of cybersecurity is a positive”.