FBI Alerts Healthcare Providers Regarding the Risks of Unpatched and Obsolete Medical Devices

The Federal Bureau of Investigation (FBI) has released a private sector notification regarding the increasing number of vulnerabilities in healthcare devices. In case medical devices aren’t quickly patched and are using outdated software, malicious actors can exploit vulnerabilities and obtain access to sensitive patient information or the systems the medical devices link to. With access to the system, threat actors may carry out attacks that negatively affect the operations of healthcare establishments. Medical devices are usually utilized to support patients with slight to serious health conditions. Attacks on those healthcare devices could result in severe hurt to patients and even cause the loss of life.

The FBI states that vulnerabilities in medical devices mainly originate from device hardware structure and device software administration. If healthcare devices are run in the standard settings, that usually gives threat actors a chance to take advantage of vulnerabilities. Devices with personalized software may be hard to patch, usually needing specialized processes, which could delay updates and vulnerabilities stay unaddressed for much longer, increasing the odds of taking advantage of the vulnerabilities.

Medical devices were created to carry out special functions, however, security was by no means a concern since the devices were not regarded as a security risk. These devices are vulnerable and in case exposed to the Web could give threat actors a fast way to acquire access to the devices, change their features, or utilize them as a springboard to start an attack on a company.

The FBI mentions new research that indicates 53% of network-linked medical devices and other IoT devices employed in hospitals possess identified critical vulnerabilities that were not resolved, with about 33% of healthcare IoT devices getting a critical vulnerability that can impact the technical functionality or operation of healthcare devices. These devices comprise pacemakers, mobile cardiac telemetry, insulin pumps, intrathecal pain pumps, and intracardiac defibrillators.

A study suggests medical devices have typically 6.2 vulnerabilities for each device. Over 40% of medical devices that hit their end-of-life do not get security patches and program updates to fix vulnerabilities, and frequently stay used in spite of the security risks

Unpatched and obsolete medical devices present cyberattack potentials, therefore it is essential that vulnerabilities are dealt with and risk is minimized to a low and acceptable degree. The FBI provides a number of suggestions for enhancing the safety of medical devices:

  • Make sure endpoint protection steps are enforced such as antivirus applications and endpoint detection and response (XDR) solutions.
  • Apply encryption for sensitive information
  • Modify all default passwords and use difficult, unique passwords, and restrict the number of sign-ins for every user
  • Make sure a detailed listing is kept of all devices, which includes the patching status, software program version, and any vendor-created software parts utilized by the devices
  • Create a plan for updating medical and IoT devices before their end-of-life
  • Make certain vulnerabilities are immediately patched on all medical devices
  • Perform scheduled vulnerability tests before adding any new device to the operating program
  • Teach employees to help offset human threats, such as teaching workers how to determine and report risks, the attacks that target staff members like social engineering and phishing attacks, and put banners to emails that come from external sources.

The FBI notification – Unpatched and Outdated Medical Devices Provide Cyber Attack Opportunities – and the complete suggestions for mitigating vulnerabilities are available on this page.