The Riskiest Connected Medical Devices and the New NIST CSF 2.0 Core Draft

Because of the Internet of Medical Things (IoMT), it is possible to connect a variety of medical devices to the Internet and operate, configure, and monitor them remotely. These devices can send medical information online to physicians, enabling them to quickly take action to alter treatments, and the data sent from the devices can easily be added to electronic medical records. IoMT device usage is growing immensely: smart hospitals are expected to double the number of IoMT devices they use, to 7 million by 2026.

Although there are important benefits to using Internet-connected medical devices, such usage significantly increases the attack surface. Vulnerabilities are being identified in IoMT devices that malicious actors could exploit to gain access to the devices and the networks they connect to. According to a 2022 FBI report, 53% of IoMT and other IoT devices have at least one unpatched critical vulnerability.

Armis, an asset visibility and security company, conducted a detailed analysis of data compiled from medical and IoT devices to determine which IoMT and IoT devices carry the most risk. The Armis Asset Intelligence and Security Platform tracked data from over 3 billion assets and identified the following as the riskiest connected medical devices.

1. Nurse call systems – 39% of nurse call systems contain unpatched critical vulnerabilities, while 48% contain other unpatched vulnerabilities. A malicious actor can exploit a critical vulnerability in a direct or indirect attack, and the resulting effects would be critical or significant. If hackers exploited vulnerabilities in medical devices, they could access the systems the devices connect to, steal sensitive information, or change device settings and put patients in danger.

2. Infusion pumps – 27% of analyzed infusion pumps have at least one unpatched critical flaw, while 30% have other unpatched vulnerabilities.

3. Medication dispensing systems – 4% of analyzed systems have unpatched critical flaws, while 86% have other unpatched vulnerabilities. According to Armis, 32% of the analyzed medication dispensing systems were running unsupported versions of Windows. Across all connected medical devices, 19% were running unsupported operating systems, since IoMT devices usually outlive the support lifespans of their operating systems.

IoT devices can likewise introduce substantial risk and give hackers an easy way to gain a foothold in healthcare systems. Armis lists the following as the riskiest IoT devices:

1. IP cameras in healthcare environments – 56% of IP cameras contain unpatched critical vulnerabilities and 59% contain other unpatched vulnerabilities

2. Printers – 37% contain unpatched critical vulnerabilities and 30% contain other unpatched vulnerabilities

3. VoIP devices – 53% contain unpatched critical vulnerabilities and 2% contain other unpatched vulnerabilities

Developments in technology are important to enhance the speed and excellence of care delivery. The healthcare industry is facing a scarcity of care providers, but with more connected care there is a bigger attack surface, states Mohammad Waqas, Armis’ Principal Solutions Architect for Healthcare. Securing medical and IoT-connected devices, and even building management systems, through visual and continuous contextualized monitoring is important to ensuring patient safety.

The increasing volume of wireless, Internet- and network-connected devices and the growing cybersecurity threats targeting the healthcare industry have prompted the U.S. Food and Drug Administration (FDA) to act. Medical device manufacturers will soon be required to provide details about the cybersecurity of their devices in premarket submissions, in order to strengthen medical device cybersecurity. The requirements will include:

  • a software bill of materials that will help identify and patch the vulnerable parts
  • cybersecurity steps to protect the devices and sensitive information
  • a security plan to address changes throughout the lifespan of the devices
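As an added illustration of what the SBOM requirement above makes possible, here is a small Python script (example code written for this page, not from Armis, the FDA, or NIST) that cross-references a device's SBOM against a list of advisories and also flags an unsupported operating system, the two conditions the Armis figures above are counting. The SBOM, the advisory identifiers (EXAMPLE-ADV-…), the affected version ranges and the operating-system support floor are all constructed sample data, loosely following the CycloneDX JSON layout; none of them refer to real advisories.

```python
"""Cross-reference a device SBOM against advisories and an OS support floor.

Added example; all data below is constructed for illustration.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed SBOM for a hypothetical device, loosely CycloneDX-shaped.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "infusion-pump-controller", "version": "3.2.0"}},
  "components": [
    {"type": "operating-system", "name": "windows", "version": "7.0"},
    {"type": "library", "name": "openssl", "version": "1.0.2u"},
    {"type": "library", "name": "libxml2", "version": "2.9.14"},
    {"type": "application", "name": "pump-firmware-ui", "version": "3.2.0"}
  ]
}
"""

# Constructed advisories: placeholder ids, introduced is inclusive, fixed is exclusive.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "component": "openssl", "introduced": "1.0.2", "fixed": "1.1.1", "severity": "critical"},
    {"id": "EXAMPLE-ADV-0002", "component": "libxml2", "introduced": "2.9.0", "fixed": "2.9.14", "severity": "high"},
    {"id": "EXAMPLE-ADV-0003", "component": "pump-firmware-ui", "introduced": "3.0.0", "fixed": None, "severity": "medium"},
]

# Constructed policy: OS versions below this floor are treated as unsupported.
UNSUPPORTED_OS_FLOOR: Dict[str, str] = {"windows": "8.1"}


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    issue: str
    severity: str
    action: str


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.0.2u' into a comparable tuple; a trailing letter becomes a sub-slot."""
    parts: List[int] = []
    for seg in version.split("."):
        m = re.fullmatch(r"(\d+)([a-z]?)", seg)
        if not m:
            raise ValueError(f"unparseable version segment: {seg!r}")
        num, letter = m.groups()
        parts.append(int(num))
        parts.append(ord(letter) - ord("a") + 1 if letter else 0)
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1; missing trailing segments count as zero ('3.2' == '3.2.0')."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return (pa > pb) - (pa < pb)


def version_in_range(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True if introduced <= version < fixed (no fixed version means still affected)."""
    if compare_versions(version, introduced) < 0:
        return False
    if fixed is not None and compare_versions(version, fixed) >= 0:
        return False
    return True


def analyze_sbom(sbom_json: str, advisories: List[dict], os_floor: Dict[str, str]) -> List[Finding]:
    """Match every SBOM component against the advisories and the OS support floor."""
    sbom = json.loads(sbom_json)
    findings: List[Finding] = []
    for comp in sbom.get("components", []):
        name, version = comp["name"], comp["version"]
        if comp.get("type") == "operating-system" and name in os_floor:
            if compare_versions(version, os_floor[name]) < 0:
                findings.append(Finding(name, version, "unsupported operating system", "critical",
                                        f"plan migration or replacement (support floor {os_floor[name]})"))
        for adv in advisories:
            if adv["component"] == name and version_in_range(version, adv["introduced"], adv["fixed"]):
                action = f"update to {adv['fixed']}" if adv["fixed"] else "no fix available: isolate and apply compensating controls"
                findings.append(Finding(name, version, adv["id"], adv["severity"], action))
    return findings


def has_unpatched_critical(findings: List[Finding]) -> bool:
    """The condition the device counts above are based on."""
    return any(f.severity == "critical" for f in findings)


if __name__ == "__main__":
    results = analyze_sbom(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES, UNSUPPORTED_OS_FLOOR)
    for f in results:
        print(f"{f.severity:8} {f.component} {f.version}: {f.issue} -> {f.action}")
    print("unpatched critical present:", has_unpatched_critical(results))
```

Note the boundary handling: libxml2 2.9.14 is not flagged because the constructed advisory's fixed version is exclusive, while openssl 1.0.2u is flagged because the letter suffix still sorts below 1.1.1. Getting these comparisons right is what makes an SBOM useful for identifying which parts actually need patching.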

Discussion Draft of NIST CSF 2.0 Core Released by NIST

The National Institute of Standards and Technology (NIST) is currently revising the NIST Cybersecurity Framework (CSF) 1.1 and will publish the full draft of version 2.0 soon. It has published a discussion draft that includes revisions to the Core elements of the Framework, and is soliciting feedback on improving the Framework before publishing the complete draft. The NIST CSF 2.0 Core describes the outcomes of the 6 Functions, 21 Categories, and 112 Subcategories and includes a sample of the proposed new CSF 2.0 Informative Examples. Although the discussion draft is preliminary and not yet complete, it was released to increase transparency and show progress toward the finished draft.

Changes were made to the NIST CSF 1.1 to improve clarity, ensure a consistent level of abstraction, address developments in technologies and risks, and improve alignment with domestic and international cybersecurity standards and practices. NIST has received feedback that version 1.1 of the Framework remains effective at addressing cybersecurity risks, but felt a change was necessary to make it simpler for organizations to handle present risks and upcoming cybersecurity issues more efficiently.

NIST received 92 written responses to its January 2023 CSF 2.0 concept paper, comments from working sessions and workshops, 134 written responses to its February 2022 NIST Cybersecurity RFI, and suggestions from conferences, webinars, roundtables, and events around the world. All of this input was considered when developing the updated Framework.

In particular, NIST wants comments on whether the cybersecurity outcomes presented in the discussion draft address the current challenges organizations face, are in line with existing cybersecurity practices and resources, and whether the updates have addressed the feedback submitted. NIST stated that suggestions may also be submitted on any part of the Framework where further improvements could be made, including the content, format, and scope of the Implementation Examples.

NIST has confirmed that other elements of the Framework will also be updated and stated that there is still a lot of work to do before the intended summer release of the complete NIST CSF 2.0 draft.

Download and read the discussion draft here.