FBI warns of unpatched medical devices
Industry experts have long been apprehensive about the cybersecurity vulnerabilities posed by the increasing number of IoT medical devices. “Wearable devices are often rushed to market, with little thought to cybersecurity,” says William Hodges, a cybersecurity expert in Miami. “A company wants to beat others to market with that first IoT heart monitor or blood pressure cuff, yet the price they pay is often in cybersecurity vulnerability.”
Medical facilities that come under cyberattack can experience real-life, tangible consequences. At MercyOne Children’s Hospital in Des Moines, Iowa, a cyberattack that knocked the hospital’s systems offline directly led to a three-year-old boy being given the wrong dose of medicine after his tonsillectomy, one that could have had devastating consequences. Fortunately, the child survived with no lasting impact.
Unpatched medical devices
The issue is so concerning that the FBI recently published a warning about unsecured and unpatched medical devices.
The warning states in part:
“The FBI has identified an increasing number of vulnerabilities posed by unpatched medical devices that run on outdated software and devices that lack adequate security features. Cyber threat actors exploiting medical device vulnerabilities adversely impact healthcare facilities’ operational functions, patient safety, data confidentiality, and data integrity.”
Hodges explains that medical device software can remain in service for many years, so what was once considered a robust defense is now outdated.
“Some medical devices are programmed and designed to last decades, and a hacker who couldn’t have breached the device ten years ago may have no problem doing so now,” Hodges reports, adding that the whole IoT medical ecosystem is a patchwork of loosely regulated devices with different standards.
“This creates a cornucopia of opportunities for cybercriminals who know the vulnerabilities of these devices. Just like some MSPs specialize in healthcare, the same is true of some hackers. They specialize in medical devices,” Hodges warns.
Other findings in the FBI bulletin:
- 53% of connected medical devices and other internet of things (IoT) devices in hospitals had known critical vulnerabilities.
- Medical devices susceptible to cyber attacks include insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, pacemakers, and intrathecal pain pumps. Malign actors who compromise these devices can direct them to give inaccurate readings, administer drug overdoses, or otherwise endanger patient health.
- There is an average of 6.2 vulnerabilities per medical device, and recalls were issued for critical devices such as pacemakers and insulin pumps with known security issues, while more than 40 percent of medical devices at the end-of-life stage offer little to no security patches or upgrades.
Hodges says that the FBI is trying to get the word out to MSPs, CISAs, and IT staff not to ignore medical device security. “Sometimes IT people will think that an old, clunky pacemaker or dialysis machine couldn’t pose a cybersecurity risk, but that just isn’t true,” he explains. “All medical devices — old and new — need to be scrutinized and secured.”
In addition to patient safety, MSPs that manage medical device security could be on the hook for hefty HIPAA and regulatory fines and penalties if a breach happens on an unsecured device.
Hodges also advises that MSPs with medical portfolios take the following steps:
Audit: Take an inventory of all medical devices under your supervision.
“That means everything, even if you don’t think it is of consequence; you need a central database of everything, from a medical wearable in someone’s home to your client’s inventory,” Hodges says, adding that it’s often a sprawling task because medical devices can be so spread out among many locations.
“People don’t want to undertake such a step because it takes time, but you can’t develop a plan unless you know your vulnerability,” he explains.
Plan: Once you have a list of all the medical devices under your purview, a plan needs to be developed to patch and monitor each device.
“It’s a big job, but the consequences of not doing it can be deadly and costly,” Hodges warns.
The FBI recommends additional steps, which include:
Endpoint protection: If supported by the medical device, use antivirus software on an endpoint. If not supported, provide integrity verification whenever the device is disconnected for service and before it is reconnected to the IT network.
Vulnerability management: Work with manufacturers to help mitigate vulnerabilities on operational medical devices.
Training: Implement required training for employees to identify and report potential threats.
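As an added example of the integrity verification step recommended above (this code is not from the FBI bulletin or this article): a baseline manifest of the device's firmware and configuration is captured when the device is disconnected for service, and the device is only allowed back on the IT network if it still matches that baseline. The device image layout, file names and config values are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """SHA-256 of every file under root, keyed by relative path. Capture this
    when the device is disconnected for service and keep it off the device."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify(root: Path, baseline: dict) -> dict:
    """Compare the device's current state with the stored baseline before it is
    reconnected to the IT network; report changed, added and missing files."""
    current = build_manifest(root)
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def may_reconnect(report: dict) -> bool:
    """Only a device that matches its service-time baseline goes back online."""
    return not any(report.values())


def scenario() -> tuple:
    """Constructed demo: an insulin-pump image baselined at disconnect, then
    returned from service with an edited dosing config and an extra binary."""
    with tempfile.TemporaryDirectory() as tmp:
        dev = Path(tmp) / "insulin-pump"
        (dev / "etc").mkdir(parents=True)
        (dev / "bin").mkdir()
        (dev / "etc" / "pump.conf").write_text("max_bolus_units=10\n")
        (dev / "bin" / "pumpd").write_bytes(b"\x7fELF placeholder")
        baseline = build_manifest(dev)
        clean = verify(dev, baseline)  # untouched image: nothing to report
        (dev / "etc" / "pump.conf").write_text("max_bolus_units=99\n")
        (dev / "bin" / "updater").write_bytes(b"unexpected binary")
        tampered = verify(dev, baseline)
        return may_reconnect(clean), may_reconnect(tampered), tampered


if __name__ == "__main__":
    ok_clean, ok_serviced, report = scenario()
    print("reconnect untouched:", ok_clean, "| reconnect serviced:", ok_serviced, report)
```

In practice the manifest would be stored and verified from a trusted workstation rather than on the device itself, and any mismatch is a case for the manufacturer and the incident process before the device goes back into clinical use.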
Hodges says the FBI’s recommendation of training is on point. “Training employees to recognize threats is one of the best and least costly investments an MSP or a company can make,” he advises.