The FBI has identified an alarming increase in cyber threats against medical devices due to outdated software and security. These vulnerabilities can directly impact healthcare facilities’ operational functions, patient safety, data confidentiality, and data integrity.
The Threat
Medical device hardware often remains active for 10-30 years, but underlying software life cycles range from a couple of months to the device's maximum life expectancy, allowing cyber threat actors to discover and exploit vulnerabilities. Legacy medical devices contain outdated software and are especially vulnerable to attacks.

Additionally, devices used with manufacturers' default configurations, customized software, and those not initially designed with security in mind pose additional vulnerabilities. Unfortunately, many medical devices exhibit these vulnerabilities and can impact machines used to sustain patients with mild to severe medical conditions.

Research from cybersecurity firms found that 53% of connected medical devices and other IoT devices in hospitals had known critical vulnerabilities, potentially disrupting the technical operation and functions of medical devices. Devices susceptible to cyber-attacks include insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, pacemakers, and intrathecal pain pumps. Attackers who compromise these devices can give inaccurate readings, administer drug overdoses, or endanger patient health.
What to do
To mitigate the risks posed by medical devices, the FBI recommends considering the following actions:

•  Endpoint Protection
a) Use antivirus software on supported medical devices.
b) Verify integrity before reconnecting unsupported devices to the IT network.
c) Encrypt medical device data in transit and at rest.
d) Utilize Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) solutions for increased visibility and protection.

Identify and Access Management
a) Change default passwords to secure, complex passwords specific to each device and user.
b) Limit the number of login attempts per user.
Asset Management
a) Maintain an electronic inventory management system for all medical devices and associated software, including vendor-developed components, operating systems, versions, and model numbers.
b) Use inventory results to identify critical devices and maintenance timeframes.
c) Consider replacement options for affected devices or isolate them from the network.

Vulnerability Management
a) Work with manufacturers to mitigate vulnerabilities in operational devices.
b) Monitor and review software vulnerabilities disclosures by vendors and conduct independent vulnerability assessments.
c) Conduct routine vulnerability scans before installing any new medical device onto the IT network.
For Employees
• Implement required training for employees on how to identify and report potential threats, including insider threats and attacks targeting employees.
• Phishing, social engineering, and spoofing are common techniques used by hackers to compromise the accounts or credentials of employees. To mitigate these risks, it's important to consider implementing email alert banners for all external email exchanges.

Reporting 

The FBI urges those in danger to report suspicious or criminal activity to their nearest FBI field office. Visit www.fbi.gov/contact-us/field-offices to locate your local office or report online here www.ic3.gov. Reports should include date, time, location, activity type, number of people involved, equipment used, organization name, and a point of contact.

 

By taking these actions, healthcare facilities can actively secure medical devices and identify vulnerabilities to protect patient safety, data confidentiality, and data integrity.

Investing in these measures doesn't have to break the bank, the benefits of protecting against employee targeted attacks far outweigh the costs of implementing protective measures. Click here to take our Free Cybersecurity Assessment or contact us to schedule a free 10 minute call. Stay vigilant and help keep your community safe.