FBI says unpatched, outdated medical devices raise cyber attack opportunities, affecting operational functions

The Federal Bureau of Investigation (FBI) identified an increasing number of vulnerabilities posed by unpatched medical devices running outdated software and by devices that lack adequate security features. The agency said medical device hardware often remains active for 10 to 30 years. However, the underlying software life cycles are specified by the manufacturer and range from a couple of months to the device's maximum life expectancy, giving attackers time to discover and exploit vulnerabilities.

“Cyber threat actors exploiting medical device vulnerabilities adversely impact healthcare facilities’ operational functions, patient safety, data confidentiality, and data integrity,” the FBI said on Monday in a Private Industry Notification. 

Recognizing that medical device vulnerabilities predominantly stem from hardware design and software management, the FBI said that routine challenges include the use of standardized and specialized configurations, a substantial number of managed devices on the network, a lack of device-embedded security features, and the inability to upgrade those features. “Legacy medical devices contain outdated software because they do not receive manufacturer support for patches or updates, making them especially vulnerable to cyber attacks,” it added. 

Apart from outdated software, the FBI assessed that medical devices exhibit additional vulnerabilities: devices used with the manufacturer’s default configuration are often easily exploitable by cyber threat actors; devices with customized software require special upgrading and patching procedures, which delays the implementation of vulnerability patches; and some devices were not initially designed with security in mind because they were presumed not to be exposed to security threats.

The FBI further acknowledged that medical devices have known vulnerabilities affecting various machines used for healthcare purposes, including those that sustain patients with mild to severe medical conditions.

As of January this year, the FBI notification quoted a research report conducted by a cybersecurity firm that found 53 percent of connected medical devices and other internet of things (IoT) devices in hospitals had known critical vulnerabilities. “Approximately one-third of healthcare IoT devices have an identified critical risk potentially implicating technical operation and functions of medical devices,” it added.

The agency also cited a report in mid-2022 conducted by a healthcare cybersecurity analyst, which identified that medical devices susceptible to cyber attacks include insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, pacemakers, and intrathecal pain pumps. “Malign actors who compromise these devices can direct them to give inaccurate readings, administer drug overdoses, or otherwise endanger patient health,” the notification added. 

Lastly, the FBI pointed to a 2021 research report, wherein a cybersecurity firm assessed there is an average of 6.2 vulnerabilities per medical device, and recalls were issued for critical devices such as pacemakers and insulin pumps with known security issues, while more than 40 percent of medical devices at the end-of-life stage offer little to no security patches or upgrades.

The FBI called upon the industry to actively secure medical devices, identify vulnerabilities, and increase employee awareness and reporting to help mitigate the risk posed by medical devices. The agency recommended endpoint protection: if the medical device supports it, run antivirus software on the endpoint; if not, perform integrity verification whenever the device is disconnected for service and before it is reconnected to the IT network. Additionally, organizations must encrypt medical device data in transit and at rest, and adopt endpoint detection and response (EDR) and extended detection and response (XDR) solutions that provide visibility into medical devices and offer protection. 

The agency also suggests exercising prudent identity and access management, which can be done by ensuring that default passwords are changed to secure and complex passwords specific to each medical device. In addition, if supported by a medical device, limit the number of login attempts per user. It also called for asset management by maintaining an electronic inventory management system for all medical devices and associated software, including vendor-developed software components, operating systems, versions, and model numbers. 

The FBI also recommends vulnerability management, working with manufacturers to help mitigate vulnerabilities on operational medical devices. It further suggests monitoring and reviewing vendors' software vulnerability disclosures for medical devices, conducting independent vulnerability assessments, and running a routine vulnerability scan before installing any new medical device onto the operating IT network.
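As an added example, not from the FBI notification or this article, the following Python sketch applies the endpoint, identity, asset-inventory and vulnerability-management checks described above to an inventory of constructed device records (the field names, vendor, model and reference date are assumptions made for the example) and reports the control gaps per asset:

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Dict

@dataclass
class MedicalDevice:
    """One inventory record carrying the fields the FBI notification asks for."""
    asset_id: str
    vendor: str
    model: str
    os_name: str
    os_version: str
    vendor_components: List[str]        # vendor-developed software components
    support_ends: Optional[date]        # None: manufacturer no longer issues patches
    default_credentials: bool           # still on the manufacturer's default configuration
    av_supported: bool                  # device can run endpoint antivirus
    integrity_verified: Optional[date]  # last integrity check before reconnection
    scanned_before_connect: bool        # vulnerability scan done before joining the IT network

def triage_device(dev: MedicalDevice, today: date) -> List[str]:
    """Return the control gaps for one device, in the order the notification lists them."""
    gaps = []
    if not dev.av_supported and dev.integrity_verified is None:
        gaps.append("endpoint: no antivirus and no integrity verification on record")
    if dev.default_credentials:
        gaps.append("identity: default password still in use")
    if dev.support_ends is None or dev.support_ends < today:
        gaps.append("legacy: no manufacturer patch support")  # outdated software per the FBI
    if not dev.scanned_before_connect:
        gaps.append("vuln-mgmt: no vulnerability scan before network connection")
    return gaps

def triage_inventory(devices: List[MedicalDevice], today: date) -> Dict[str, List[str]]:
    """Map asset_id -> gaps; devices with no gaps are omitted so the report is actionable."""
    return {d.asset_id: triage_device(d, today) for d in devices if triage_device(d, today)}

# Constructed sample inventory and reference date (hypothetical vendor, models and dates).
REFERENCE_DATE = date(2022, 9, 12)
SAMPLE_INVENTORY = [
    MedicalDevice("PUMP-001", "ExampleMed", "InfusionPump X", "EmbeddedOS", "2.1",
                  ["pump-ctrl 2.1"], date(2018, 6, 30), True, False, None, False),
    MedicalDevice("MON-014", "ExampleMed", "Telemetry M5", "Linux", "4.19",
                  ["telemetry-agent 5.2"], date(2027, 1, 1), False, True, None, True),
]

def sample_report() -> Dict[str, List[str]]:
    return triage_inventory(SAMPLE_INVENTORY, REFERENCE_DATE)

if __name__ == "__main__":
    for asset, gaps in sample_report().items():
        print(asset, "->", "; ".join(gaps))
```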

The federal agency also advised training to help mitigate risks associated with employees. For example, it recommends implementing required training for employees to identify and report potential threats, including insider threats related to causing harm to the network or stealing information. In addition, the FBI suggested covering phishing, social engineering, and spoofing attempts to compromise accounts or credentials. Finally, as budget constraints allow, consider email alert banners for all email exchanges outside the organization.

Commenting on the FBI notification, John Riggi, American Hospital Association (AHA) national advisor for cybersecurity and risk, said that “this past June, the AHA issued a letter of support to Congress for pending legislation known as the PATCH Act. The letter echoed the need for medical device manufacturers to implement increased cybersecurity requirements for medical devices.” 

Riggi said that medical devices’ cyber vulnerabilities, often outdated legacy technology, pose a significant cyber risk to hospitals. “In 2017, the FBI reported that the North Korean WannaCry global health care ransomware attack was fueled by vulnerabilities in medical devices,” he added.  

“The pending legislation would require medical device manufacturers to monitor and identify post-market vulnerabilities in a timely manner, develop a plan for coordinated vulnerability disclosure, provide lifetime cybersecurity support of the device and provide an accounting of all software contained in the device, including third-party software,” according to Riggi. “In the interim, it is good practice to increase cybersecurity requirements in medical device and medical technology business associate agreements.”

In April this year, the U.S. Department of Health & Human Services (HHS) Food and Drug Administration (FDA) announced the availability of draft guidance. The document provides recommendations to the healthcare industry regarding cybersecurity device design and labeling. It also makes recommendations to be included in premarket submissions for devices with cybersecurity risks.

On the legislative side, the U.S. House of Representatives cleared legislation in June that puts in place appropriate cybersecurity requirements throughout the lifecycle of a cyber medical device. The bill also requires any manufacturer who submits a premarket submission for a cyber device to the U.S. Food and Drug Administration (FDA) to include all necessary details. The move will help ensure that the cyber medical device cybersecurity requirements are met, as determined to be appropriate to demonstrate a reasonable assurance of safety and effectiveness.
