Healthcare research report reveals exploitable vulnerabilities that allow hackers to breach devices, systems

A joint research project conducted by Health Information Sharing and Analysis Center (Health-ISAC), Finite State, and Securin revealed exploitable vulnerabilities in software and firmware, which can be used by hackers to breach connected devices, software applications and healthcare systems. It also discovered nearly 1,000 vulnerabilities across 966 medical products. Such exposure to healthcare facilities has surged by nearly 60 percent since 2022, while 300 data breaches were reported in the first half of this year alone, as the healthcare sector faces an unprecedented challenge in safeguarding sensitive information from malicious actors.

The data published Tuesday disclosed 993 vulnerabilities, recording a 59 percent year-over-year increase from 2022, that lurk within these 966 medical products and devices, which can be exploited by attackers to target a healthcare facility. Data further revealed that of the 993 vulnerabilities, 160 are weaponized and 101 are trending in the wild.

Additionally, advanced persistent threat (APT) groups, which stay hidden within a system to steal data, are exploiting seven of the vulnerabilities, and four are associated with ransomware, malicious software that locks users out of their systems or encrypts data and demands a ransom for its recovery.

“Cyber-attacks on healthcare systems can have broader implications for public health and national security,” Phil Englert, vice president for medical device security at Health-ISAC, wrote in the report titled ‘2023 State of Cybersecurity for Medical Devices and Healthcare Systems.’ “If hackers gain unauthorized access to medical records or alter patient data, it can result in misdiagnosis, incorrect treatment plans, or delayed care. In severe cases, patients’ lives could be at risk.” 

He added that protecting medical histories, test results, insurance details, and personal information is crucial to maintain patient privacy and confidentiality. “Breaches can lead to identity theft, fraud, or exposure to highly sensitive medical conditions. Cyber espionage or intellectual property theft can undermine medical research, stalling medical advancements.” 

He added that modern healthcare relies heavily on interconnected systems and medical devices. “If these systems lack adequate cyber security, they become entry points for intruders who can infiltrate the broader healthcare network.” 

“While the health sector has made much progress in improving cyber resilience over the last decade, the research and analysis in this report continue to shed light on the depth and breadth of challenges that exist to secure the healthcare ecosystem,” Englert commented. “Health-ISAC continues to build a global healthcare community to empower trusted relationships to prevent, detect, and respond to cybersecurity and physical security events so that organizations can focus on improving health and saving lives. Health-ISAC continues to team with leading security firms to provide valuable resources for our members to identify and secure their environments.”

“Our research unveils a disturbing year-over-year increase in firmware vulnerabilities within connected medical products and devices, underscoring an urgent need for robust software supply chain security,” Larry Pesce, director of product security research and analysis at Finite State, said in a media statement. “The rise of weaponized exploits demands immediate, collective action to safeguard not only our technological integrity but, ultimately, patient safety.”

“As the healthcare industry continues to digitize, cyber threats are becoming increasingly sophisticated, putting the privacy and safety of patients at risk,” according to Kiran Chinnagangannagari, CTO of Securin. “It is important to understand and address these risks head on, to protect patients’ data and well-being.”

Furthermore, compliance is a key driver for healthcare organizations with regulations like the Health Insurance Portability and Accountability Act (HIPAA) and the need to protect patient data. 

The research identified that a number of cyberattacks have had direct or indirect impact such as leaked personal information, disruption of care, and patient fatalities. “An example of leaked personal information can be seen from the attack on a health system attributed to Cl0p ransomware, which compromised the personally identifiable information (PII) of 1 million customers. Another consequence caused by cyberattacks is disruption of care for patients as noted by the American Medical Association after documenting the effects of ransomware on healthcare providers.”

It added that tragically, the consequences of these cyberattacks on healthcare institutions can be severe. “After a ransomware attack on a medical center, an infant died when neonatal staff were cut off from fetal heartbeat monitors caused by a network outage in the wake of the attack.”

The research revealed that software applications used in the healthcare sector account for the highest percentage (64 percent) of vulnerabilities found. Healthcare applications are crucial for managing patient care, appointment scheduling, and accessing medical records. Many medical devices (such as infusion pumps, pacemakers, and monitoring systems) also rely on software applications. Therefore, vulnerabilities in these applications can enable attackers to disrupt essential healthcare services, leading to delayed treatments or compromising the functionality of medical devices, potentially endangering patients’ lives.

Hardware vulnerabilities were the next largest group with 27 percent of vulnerabilities. Hardware is indispensable in the healthcare sector, aiding in patient care, diagnosis, treatment, and monitoring. From everyday computers to life-support systems, hardware improves medical capabilities and patient outcomes. However, vulnerabilities in healthcare hardware can pose serious risks, including compromised patient care, operational disruptions, and loss of trust.

Lastly, operating system vulnerabilities are the smallest group at only 9 percent, but they are still present. These vulnerabilities leave an open door to manipulation of medical devices, unauthorized access to healthcare systems, and non-compliance with data protection regulations.

In conclusion, the research estimates that the threat of cyber attacks targeting healthcare is very real and should be evaluated seriously. Given the potential for devastating consequences if successful, it is crucial for organizations to proactively address vulnerabilities in medical devices and applications used in the healthcare industry.

To protect against cyber attacks, healthcare organizations must take several steps, starting with implementing a regular penetration testing cadence or exposure assessment. This helps identify possible exposures in the attack surface, allowing organizations to address vulnerabilities before they can be exploited. The report also recommends prioritizing vulnerability patching based on known risks. By staying updated with the latest security vulnerabilities and promptly applying relevant patches, organizations can reduce the risk of successful cyber attacks.

Additionally, the report suggests incorporating binary analysis tools as part of the overall security strategy, which enables organizations to generate a Software Bill of Materials (SBOM) and leverage the results for penetration testing. This helps uncover potential vulnerabilities and aids in securing the healthcare ecosystem. It also calls for mandating that vendors follow a ‘security by design’ methodology: with the FDA’s latest guidance emphasizing ‘security by design,’ it is essential for healthcare organizations to require their vendors to adopt this methodology. By incorporating security practices throughout the entire development lifecycle, from design to deployment, vendors can build more resilient and secure medical devices and applications.

The healthcare sector continues to be a prime target for cyberattacks, posing potential consequences ranging from network disruptions to compromised medical equipment, which could lead to fatal outcomes. Last week, ransomware attacks impacted healthcare systems across multiple locations in the U.S., resulting in delays in patient care and scheduled surgeries. These attacks also forced the closure of some emergency rooms and the diversion of ambulances.
