63% of CISA-tracked Known Exploited Vulnerabilities (KEVs) can be found on healthcare networks, while 23% of medical devices—including imaging devices, clinical IoT devices, and surgery devices—have at least one known exploited vulnerability, according to Claroty.
Traditionally, medical devices have replacement schedules based on mean times for component failures, and not on cybersecurity concerns. This has led to the continued use of vulnerable legacy devices, that if exploited could lead to negative patient outcomes.
Security risks in medical devices
The consequences of potential failures caused by cybersecurity incidents that affect end-of-life patient devices—including infusion pumps, network modules, gateways, incubators, cardiac rhythm management systems, mobility monitors, and others—can impact patient safety.
“Connectivity has spurred big changes in hospital networks, creating dramatic improvements in patient care with doctors able to remotely diagnose, prescribe, and treat with a never-before-seen efficiency,” said Amir Preminger, VP of research at Claroty. ”
“However, the increase in connectivity requires proper network architecture and an understanding of the exposure to attackers that it introduces. Healthcare organizations and their security partners must develop policies and strategies that stress the need for resilient medical devices and systems that can withstand intrusions. This includes secure remote access, prioritizing risk management, and implementing segmentation,” added Preminger.
Securing networked medical devices requires a complex strategy of mitigation efforts, starting with installing endpoint protection agents on devices that support it. This, however, is a relatively small number; research reveals that only 13% of medical devices support endpoint protection agents.
Meanwhile, the research shows that 72% of medical devices are connected and communicating with the internet. Given the lack of support for endpoint agents, this puts the onus on defenders to accurately identify connected assets, and implement network security strategies such as segmentation to mitigate risk.
Critical medical assets found on hospital guest network
22% of hospitals have connected devices that bridge guest networks—which provide patients and visitors with WiFi access—and internal networks. This creates a dangerous attack vector, as an attacker can quickly find and target assets on the public WiFi, and leverage that access as a bridge to the internal networks where patient care devices reside.
In fact, research showed a shocking 4% of surgical devices—critical equipment that if they fail could negatively impact patient care—communicate on guest networks. Of all of the enclaves on a hospital network, clearly the guest network is the least secured and most exposed place for such critical devices to be connected.
14% of connected medical devices are running on unsupported or end-of-life operating systems (OSs). Of the unsupported devices, 32% are imaging devices, including X-Ray and MRI systems, which are vital to diagnosis and prescriptive treatment, and 7% are surgical devices.
The report examined devices with high Exploit Prediction Scoring System (EPSS) scores, which represent the probability that a software vulnerability will be exploited in the wild on a scale of 0-100. Analysis showed that 11% of patient devices, such as infusion pumps, and 10% of surgical devices contain vulnerabilities with high EPSS scores. Digging deeper, when looking at devices with unsupported OSs, 85% of surgical devices in that category have high EPSS scores.
This research examined which medical devices are remotely accessible and found those with a high consequence of failure, including defibrillators, robotic surgery systems, and defibrillator gateways, are among this group. Research also showed 66% of imaging devices, 54% of surgical devices, and 40% of patient devices to be remotely accessible.