FBI warns of risks from unpatched and obsolete medical devices


The FBI warns healthcare facilities of the risks associated with unpatched and obsolete medical devices.

Medical device security breaches could negatively impact healthcare facility operations, while affecting patient safety and data confidentiality and integrity, according to the FBI.

Flaws in the hardware design and software management of devices can lead to security breaches, especially if specific configurations are used, if built-in security features are missing or cannot be updated, or if there are too many devices to manage.

Some medical devices can stay in use for up to 30 years, giving threat actors plenty of time to identify and exploit vulnerabilities, especially if the software they run has reached its end of life (EOL).

“Legacy medical devices contain outdated software because they do not receive manufacturer support for patches or updates, making them particularly vulnerable to cyberattacks,” the FBI says.

In addition to running outdated software, these devices may use easily exploitable default configurations or custom software that lacks a proper implementation of vulnerability patches, or may be completely lacking in security, as they were not intended to be exposed to security threats.

As evidenced by recent reports, according to the FBI, more than half of medical devices and other Internet of Things (IoT) devices in hospitals are affected by known vulnerabilities, with defibrillators, insulin pumps, mobile heart telemetry and pacemakers being among the most affected types of devices.

The bureau recommends that organizations not only identify vulnerabilities in medical devices, but also actively secure those devices and train employees to report identified issues to help mitigate risk.

Organizations are advised to use endpoint protection wherever possible, encrypt medical device data, use unique and complex passwords for each medical device, maintain an electronic inventory management system to easily identify critical devices, perform routine vulnerability scans, and work with manufacturers to fix newly identified vulnerabilities in a timely manner.


Ionut Arghire is an international correspondent for SecurityWeek.
