Governance & Risk Management , Healthcare , Industry Specific
FBI Warns of Cyberthreats to Legacy Medical DevicesBureau Is Latest Federal Agency to Address Long-Standing, Growing Problem
The FBI is the latest federal agency warning healthcare sector entities of cyberattack threats to medical devices, especially unpatched and outdated products, recommending that organizations take steps to identify vulnerabilities and "actively secure" the gear.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The FBI in a private industry notification issued Monday says it has identified "an increasing number of vulnerabilities" posed by unpatched legacy medical devices that run on outdated software and devices that lack adequate security features.
"Cyberthreat actors exploiting medical device vulnerabilities adversely impact healthcare facilities' operational functions, patient safety, data confidentiality and data integrity," the FBI says.
Attackers could exploit an array of devices including insulin pumps, cardiac defibrillators, mobile cardiac telemetry, pacemakers and intrathecal pain pumps, the advisory says.
Threat actors could manipulate devices to give "inaccurate readings, administer drug overdoses or otherwise endanger patient health," the alert warns.
Naomi Schwartz, senior director of cybersecurity, quality and safety at security firm MedCrypt, says legacy medical devices pose a "minefield" of concerns.
But high-risk devices such as infusion pumps are not the only ones to consider, she says.
"Losing some or all of a hospital's radiology systems can lead to a cascading impact in a hospital setting where patients must be moved to other facilities in order to triage/continue treatment plans," says Schwartz, who recently joined MedCrypt from the U.S. Food and Drug Administration, where she served as a premarket device reviewer and safety officer.
"Some devices may act as conduits into the hospital or healthcare delivery organization's network that lead to more widespread threats like network shutdown or ransom. This is an area that requires additional consideration throughout the larger industry. There’s not a good answer."
The FBI did not specify any particular new attack threat prompting the bureau to issue the alert about legacy medical device cybersecurity issues, given that healthcare entities have been dealing with these challenges for years.
The bureau did not immediately respond to Information Security Media Group's request for additional information about the alert.
Other federal agencies also have periodically issued advisories as medical device vulnerabilities are discovered, including the Cybersecurity Infrastructure Security Agency and the FDA.
Also, the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center has issued a number of advisories involving medical devices in recent months (see: HHS HC3 Warns Healthcare of IoT Device, Open Web App Risks).
Some of the government's recent medical device-related advisories also were issued jointly by several federal agencies.
A joint advisory in July from the FBI, CISA and the U.S. Treasury Department of the Treasury concerned Korean state-sponsored "Maui" ransomware attacks facing the healthcare sector and equipment such as medical imaging systems (see: Feds Warn Healthcare Sector of 'Maui' Ransomware Threats).
Sally Vincent, senior threat research engineer at security firm LogRhythm, says medjacking is a very worrisome type of attack facing medical devices.
"Often this type of attack is used to get personally identifiable information or create a pivot point to other devices," she says. "However, medjacking could easily be used to harm patient health."
Vincent suspects the alert from the FBI came in the wake of recent critical device vulnerabilities that have surfaced in insulin pumps and other products.
"Most security problems that exist within medical devices come from development practices that don't give security much consideration. This needs to change going forward," she says.
The FBI this week cited a number of reasons why healthcare sector entities should take immediate action.
For instance, the FBI referenced independent cybersecurity research from January that found that 53% of connected medical devices and other internet of things devices in hospitals contained known critical vulnerabilities. Also, approximately one-third of healthcare IoT devices have an identified critical risk potentially affecting the technical operation and functions of medical devices, according to the research, the FBI says.
Common types of medical device vulnerabilities and challenges involve the use of standardized and specialized configurations, the vast numbers of devices managed on a network, the absence of device-embedded security features, and the inability to upgrade those features, the FBI says.
Steps to Take
The FBI alert recommends healthcare entities consider taking a number of actions to better secure medical devices, identify vulnerabilities and help mitigate risks.
Those steps include:
- Using anti-malware software on an endpoint device, when possible. If not supported, organizations should provide integrity verification whenever the device is disconnected for service and before it is reconnected to the IT network;
- Encrypting medical device data while in transit and at rest;
- Using endpoint detection and response and extended detection and response products to improve medical device visibility and protection;
- Ensuring default device passwords are changed to secure and complex passwords specific for each medical device;
- Maintaining an electronic inventory management system for all medical devices and associated software, including third-party software components, operating systems, version and model numbers;
- Using inventory management to identify critical medical devices, operational properties and maintenance time frames;
- Considering replacement options for affected medical devices as part of purchasing process, when feasible. Otherwise, isolate vulnerable devices from the network and audit the device's network activities;
- Monitoring and reviewing medical device software vulnerabilities disclosures made by vendors and conducting independent vulnerability assessments;
- Implementing a routine vulnerability scan before installing any new medical device onto the operating IT network.
In the meantime, the cybersecurity concerns involving legacy medical devices will persist, experts say.
Many medical devices hold sensitive patient data that may be leaked. Some of these devices could become unavailable during a ransomware or other type of cyberattack, and some of them are directly connected to patients, potentially putting individuals at risk for physical harm, says Daniel dos Santos, head of security research at security firm Forescout Technologies.
"Besides attacks that target those devices or their data directly, every vulnerable device on a network is a possible stepping stone for lateral movement or a possible point of persistence for an attacker on the network," he adds.
Legacy medical devices that have not been updated for security are one of the biggest ongoing concerns in healthcare and device security, says Bill Aerts, senior fellow and managing director at the Center for Medical Device Cybersecurity of the University of Minnesota.
"This is a challenge that is hard to address, but some progress is being made with new techniques," he says. "Virtually any planned attack could take advantage of old devices."
Many hospitals are still using some of the oldest equipment out there because the capital costs to replace them are so high, he says. "They try to extend the life of the devices for as long as possible."
In fact, the FBI says that many medical devices remain in use for 10 to 30 years.
Schwartz suggests that healthcare entities coordinate carefully with suppliers during installation of devices and periodically review older installs to see if actions can be taken today that were not considered when the device was first purchased.
"Proactively start to include cybersecurity risk criteria in your replacement planning process and define your cybersecurity requirements in the contracts for the new devices you are buying," she says.