FBI Warns of Cyberthreats to Outdated Medical Devices

CARL | 7 Minute Read

A recent announcement from the FBI warns healthcare organizations of cyberattacks targeting medical devices, mainly legacy products. The FBI recommends that organizations take measures to identify vulnerabilities and continuously secure the equipment.

Cyberattacks on Operational Technology (OT) such as medical devices are steadily increasing. A 2021 SANS survey shows that 48% of participants don’t know whether or not their OT environment was compromised within the last year.

A few weeks ago, the FBI issued a private industry notification in which it identified a high number of vulnerabilities in archaic medical devices that run on antiquated software and in devices that require appropriate security features.

The FBI stated, “Cyberthreat actors exploiting medical device vulnerabilities adversely impact healthcare facilities’ operational functions, patient safety, data confidentiality, and data integrity.”

According to the advisory, attackers could exploit various devices like insulin pumps, cardiac defibrillators, mobile cardiac telemetry, pacemakers, and intrathecal pain pumps.

Malicious actors could use those devices to give inaccurate readings, administer drug overdoses, or manipulate information in ways that endanger patient health.

MedCrypt’s Senior Director of Cybersecurity, Naomi Schwartz, says that outdated medical devices represent a “minefield” of concerns.

Schwartz states that high-risk devices like infusion pumps are only one of many to consider.

“Losing some or all of a hospital’s radiology systems can lead to a cascading impact in a hospital setting where patients must be moved to other facilities in order to triage/continue treatment plans,” says Schwartz, who served as a premarket device review and safety officer at the U.S. Food and Drug Administration before joining MedCrypt.

“Some devices may act as conduits into the hospital or healthcare delivery organization’s network that lead to more widespread threats like network shutdown or ransom. This is an area that requires additional consideration throughout the larger industry. There’s not a good answer.”

Long-Standing Issue

The FBI did not confirm any new threats that led the bureau to issue the warning about outdated medical device cybersecurity issues; these threats have been a concern in the healthcare industry for years.

Information Security Media Group had no success contacting the bureau about additional information on the alert.

The Cybersecurity and Infrastructure Security Agency (CISA), the FDA, and many other federal agencies issue regular alerts as more medical device vulnerabilities are discovered.

The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center has also issued several advisories involving medical devices recently.

Together, the FBI, CISA, and the U.S. Treasury Department issued an advisory concerning the Korean state-sponsored “Maui” attacks targeting healthcare industries as well as equipment such as medical imaging systems.

LogRhythm’s Senior Threat Research Engineer, Sally Vincent, says medjacking is a very worrisome type of attack facing medical devices.

According to Vincent, “Often this type of attack is used to get personally identifiable information or create a pivot point to other devices. However, medjacking could easily be used to harm patient health.”

Vincent believes that the warning issued by the FBI was due to critical device vulnerabilities recently found in insulin pumps and other products.

Vincent says, “Most security problems that exist within medical devices come from development practices that don’t give security much consideration. This needs to change going forward.”

The FBI has recently mentioned several reasons why healthcare firms should take immediate action.

Independent cybersecurity research published in January 2022 was used by the FBI to point out that 53% of connected medical devices and other IoT devices in hospitals carried known critical vulnerabilities. The research also showed that nearly one-third of healthcare IoT devices have a high risk of potentially affecting the technical operations and functions of medical devices.

According to the FBI, the most common vulnerabilities and challenges in medical devices involve using standardized and specialized settings, the extensive number of devices running on a network, the lack of service-embedded security features, and no means to upgrade those features.

Steps to Take

The FBI recommends healthcare industries take several steps to better secure medical devices, spot vulnerabilities, and help reduce risk:

  • Use anti-malware software on endpoint devices when possible. If the software is not supported, organizations should provide integrity verification whenever a device is disconnected for service and before it is reconnected to the IT network
  • Encrypt medical device data while in transit and at rest
  • Improve medical device visibility and protection by implementing endpoint detection and response (EDR) and extended detection and response (XDR) products
  • Ensure that all default device passwords are changed to more secure and complex passwords specific to each medical device
  • Keep an electronic inventory management system for all medical devices and associated software, including third-party software components, operating systems, versions, and model numbers
  • Use inventory management to identify critical medical devices, operational properties, and maintenance time frames
  • Consider replacing all affected medical devices. If that is not possible, isolate vulnerable devices from the network and audit each device’s network activity
  • Continuously monitor and review all medical device software vulnerability disclosures made by vendors, and conduct independent vulnerability assessments
  • Execute a routine vulnerability scan before installing any new medical device onto the operating IT network
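The inventory, disclosure-monitoring, replacement/isolation, default-password and pre-connection scan steps above can be tied together in one triage pass over the device inventory. The sketch below is an added example, not code from the FBI notification or from Abacode; every device name, component name, version and advisory entry in it is constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Device:
    name: str
    model: str
    os: str
    components: dict        # third-party component -> version
    critical: bool          # patient-critical according to the inventory
    default_password: bool  # vendor default credentials still in use
    replaceable: bool       # a supported replacement is available
    scanned: bool           # vulnerability scan done before connecting

# Constructed vendor disclosures: (component, affected version) pairs.
ADVISORIES = {("examplehttpd", "1.2"), ("example-rtos-net", "4.0")}

# Constructed inventory records.
INVENTORY = [
    Device("xray-02", "ImagerY", "LegacyOS 7",
           {"examplehttpd": "1.2", "examplezip": "2.1"}, False, False, True, True),
    Device("pump-07", "InfusionX", "RTOS 4",
           {"example-rtos-net": "4.0"}, True, True, False, True),
    Device("monitor-11", "TeleZ", "Linux 5.10",
           {"examplezip": "2.3"}, True, False, True, False),
    Device("scale-01", "WeighA", "RTOS 5", {}, False, False, True, True),
]

def triage(device, advisories):
    """Return (affected components, actions) for one inventory record."""
    hits = sorted(c for c, v in device.components.items() if (c, v) in advisories)
    actions = []
    if hits:  # affected: replace if possible, otherwise isolate and audit
        actions.append("replace" if device.replaceable else "isolate-and-audit")
    if device.default_password:
        actions.append("change-default-password")
    if not device.scanned:
        actions.append("scan-before-connect")
    return hits, actions

def report(inventory, advisories):
    """List devices needing action, patient-critical devices first."""
    rows = []
    for d in inventory:
        hits, actions = triage(d, advisories)
        if actions:
            rows.append((d.name, d.critical, hits, actions))
    rows.sort(key=lambda r: (not r[1], r[0]))
    return rows

if __name__ == "__main__":
    for row in report(INVENTORY, ADVISORIES):
        print(row)
```

Matching on exact component versions only works if the inventory records third-party components at that granularity, which is why the inventory step asks for them explicitly.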

What can Abacode do to help?

Abacode is innovating the industry by providing a more comprehensive/single-view approach to IT and OT cybersecurity and compliance. We address IT and OT security challenges for our customers by providing:

Contact us to learn more about how we can help prevent these attacks from happening to your organization.