FBI Notifies Healthcare Companies Concerning the Risks of Unpatched and Out-of-Date Medical Devices

The Federal Bureau of Investigation (FBI) has issued a Private Industry Notification warning about the growing number of vulnerabilities in medical devices. When medical devices are not patched promptly or are running outdated software, malicious actors can exploit those vulnerabilities to gain access to sensitive patient data or to the systems the devices connect to. With that access, threat actors can carry out attacks that seriously disrupt the services of healthcare organizations. Medical devices are used to care for patients with conditions ranging from minor to critical, so attacks on them can cause serious injury to patients and even loss of life.

The FBI says that medical device vulnerabilities stem mainly from device hardware design and device software management. Running devices in their standard configuration commonly gives threat actors an opening to exploit vulnerabilities. Devices with customized software can be difficult to patch and typically require specialized procedures, which slows updates and leaves vulnerabilities unaddressed for longer, increasing the chance that they are exploited.

Medical devices were designed to perform specific functions, and security was never a consideration because the devices were not seen as a security risk. These devices are vulnerable, and when exposed to the Internet they give threat actors a quick way to gain access to the devices, alter their functions, or use them as a springboard to launch an attack on the organization.

The FBI cites a recent study which found that 53% of network-connected medical devices and other IoT devices used in hospitals have known critical vulnerabilities that have not been addressed, and that close to a third of healthcare IoT devices have a critical vulnerability that can affect the technical operation or function of the device. The devices in question include pacemakers, insulin pumps, mobile cardiac telemetry, intracardiac defibrillators, and intrathecal pain pumps.

A study indicates that medical devices have about 6.2 vulnerabilities each. Around 40% of medical devices that have reached end-of-life no longer receive security patches and software updates to resolve vulnerabilities, yet they usually remain in use despite the security risks.

Unpatched and out-of-date medical devices create opportunities for cyberattacks, so it is important that vulnerabilities are addressed and risk is reduced to a low and acceptable level. The FBI offers the following recommendations for improving the security of medical devices:

  • Ensure endpoint protection measures are in place, including antivirus software and endpoint detection and response (XDR) solutions.
  • Encrypt sensitive data.
  • Change all default passwords, use strong, unique passwords, and limit the number of login attempts allowed per user.
  • Maintain a detailed inventory of all devices, including patch status, software version, and any vendor-supplied software components used by the devices.
  • Plan to replace medical and IoT devices before they reach end-of-life.
  • Ensure vulnerabilities are patched promptly on all medical devices.
  • Run automated vulnerability scanning before connecting any new device to the network.
  • Train staff to reduce human error, including how to identify and report threats and the attacks that target staff such as phishing and social engineering, and add banners to email messages that originate from outside the organization.
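The inventory, patching and end-of-life recommendations above can be turned into a repeatable check. The following is an added example, not code from the FBI advisory or this article: it keeps the fields the advisory asks for (patch status, software version, end-of-life date, default-credential status) for each device and flags the ones that need action. The `latest_firmware` field, the finding names and all device data are constructed for illustration.

```python
# Added example (not from the FBI advisory or the article): a minimal device-inventory triage
# that records the fields the advisory asks for and flags devices needing action.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

@dataclass
class Device:
    asset_id: str
    firmware: str                # version currently running
    latest_firmware: str         # newest vendor release (assumed to be tracked in the inventory)
    end_of_life: Optional[date]  # vendor support end date, None if not announced
    default_creds: bool          # vendor default password still in use
    known_vulns: int             # unresolved findings from the last vulnerability scan

def triage(dev: Device, today: date, eol_warning_days: int = 365) -> List[str]:
    """Findings for one device; an empty list means no action is needed."""
    findings = []
    if dev.default_creds:
        findings.append("default-credentials")
    if dev.firmware != dev.latest_firmware:
        findings.append("outdated-firmware")
    if dev.end_of_life is not None:
        if dev.end_of_life <= today:
            findings.append("past-end-of-life")            # no more vendor patches: replace
        elif dev.end_of_life - today <= timedelta(days=eol_warning_days):
            findings.append("eol-within-warning-window")   # schedule replacement before EOL
    if dev.known_vulns > 0:
        findings.append(f"unpatched-vulns:{dev.known_vulns}")
    return findings

def summarize(inventory: List[Device], today: date) -> Tuple[Dict[str, List[str]], float, float]:
    """Per-device findings plus two fleet metrics of the kind the article quotes."""
    per_device = {d.asset_id: triage(d, today) for d in inventory}
    share_vulnerable = sum(1 for d in inventory if d.known_vulns > 0) / len(inventory)
    vulns_per_device = sum(d.known_vulns for d in inventory) / len(inventory)
    return per_device, share_vulnerable, vulns_per_device

# Constructed sample inventory and reference date (not real devices, versions or dates).
TODAY = date(2024, 1, 1)
INVENTORY = [
    Device("INF-001", "3.2.1", "3.2.4", date(2023, 6, 30), False, 2),  # infusion pump
    Device("TEL-002", "5.0.0", "5.0.0", date(2024, 9, 1), False, 0),   # cardiac telemetry
    Device("IMG-003", "12.1", "12.1", None, True, 3),                  # imaging workstation
    Device("PMP-004", "1.4", "1.4", date(2027, 1, 1), False, 0),       # pump base station
]

if __name__ == "__main__":
    findings, share, avg = summarize(INVENTORY, TODAY)
    print(findings, f"{share:.0%} of devices have unresolved vulnerabilities, {avg:.2f} per device")
```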

The FBI advisory, "Unpatched and Outdated Medical Devices Provide Cyber Attack Opportunities", and the full list of mitigation recommendations can be read at this link.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA