Last week, the FBI’s Internet Crime Complaint Center issued a public warning claiming that they have “identified an increasing number of vulnerabilities posed by unpatched medical devices.” They stated that these devices, such as insulin pumps and pacemakers, are running outdated firmware. They also lack adequate security features, meaning that hackers could change device settings and create dangerous conditions for the patients who literally depend on them. All of this isn't a new problem, but the FBI's notice is a good reminder of how law enforcement might focus its attention in this area.
The warnings brought to light several issues that are unique to this particular industry. First, many devices are often used for more than a decade, while their firmware isn’t often updated (if at all) and patches are few and far between. Many hospitals and medical practice groups aren’t proactive with maintaining the software environment — or don’t even consider this as part of their responsibility. And about a third of all connected devices have insecure defaults, such as no or weak password protection or poor software design, that make them ripe for exploits.
The FBI notice cited a series of cybersecurity reports that illustrate how dire things have gotten: Many devices have multiple vulnerabilities and 40% are nearing their end-of-life stage. Earlier this year, security researchers discovered that more than 100,000 infusion pumps were susceptible to two known vulnerabilities that were disclosed in 2019. The FDA recalled these pumps or components 16 different times over the past two years. Another report released last week found 89% of healthcare professionals surveyed have experienced at least one cyberattack in the last year, and many of these attacks caused treatment delays.
The FBI isn’t the only US federal agency concerned about this issue. Last year, we wrote about the Food and Drug Administration’s cybersecurity efforts and interviewed the then-interim director of medical device cybersecurity, Kevin Fu, who has since returned to academia. Fu was interviewed again earlier this summer; in that piece he said, “Device makers have to choose to improve,” and bemoaned the lack of operational technology (OT) medical device cybersecurity experts: “We have to help not just manufacturers, but also regulators and healthcare delivery organizations to get access to this specially-trained talent.”
In April, the FDA updated its guidance for medical device cybersecurity, a document last published in 2018, and it also pointed device makers to a November 2011 playbook with threat modeling suggestions. On the broader topic of improving healthcare cybersecurity, we have written about various medical-related phishing and identity-based scams and have other suggestions for staying vigilant.
Back to the FBI notice: They issued several common-sense recommendations, including using antivirus and other endpoint protection software, encrypting traffic coming and going to the device, changing to stronger passwords, and using policies to detect potentially exploited devices. Also, medical providers should perform regular vulnerability scans across their operational IT network before connecting any new device.