Attention Florida Healthcare Facilities: FBI Issues a Warning About Unpatched Medical Devices
Medical devices and other connected hospital equipment, for all their benefits, have long been known to feature some serious vulnerabilities that often invite threats in. This was recently addressed in a warning published by the FBI. Let’s consider what the warning says about the risks these medical devices face, and what our neighbors here in Florida should do to protect their patients and practices.
What Makes Some Medical Devices Such a Risk?
The risk comes from a combination of two factors: the critical role these devices play in patient care, and the unfortunate lack of security attention that many IoT (Internet of Things) devices, including those built for the medical field, receive over their long service lives.
One of our contemporaries here in Miami, cybersecurity expert William Hodges, summed up the issue quite succinctly:
“Wearable devices are often rushed to market, with little thought to cybersecurity. A company wants to beat others to market with that first IoT heart monitor or blood pressure cuff, yet the price they pay is often in cybersecurity vulnerability.”
This is Exactly the Issue the FBI’s Warning Addressed
In its private industry notification, Unpatched and Outdated Medical Devices Provide Cyber Attack Opportunities, the Federal Bureau of Investigation explores the threat. The core problem is a mismatch in lifespans: the hardware often stays in clinical use for decades, while the software that runs it is only safe to keep using if patches and updates are faithfully applied. Too often, that software keeps running unpatched, or is left running long after the vendor has stopped supporting it.
According to Hodges, the long lifespan was (at least initially) by design:
“Some medical devices are programmed and designed to last decades, and a hacker who couldn’t have breached the device ten years ago may have no problem doing so now.”
The addition of IoT devices also increases the complexity of many medical environments: a single hospital network can carry many different devices, each built to different standards, while the regulations that dictate how these devices must be configured and maintained remain thin.
This All Contributes to Some Frightening Stats from the FBI
You may be wondering what exactly a cyberattack that targets healthcare IoT devices could do. The FBI cites a few reports that make it only too clear how important it is for a healthcare organization to secure its entire network, including the IoT devices used in patient care.
For instance, a report compiled just this year identified the types of medical devices that are susceptible to these attacks, among them insulin pumps, intracardiac defibrillators, and pacemakers. Let me ask you this: how could you deliver proper patient care if a patient's insulin pump, defibrillator, or pacemaker were under a cybercriminal's control? Not well, I'd imagine, and all because the device itself wasn't properly patched and updated.
It gets worse, too: a 2021 report found an average of 6.2 vulnerabilities per medical device, and another report compiled in January of this year found that just over half (53%) of connected medical devices in hospitals had known critical vulnerabilities, and that roughly a third of healthcare IoT devices carry a critical risk that could affect the device's operation.
What the FBI (and We) Recommend
Whether you’re securing the medical devices that are directly administering patient care or trying to protect the data that these patients entrust to you, there are some steps that will prove effective as a means of reducing the risk of these impacts.
- Apply endpoint protection wherever the medical device supports it, whether that is a security agent or at least a natively installed antivirus. Where the device cannot run such software, verify its integrity whenever it is disconnected for service and again before it is reconnected to the network.
- Encrypt all medical device data, both in transit and at rest.
- Put every medical device under some form of endpoint detection and response (EDR) monitoring.
- Use sufficiently complex and unique passwords to access each medical device, and replace any default credentials the device shipped with.
- Implement an inventory management system that tracks every device and the software and firmware it runs, so that required maintenance (patches, updates, and end-of-support replacements) is performed in a timely manner.
- If a medical device carries a known vulnerability that cannot be patched and the device cannot be replaced, either quarantine it from the rest of the network or closely audit all of its network activity.
- Monitor your vendors' security advisories so that no vulnerability disclosure affecting your devices is missed.
- Scan every device for vulnerabilities and threats before adding it to the operational network.
- Train all employees to spot potential threats, especially phishing and social engineering attempts. This is another point that Hodges particularly supports, as it is both effective and inexpensive for a company to carry out.
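Several of the recommendations above (keep an inventory, track vendor support and patches, quarantine or monitor what cannot be fixed) only work if someone actually runs the check against the inventory on a schedule. As an added example, not code from the original article or from the FBI notification, here is a small Python triage script that does exactly that over a constructed inventory. The device names, vendors, dates, the 30-day patch deadline, and the isolated VLAN name are all assumptions made for the illustration.

```python
"""Medical device inventory triage (added example with constructed data).

Every record below is constructed for illustration: device identifiers,
vendors, dates, the patch deadline and the VLAN name are assumptions,
not data from the FBI notification or from any real facility.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

PATCH_SLA_DAYS = 30                        # assumed: apply vendor patches within 30 days
ISOLATED_SEGMENTS = {"med-iot-isolated"}   # assumed: VLAN reserved for quarantined devices


@dataclass
class Device:
    asset_id: str
    model: str
    vendor: str
    support_ends: Optional[date]      # vendor end-of-support date, None if unknown
    latest_patch: Optional[date]      # release date of the newest vendor patch
    patched_on: Optional[date]        # date that patch was applied, None if never
    segment: str                      # network segment the device sits on
    replacement_available: bool       # can the device be swapped for a supported one?


def assess(d: Device, today: date) -> str:
    """Classify a device's maintenance state from the inventory record."""
    if d.support_ends is None:
        return "unknown"              # inventory gap: ask the vendor, do not assume
    if d.support_ends < today:
        return "unsupported"          # no more patches will ever come for this device
    if d.latest_patch is not None and (d.patched_on is None or d.patched_on < d.latest_patch):
        age = (today - d.latest_patch).days
        return "patch-overdue" if age > PATCH_SLA_DAYS else "patch-pending"
    return "ok"


def recommend(d: Device, status: str) -> str:
    """Turn a status into the action the FBI-style guidance calls for."""
    if status == "unsupported":
        if d.replacement_available:
            return "replace"
        # cannot patch, cannot replace: isolate it, or watch it closely if already isolated
        return "monitor" if d.segment in ISOLATED_SEGMENTS else "quarantine"
    return {
        "patch-overdue": "patch now",
        "patch-pending": "schedule patch",
        "unknown": "contact vendor",
        "ok": "none",
    }[status]


def triage(inventory: List[Device], today: date) -> Dict[str, Tuple[str, str]]:
    """Map asset_id -> (status, action) for the whole inventory."""
    return {d.asset_id: (s, recommend(d, s)) for d in inventory for s in [assess(d, today)]}


def quarantine_list(inventory: List[Device], today: date) -> List[str]:
    """Devices that must be moved off the clinical network before the next shift."""
    return sorted(a for a, (_, act) in triage(inventory, today).items() if act == "quarantine")


# Constructed sample inventory and a constructed reference date.
TODAY = date(2022, 9, 20)
INVENTORY = [
    Device("INF-0001", "infusion pump", "VendorA", date(2026, 1, 1), date(2022, 8, 1),
           date(2022, 8, 10), "clinical-lan", True),
    Device("INF-0002", "infusion pump", "VendorA", date(2026, 1, 1), date(2022, 8, 1),
           None, "clinical-lan", True),
    Device("MON-0003", "patient monitor", "VendorB", date(2019, 12, 31), None,
           None, "clinical-lan", False),
    Device("TEL-0004", "telemetry gateway", "VendorB", date(2019, 12, 31), None,
           None, "med-iot-isolated", False),
    Device("IMG-0005", "imaging workstation", "VendorC", None, None,
           None, "clinical-lan", True),
    Device("PMP-0006", "intrathecal pump", "VendorA", date(2027, 6, 30), date(2022, 9, 10),
           None, "clinical-lan", True),
]

if __name__ == "__main__":
    for asset_id, (status, action) in triage(INVENTORY, TODAY).items():
        print(f"{asset_id:10} {status:15} {action}")
    print("quarantine today:", quarantine_list(INVENTORY, TODAY))
```

The value of the script is less in any single rule than in the fact that it is run from the inventory, not from memory: a device with no recorded end-of-support date is flagged as a work item rather than silently passing, an unsupported device is only allowed to stay on the network if it is already on the isolated segment, and the overdue list is what the patch window gets planned from. Feeding it from a real asset database and scheduling it daily turns the FBI's inventory and quarantine advice into something that actually produces a to-do list.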
We can help you accomplish all of this and more with our managed IT service offering. Learn more by giving us a call at (888) 548-9511.