A typical U.S. hospital has 10 to 15 medical devices per bed, so a 1,000-bed hospital can have about 15,000 medical devices, which considerably increases the attack surface. Medical devices include clinical IoT devices, imaging devices, and surgical devices. A threat actor can exploit a vulnerability in any of these devices, particularly in internet-connected ones, to gain access to the internal network and sensitive information.
The cyber-physical systems (CPS) security firm Claroty published the findings of a research study in its State of CPS Security Report: Healthcare 2023. According to that report, hospitals are not keeping their medical devices up to date. The researchers found that 63% of the vulnerabilities listed in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) Catalog are present on healthcare networks, and 23% are found in medical devices. In addition, 14% of medical devices run an unsupported or legacy operating system.
The research also found that 22% of hospitals have connected devices that bridge guest networks and internal networks, and 4% of the medical devices used in surgeries are reachable from hospital guest networks. Guest networks provide Wi-Fi access to visitors and patients; they are usually the least protected part of the environment and the worst place to connect a medical device. The researchers examined medical devices that are wirelessly accessible and found that many of them have high-consequence failure modes, such as robotic surgery systems, defibrillators, and defibrillator gateways. The share of devices that are remotely accessible was 40% of patient devices, 54% of surgical devices, and 66% of imaging devices.
The Exploit Prediction Scoring System (EPSS) is a data-driven system for estimating the probability that a software vulnerability will be exploited in the wild. The researchers analyzed devices with high EPSS scores and found that 10% of surgical devices and 11% of patient devices, such as infusion pumps, carry such vulnerabilities. Of the devices running outdated operating systems that were found to be vulnerable, 85% have high EPSS scores.
Updating medical devices is not easy. Because medical devices are in near-constant use, updating their software or firmware and applying patches means taking them out of service, even if only briefly. Hospitals must also contend with 360 medical device manufacturer (MDM) patch certification requirements to satisfy compliance prerequisites and confirm that products offer reasonable protection against threats. Although 93% of the critical vulnerabilities in CISA’s KEV Catalog can be remediated with an operating system update or vendor patch, it usually takes MDMs months to approve a patch before it can be applied to a given device. During that window, the devices remain exposed to attack. A further problem with protecting medical devices is that hospitals frequently lack a complete and up-to-date inventory of all medical devices connected to the network, and defenders cannot properly secure devices they cannot see.
Claroty gives the following suggestions to hospitals:
- Create cybersecurity policies and strategies that emphasize the need for resilient medical devices and systems that can withstand attacks.
- Restrict remote access to endpoints.
- Secure remote access with proper credential management.
- Enable multifactor authentication.
- Control third-party connections from contractors and vendors.
- Conduct regular and continuous vulnerability scanning of internet-facing assets.
Hospitals should have full visibility into the medical devices connected to their networks. Inventories should flag which assets are internet-facing. Defenders can then prioritize patching those assets, because they are the ones most likely to be attacked by threat actors. Doing the above can also help hospitals attain HIPAA certification.
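The following script is an added example, not code from Claroty or from the report discussed above. It shows how an inventory-driven prioritization of the kind described here (EPSS score, KEV membership, internet or guest-network exposure, legacy OS, and whether the MDM has validated a vendor patch) can be turned into a ranked work list and a few summary figures. The device inventory, the CVE identifiers (placeholders), the scoring weights, and the EPSS "high" threshold of 0.5 are all assumptions made for illustration; real deployments would take the inventory from an asset-discovery tool and the EPSS values from the published EPSS data.

```python
"""Risk-based prioritization of connected medical devices (illustrative example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed threshold for calling an EPSS probability "high"; the report does not define one.
EPSS_HIGH = 0.5


@dataclass
class Device:
    name: str
    category: str               # "patient", "surgical", or "imaging"
    cve: str                    # placeholder identifier, constructed for this example
    epss: float                 # EPSS probability of exploitation in the wild, 0..1
    in_kev: bool                # listed in CISA's KEV Catalog
    internet_exposed: bool      # reachable from the internet
    guest_reachable: bool       # reachable from the hospital guest Wi-Fi network
    legacy_os: bool             # runs an unsupported or legacy operating system
    vendor_patch_validated: bool  # MDM has certified a patch for this device


# Constructed sample inventory; values are illustrative only.
INVENTORY: List[Device] = [
    Device("infusion-pump-01", "patient", "CVE-PLACEHOLDER-1", 0.72, True, False, True, True, False),
    Device("ct-scanner-02", "imaging", "CVE-PLACEHOLDER-2", 0.35, True, True, False, False, True),
    Device("surgical-robot-03", "surgical", "CVE-PLACEHOLDER-3", 0.91, False, True, True, True, False),
    Device("defib-gateway-04", "patient", "CVE-PLACEHOLDER-4", 0.05, False, False, False, True, True),
    Device("mri-05", "imaging", "CVE-PLACEHOLDER-5", 0.12, False, True, False, False, False),
]


def remotely_accessible(d: Device) -> bool:
    """A device counts as remotely accessible if it is internet- or guest-network-reachable."""
    return d.internet_exposed or d.guest_reachable


def risk_score(d: Device) -> float:
    """Additive score; weights are assumptions chosen to rank exposure and exploit likelihood."""
    score = d.epss * 10            # likelihood of exploitation dominates
    if d.in_kev:
        score += 5                 # known to be exploited in the wild
    if d.internet_exposed:
        score += 3
    if d.guest_reachable:
        score += 2
    if d.legacy_os:
        score += 2                 # no OS vendor support, so fixes are harder to obtain
    return round(score, 2)


def recommended_action(d: Device) -> str:
    """Patch when the MDM has validated one; otherwise fall back to segmentation and access limits."""
    if d.vendor_patch_validated:
        return "apply validated vendor patch in next maintenance window"
    if remotely_accessible(d):
        return "isolate from guest/internet segments and restrict remote access until MDM validates a patch"
    return "monitor and track MDM patch validation"


def prioritize(devices: List[Device]) -> List[Tuple[str, float, str]]:
    """Return (name, score, action) tuples, highest risk first."""
    ranked = sorted(devices, key=risk_score, reverse=True)
    return [(d.name, risk_score(d), recommended_action(d)) for d in ranked]


def exposure_summary(devices: List[Device]) -> Dict[str, float]:
    """Percent of remotely accessible devices per category, plus legacy-OS and high-EPSS shares."""
    summary: Dict[str, float] = {}
    categories = sorted({d.category for d in devices})
    for cat in categories:
        members = [d for d in devices if d.category == cat]
        exposed = sum(1 for d in members if remotely_accessible(d))
        summary[f"remote_access_pct_{cat}"] = round(100.0 * exposed / len(members), 1)
    legacy = [d for d in devices if d.legacy_os]
    summary["legacy_os_pct"] = round(100.0 * len(legacy) / len(devices), 1)
    high_epss_legacy = sum(1 for d in legacy if d.epss >= EPSS_HIGH)
    summary["high_epss_pct_among_legacy"] = round(100.0 * high_epss_legacy / len(legacy), 1) if legacy else 0.0
    return summary


if __name__ == "__main__":
    for name, score, action in prioritize(INVENTORY):
        print(f"{score:5.1f}  {name:20s} {action}")
    for key, value in exposure_summary(INVENTORY).items():
        print(f"{key}: {value}%")
```

The ranking deliberately puts exploit likelihood (EPSS and KEV membership) ahead of raw severity, and the action column separates devices that can be patched now from those that need network segmentation while a vendor patch is still in certification; the summary figures are the same kind of per-category exposure and legacy-OS shares the report quotes, computed from the local inventory instead.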