63% of Known Exploited Vulnerabilities Are Found in Hospital Networks

by Ryan Coyne | Mar 23, 2024

A typical U.S. hospital has 10 to 15 connected medical devices per bed, so a 1,000-bed hospital can have roughly 15,000 of them, which considerably enlarges the attack surface. These devices include clinical IoT devices, imaging devices, and surgical devices. A threat actor can exploit a vulnerability in any of them, particularly in devices reachable from the internet, to gain access to the internal network and the sensitive data on it.

The cyber-physical systems (CPS) security firm Claroty published its findings in its State of CPS Security Report: Healthcare 2023. The report shows that hospitals are not keeping their medical devices up to date. The researchers found that 63% of the vulnerabilities listed in the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) Catalog are present on healthcare networks, and that 23% of medical devices carry at least one of them. A further 14% of medical devices run an unsupported or end-of-life operating system.

The research also found that 22% of hospitals have connected devices that bridge the guest network and the internal network, and that 4% of the devices used in surgery communicate over hospital guest networks. Guest networks provide Wi-Fi to visitors and patients and are usually the least protected segment, so they are the worst place to connect a medical device. When the researchers looked at devices that are wirelessly accessible, they found that many of them have a high consequence of failure, among them robotic surgery systems, defibrillators, and defibrillator gateways. The share of devices that are remotely accessible was 40% of patient devices, 54% of surgical devices, and 66% of imaging devices.

The Exploit Prediction Scoring System (EPSS) is a data-driven model that estimates the probability that a software vulnerability will be exploited in the wild. The researchers looked at devices carrying vulnerabilities with high EPSS scores and found that 10% of surgical devices and 11% of patient devices, such as infusion pumps, have them. Among devices running outdated operating systems that also have known vulnerabilities, 85% have vulnerabilities with high EPSS scores.

Updating medical devices is not easy. Because medical devices are in near-constant use, updating their software or firmware and applying patches means taking them out of service, however briefly. Hospitals also have to work within medical device manufacturer (MDM) patch certification processes to meet compliance requirements and confirm that a patched product still offers reasonable protection against threats. Although 93% of the critical vulnerabilities in CISA's KEV Catalog can be remediated with an operating system update or vendor patch, it usually takes MDMs months to approve a patch before it can be applied to a given device, and during that window the devices remain exposed. A further problem is that hospitals often do not have a complete, current inventory of every medical device connected to the network, and defenders cannot secure devices they cannot see.

Claroty offers hospitals the following recommendations:

  • Create cybersecurity policies and strategies that emphasize the need for resilient medical devices and systems that can withstand attacks.
  • Restrict remote access to endpoints.
  • Secure remote access with proper credential management.
  • Enable multifactor authentication.
  • Control third-party connections from contractors and vendors.
  • Conduct regular and continuous vulnerability scanning of internet-exposed assets.

Hospitals should have full visibility into the medical devices connected to their networks. Inventories should flag which assets are exposed to the internet, so that defenders can prioritize patching those first: they are the ones most likely to be attacked. Doing the above also helps hospitals demonstrate HIPAA compliance (HIPAA has no formal certification; an accurate asset inventory is a prerequisite for the risk analysis the Security Rule requires).
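As an added example (not code from this page or from Claroty), the following Python script applies the prioritization that the EPSS paragraph, the recommendations, and the inventory advice above describe: it joins a device inventory with CISA KEV membership and EPSS scores and weights the result by network exposure (internet-facing, guest-network bridge, remote access) and unsupported operating system. The feeds, the CVE identifiers, the device list, the end-of-life OS set, the weights, and the EPSS threshold are all constructed or assumed for illustration; in practice the KEV set comes from CISA's published KEV JSON feed and EPSS scores from FIRST's EPSS API, whose top-level field names the constructed feeds mirror.

```python
"""Rank connected medical devices for patching by joining an asset
inventory with CISA KEV membership, EPSS scores and network exposure."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample feeds (hypothetical CVE IDs, not real advisories).
# Field names mirror the live sources: the CISA KEV JSON lists entries
# under "vulnerabilities" with a "cveID"; FIRST's EPSS API returns
# "data" records with "cve" and a string "epss" probability.
KEV_FEED = {"vulnerabilities": [{"cveID": "CVE-2099-0001"},
                                {"cveID": "CVE-2099-0003"}]}
EPSS_FEED = {"data": [{"cve": "CVE-2099-0001", "epss": "0.91"},
                      {"cve": "CVE-2099-0002", "epss": "0.04"},
                      {"cve": "CVE-2099-0003", "epss": "0.72"},
                      {"cve": "CVE-2099-0004", "epss": "0.12"}]}

# Assumed set of end-of-life operating systems still seen on devices.
UNSUPPORTED_OS = {"Windows XP", "Windows 7", "Windows Server 2008"}
HIGH_EPSS = 0.5  # assumed threshold for a "high" exploitation probability


@dataclass
class Device:
    name: str
    category: str                       # imaging / surgical / patient / clinical_iot
    os: str
    cves: List[str]
    internet_exposed: bool = False
    remote_access: bool = False         # vendor or staff remote-access path
    guest_network_bridge: bool = False  # reachable from the guest Wi-Fi segment


# Constructed inventory; a real one would come from a CPS discovery tool.
INVENTORY = [
    Device("Infusion pump 4B", "patient", "Embedded Linux",
           ["CVE-2099-0002"], guest_network_bridge=True),
    Device("CT scanner 3", "imaging", "Windows 7",
           ["CVE-2099-0001"], remote_access=True),
    Device("Surgical robot OR-2", "surgical", "Windows 10",
           ["CVE-2099-0003"], remote_access=True, guest_network_bridge=True),
    Device("Telemetry gateway", "clinical_iot", "Windows Server 2008",
           ["CVE-2099-0004"], internet_exposed=True),
]


def load_kev(feed: dict) -> Set[str]:
    """Set of CVE IDs CISA has confirmed as exploited in the wild."""
    return {v["cveID"] for v in feed["vulnerabilities"]}


def load_epss(feed: dict) -> Dict[str, float]:
    """Map CVE ID -> EPSS probability in the range 0..1."""
    return {d["cve"]: float(d["epss"]) for d in feed["data"]}


def score_device(dev: Device, kev: Set[str],
                 epss: Dict[str, float]) -> Tuple[int, List[str]]:
    """Additive risk score plus the reasons behind it. The weights are
    assumed for illustration: confirmed exploitation (KEV) dominates,
    then predicted exploitation (EPSS), then how reachable the device is."""
    score, reasons = 0, []
    kev_hits = [c for c in dev.cves if c in kev]
    if kev_hits:
        score += 40
        reasons.append("in CISA KEV: " + ", ".join(kev_hits))
    worst_epss = max((epss.get(c, 0.0) for c in dev.cves), default=0.0)
    if worst_epss >= HIGH_EPSS:
        score += 20
        reasons.append(f"EPSS {worst_epss:.2f} >= {HIGH_EPSS}")
    if dev.internet_exposed:
        score += 20
        reasons.append("internet exposed")
    if dev.guest_network_bridge:
        score += 10
        reasons.append("reachable from guest network")
    if dev.remote_access:
        score += 5
        reasons.append("remote access enabled")
    if dev.os in UNSUPPORTED_OS:
        score += 5
        reasons.append(f"unsupported OS ({dev.os}); needs segmentation, not just a patch")
    return score, reasons


def prioritize(inventory: List[Device], kev_feed: dict = KEV_FEED,
               epss_feed: dict = EPSS_FEED) -> List[Tuple[int, str, List[str]]]:
    """Devices sorted highest-risk first, ties broken by name."""
    kev, epss = load_kev(kev_feed), load_epss(epss_feed)
    ranked = []
    for dev in inventory:
        score, reasons = score_device(dev, kev, epss)
        ranked.append((score, dev.name, reasons))
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return ranked


if __name__ == "__main__":
    for score, name, reasons in prioritize(INVENTORY):
        print(f"{score:3d}  {name:22s}  {'; '.join(reasons) or 'no flags'}")
```

Run as-is, the surgical robot ranks first even though it is not internet-facing: a KEV-listed vulnerability with a high EPSS score on a device that is remotely accessible and reachable from the guest network outranks an internet-exposed gateway whose only flaw has a low EPSS score. The weights are a starting point to tune, not a standard; the structure that matters is the join between inventory, KEV, EPSS and exposure.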

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.



Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world-class team of subject matter experts at ComplianceJunction in regulatory compliance to help organizations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow him on Twitter.
