There has been a 59% increase in vulnerabilities in medical devices and the software applications on which they run, according to recent research by the Health Information Sharing and Analysis Center (Health-ISAC), Finite State, and Securin.
Medical devices, such as pacemakers, infusion pumps, and monitoring systems, are used for monitoring patients and managing care. Vulnerabilities in these devices and the software on which the devices operate can therefore have serious consequences. If vulnerabilities are exploited, malicious actors could cause the devices to malfunction, which could disrupt patient care, result in delays to treatment, and put patients at risk. Threat actors could also exploit vulnerabilities to steal sensitive patient data or use the devices as a launchpad to attack the networks to which medical devices connect. Cybersecurity firms report that hacking groups, including ransomware gangs, are increasingly targeting vulnerabilities in their attacks on healthcare organizations.
The findings of the research were published in the 2023 State of Cybersecurity for Medical Devices and Healthcare Systems report. The researchers examined 966 medical products and identified 993 vulnerabilities, which represents a 59% increase in vulnerabilities since 2022. 160 of the vulnerabilities have already been weaponized and have Proof-of-Concept exploits in the public domain, 101 are trending in the wild, and 7 of the vulnerabilities are already being exploited by Advanced Persistent Threat (APT) groups such as BrownFox, EmissaryPanda, and others. Ransomware groups are exploiting 4 of the identified vulnerabilities. 43 of the identified vulnerabilities are remote code execution or privilege escalation flaws, which are actively sought by threat actors. That’s a 437% increase in RCE/PE flaws since 2022.
“Healthcare organizations must prioritize cybersecurity measures, employ robust cybersecurity practices, conduct regular risk assessments, and stay updated on the latest security threats and technologies to proactively protect against cyber threats,” said Phil Englert, Health-ISAC’s VP of Medical Device Security. “Health-ISAC focuses on enhancing cyber resilience within the global healthcare sector by facilitating collaboration, sharing threat intelligence, developing and sharing best practices, and providing resources and support to its members to build resilience within member organizations and the healthcare community as a whole.”
To address the problem and prevent medical device vulnerabilities from being exploited, healthcare organizations should conduct regular penetration tests and vulnerability scans to identify vulnerabilities that can be exploited. Identified vulnerabilities should be prioritized and patched promptly, and mitigations should be implemented when immediate patching is not possible. The report authors recommend using binary analysis tools to create a Software Bill of Materials (SBOM) for firmware and software, so that vulnerabilities in their components can be identified and addressed.