The U.S. Federal Bureau of Investigation has issued a warning that unpatched and outdated medical devices are providing cyberattack opportunities to hackers.

In a Private Industry Notification issued Sept. 12, the FBI said it has identified an increasing number of vulnerabilities from unpatched medical devices that run outdated software and lack adequate security features.

While noting that medical device hardware often remains active for 10 to 30 years, underlying software lifecycles specified by the manufacturer can range from a couple of months to maximum life expectancy, allowing threat actors lots of time to discover and exploit vulnerabilities. Legacy medical devices are said to contain outdated software because they don’t receive manufacturer support for patchers or updates, opening the door to attackers.

In addition to software issues, other medical devices were found to have vulnerabilities that include being set to a default configuration, making them easily exploitable. Devices with customized software were noted to be susceptible because of issues with vulnerability patching, along with devices that were not initially designed with security in mind.

The FBI recommends that healthcare providers identify vulnerabilities and increase employee awareness reporting. Providers should implement endpoint protection, such as antivirus software, encrypt medical device data while in transit and at rest and use endpoint detection and response and extended detection and response solutions.

Providers should also apply identity access and management, ensuring default passwords are changed and, if supported, limit the number of login attempts per user. Asset management, including maintaining an electronic management system, is also recommended, along with vulnerability management to mitigate vulnerabilities on operational medical devices.

“Unfortunately, there’s a still a huge lack of measures being taken at hospitals for security and the cybercriminals are taking full advantage of all the connected medical devices that are used within the facilities,” Szilveszter Szebeni, chief information security officer of encryption-based security solutions company Tresorit AG, told SiliconANGLE.

Noting that when buying medical equipment, the buying criteria focuses on how it can improve patients’ lives and help medical staff, Szebeni believes information technology security should be an essential part of the buying criteria as well. “Only then will manufacturers consider and prioritize security as a process that will enable hospitals and medical institutions to patch software rapidly and easily without risking any unexpected failures or massive breaches,” Szebeni said.

Melissa Bischoping, director and endpoint security research specialist at cybersecurity and systems management firm Tanium Inc., noted that the purchase and implementation of new medical technology must come with a plan for ongoing care and maintenance of the device that includes support for vulnerabilities.

“This kind of support and maintenance should include both the hardware, the software, and the server or workstation operating system that the software resides on,” Bischoping said. “For legacy devices still in production environments that are too costly to replace quickly, this underscores the need for network segregation and monitoring of the traffic to and from those devices. This is a massive technical debt problem that cannot be solved with risk acceptance or assuming that the devices are less connected because they are older.”

Photo: Defense.gov