23 percent of medical devices have an IT security vulnerability that is listed in the Known Exploited Vulnerabilities (KEV) catalog of the US cybersecurity agency CISA. That is the finding of researchers from the New York IT security company Claroty, which specializes in industrial and Internet of Things (IoT) applications. Almost two thirds (63 percent) of the vulnerabilities CISA lists in the catalog relate to networks such as those of hospitals or doctors' offices. The figures come from the “Healthcare 2023” report published by Claroty. Increasing networking has led to significant improvements in patient care, emphasizes Claroty head of research Amir Preminger. But it also requires an understanding of the associated vulnerability to attacks.
For the report, the experts analyzed vulnerabilities in medical devices and incidents that they and other scientists had observed, and condensed them into a situation report. Information and insights from trustworthy open sources such as the National Vulnerability Database (NVD) as well as databases from CISA and the Healthcare Sector Coordinating Council Working Group were included. The aim was to show how far critical medical devices, from imaging systems to infusion pumps, are networked, with a focus on the USA, and to shed light on the associated risks. In 2017, the US manufacturer St. Jude Medical had to update 450,000 pacemakers because they could be blocked via Wi-Fi. Many such devices are in use worldwide.
According to the results, 14 percent of the connected medical devices and systems covered are running operating systems that are no longer supported by the manufacturer or are at end of life. According to the study, “the vast majority” of these run Windows. But the range extends beyond Microsoft and includes Linux, mobile operating systems and outdated computers with Sun Solaris. 32 percent of the devices without support are imaging devices, including X-ray and MRI systems, which are essential for diagnosis and prescribed treatment. Surgical technical aids accounted for 7 percent.
Open wireless networks, remote access to critical systems
22 percent of the hospitals examined have routers in place that connect Wi-Fi hotspots for patients and visitors to internal networks. The researchers warn that attackers could quickly find and target some sensitive data on public Wi-Fi. Cybercriminals also often use such access as a bridge to internal networks where patient care devices are located. 4 percent of the surgical devices whose failure would be critical communicated via guest networks. 11 percent of patient devices such as infusion pumps and 10 percent of surgical devices contained security vulnerabilities that have a high probability of being exploited. The proportion is particularly high for operating systems that are no longer supported.
66 percent of the imaging devices, 54 percent of the surgical equipment and 40 percent of the devices used on patients were accessible remotely. These included defibrillators and associated gateways as well as robotic surgery systems, the failure of which could have fatal consequences. Not least because of numerous ransomware attacks on healthcare facilities, Preminger warned that hospitals and practices must develop policies and strategies “that emphasize the need for resilient medical devices and systems.” “Secure remote access, prioritization of risk management and segmentation” are essential.
(mack)