Medical devices are one of healthcare's biggest security challenges. A new FBI shows threat actors are increasingly targeting legacy devices. (Photo credit: "MRI" by Muffet is licensed under CC BY 2.0.)

Cyber threat actors are increasingly exploiting unpatched medical devices operating on outdated software and those with a lack of adequate security features, according to a new FBI private industry notification.

An increasing number of vulnerabilities have been identified on these vulnerable devices, where an exploit could impact data integrity and confidentiality, in addition to causing disruptions in operational functions and impacting patient safety.

For industry leaders, many of the listed medical device security risks may be familiar: hardware design and software management vulnerabilities, the use of standardized or specialized configurations, missing embedded security features, and the inability to upgrade those features. 

Further, some devices leverage customized software that requires special upgrading or patching procedures, which only compounds existing delays with patching in the healthcare environment. There is also the ecosystem to consider, often complex with a substantial number of devices.

“Medical device hardware often remains active for 10 to 30 years, however, underlying software life cycles are specified by the manufacturer, ranging from a couple months to maximum life expectancy per device allowing cyber threat actors time to discover and exploit vulnerabilities,” the alert reminds healthcare entities

For the FBI, the leading concerns center around legacy devices and the reliance on outdated software due to the lack of support, patches, or updates from manufacturers. As such, many devices are particularly vulnerable to cyberattacks.

Threat actors can easily exploit devices using default configurations and those not initially designed with security in mind. Citing several studies remarking on the prevalence of the targeting of devices, including insulin pumps, the FBI is urging healthcare providers to “actively secure medical devices, identify vulnerabilities, and increase employee awareness reporting.”

For John Riggi, American Hospital Association’s national advisor for cybersecurity and risk, the alert reiterates the need for Congress to pass the PATCH Act, lauded by industry stakeholders as an effort that would ensure medical device manufacturers implement increased cybersecurity requirements for their products to address longstanding reliance on outdated legacy tech.

Device vulnerabilities pose “a significant cyber risk to hospitals. In 2017, the FBI reported that the North Korean WannaCry global healthcare ransomware attack was fueled by vulnerabilities in medical devices,” Riggi said in a statement.

The PATCH Act would address many of the risks and vulnerabilities outlined in the FBI alert, requiring manufacturers to “monitor and identify post-market vulnerabilities in a timely manner, develop a plan for coordinated vulnerability disclosure, provide lifetime cybersecurity support of the device and provide an accounting of all software contained in the device,” he added.

While awaiting the progress from the proposed bill, healthcare entities should ensure their business associate agreements with medical device and tech vendors have bolstered cybersecurity requirements, explained Riggi. The Healthcare and Public Health Sector Coordinating Council shared a guide to medical technology model contract language in March.

The FBI recommendations outlined in its industry notice can support provider organizations with the needed policies and security measures to better defend against these common risks. The recommendations are broken down into endpoint protection, asset management, identity and access management, employee training, and vulnerability management. 

Healthcare entities are also encouraged to provide the FBI with feedback on the medical device insights.