According to a new report, the FBI has identified an increasing number of vulnerabilities posed by unpatched medical devices that run outdated software and by devices that lack adequate security features. Cyber threat actors who exploit medical device vulnerabilities adversely impact healthcare facilities' operational functions, patient safety, data confidentiality, and data integrity. Medical device vulnerabilities predominantly stem from device hardware design and from how device software is managed. Routine challenges include the use of standardised and specialised configurations, a substantial number of managed devices on the network, a lack of embedded security features in the devices, and the inability to upgrade those features.
This comes after research by Proofpoint and Ponemon found that ransomware attacks are delaying procedures and tests, resulting in poor patient outcomes and increased complications from medical procedures. Eighty-nine percent of the healthcare organisations surveyed experienced an average of 43 attacks in the past 12 months, almost one attack per week, the report finds. The most common consequences of attacks are delayed procedures and tests, which resulted in poor patient outcomes for 57% of the healthcare providers surveyed and in increased complications from medical procedures for nearly half.
The major technological innovations of the past decade (cloud adoption, big data, mobile apps and IoT) are all manifested in medical devices. As we think about medical device security, we must consider the entire software supply chain as part of the overall design. This can be achieved by making security part of the design process from the ideation phase onward, implementing best-in-class vulnerability management processes so that novel threats can be responded to quickly, and, above all, training employees to protect against phishing attacks. The healthcare industry has a very low margin of error, as any mistake can lead to poor patient outcomes. A zero-trust approach to security is needed so that we alleviate, rather than add to, the stress on an already overworked healthcare workforce.
Software in the medical domain has always taken a back seat, because medical procedures are considered more important than software procedures. In today's world, however, the gap between the two is closing. Software plays an increasingly important role as more medical devices run on software and become network-connected. This raises the question of how secure these devices are, and it can truly be a life-or-death issue: even small mistakes, or overlooking the standards and procedures already in place, can cost lives.
Security issues can arise for multiple reasons, from design flaws to a lack of accountability, including insufficient testing or preventive measures. Additionally, timely patching and having a patch management policy in place is a bigger challenge than ever, and even software companies are struggling with it. Software can be updated in several ways: one is to follow the regular update cycle; another is to have a process that allows intermediate updates to be pushed out between cycles. Ultimately, there has to be a strategy for staying safe from such bugs, either by updating the application to the latest safe version or by putting in place compensating controls that protect against the described attacks while waiting for the regular update cycle.
Patch management is one important aspect; the other is having a proper process in place and adhering to it. These process requirements should cover not only implementation but also significant testing against defined test plans, management of the supply chain, and defined procedures for everything from patch management to incident response. While there is a lot going on in terms of security in the medical domain, there is still a long way to go, and we need to catch up with the kinds of events now taking place.