HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

FBI Warns Healthcare Providers About Unpatched and Outdated Medical Device Risks

The Federal Bureau of Investigation (FBI) has issued a private industry notification warning about the rising number of vulnerabilities in medical devices. If medical devices are not promptly patched and are running out of date software, malicious actors could exploit vulnerabilities and gain access to sensitive patient data or the networks to which the devices connect. With a foothold in the network, threat actors could conduct attacks that adversely impact the operational functions of healthcare facilities. Medical devices are often used to sustain patients with mild to severe medical conditions and attacks on those devices have the potential to cause serious harm to patients and even result in the loss of life.

The FBI says vulnerabilities in medical devices predominantly stem from device hardware design and device software management. When medical devices are operated in the default configuration, that often provides threat actors with an opportunity to exploit vulnerabilities. Devices with customized software can be difficult to patch, often requiring specialized procedures, which can slow down updates and leave vulnerabilities unaddressed for longer, increasing the window of opportunity for vulnerabilities to be exploited.

Medical devices have been developed to perform specific functions, but security was never a consideration because the devices were not considered to be a security threat. These devices are vulnerable and if exposed to the Internet could provide threat actors with an easy way to gain access to the devices, alter their functionality, or use them as a springboard to launch an attack on an organization.

The FBI cites a recent study that suggests 53% of network-connected medical devices and other IoT devices used in hospitals have known critical vulnerabilities that have not been addressed, with around one-third of healthcare IoT devices having a critical vulnerability that could affect the technical operation or functionality of medical devices. These devices include insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, intrathecal pain pumps, and pacemakers.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Another study suggests medical devices have an average of 6.2 vulnerabilities per device, and more than 40% of medical devices that have reached end-of-life are no longer receiving security patches and software upgrades to correct vulnerabilities, but those devices often remain in use despite the security risks involved.

Unpatched and outdated medical devices provide cyberattack opportunities, so it is vital that vulnerabilities are addressed and risk is reduced to a low and acceptable level. The FBI has made several recommendations for improving the security of medical devices:

  • Ensure endpoint protection measures are implemented including antivirus software and endpoint detection and response (XDR) solutions
  • Use encryption for sensitive data
  • Change all default passwords and set complex, unique passwords, and limit the number of logins per user
  • Ensure an accurate inventory is maintained of all devices, including the patching status, software version, and any vendor-developed software components used by the devices
  • Develop a plan for replacing medical and IoT devices prior to reaching end-of-life
  • Ensure vulnerabilities are promptly patched on all medical devices
  • Conduct routine vulnerability scans before installing any new device onto the operating network
  • Train employees to help mitigate human risks, including teaching employees how to identify and report threats, the attacks that target employees such as social engineering and phishing, and add banners to emails that come from external sources.

The FBI alert – Unpatched and Outdated Medical Devices Provide Cyber Attack Opportunities – and the full recommendations for mitigating vulnerabilities can be viewed on this link.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.