Dive Brief:
- The FBI’s Internet Crime Complaint Center (IC3) has warned that medical devices that are outdated and/or lack appropriate safety features present cyber risks, affecting patient safety, personal data and hospital operations.
- IC3 said in a Monday report that, along with outdated software, devices may be vulnerable because of default settings that are easily exploited, customized software that requires special patches (which delays the arrival of safety features), and products that were built without cybersecurity in mind.
- The report recommends using endpoint protection such as anti-virus software and data encryption, changing default passwords, managing the assets that make up each device, and monitoring for vulnerabilities.
Dive Insight:
The healthcare industry has been a target of cyberattacks for years. Hospital operations have been disrupted by attacks, putting patient safety in jeopardy, and the U.S. Cybersecurity and Infrastructure Security Agency recently issued several safety alerts about medical devices.
Cyber experts have cautioned about the vulnerabilities of older legacy devices that run outdated software, some of which were built with little to no cyber protection in mind.
IC3 stated in the report that while device hardware can be used for as long as 10 or even 30 years, the underlying software life cycles are specified by manufacturers and can range from a few months to the full life expectancy of a device. This gives threat actors time to discover and exploit vulnerabilities.
“Legacy medical devices contain outdated software because they do not receive manufacturer support for patches or updates, making them especially vulnerable to cyber attacks,” the report stated.
The FBI recommends that medical device makers create an “electronic inventory management system” for medical devices and associated software that includes vendor-developed software components, operating systems, versions and model numbers.
Listing the components of a device, including its software components, has been a consistent suggestion for the device industry. The Food and Drug Administration requested a Software Bill of Materials (SBOM) in draft guidance for device makers in April. SBOMs are readable inventories of the components in a specific medical device, covering components from the manufacturer and from third parties.
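As an added illustration of the inventory the report describes (this is not code from the FBI, the IC3 report or this article), the check below walks a constructed SBOM-style inventory and reports software past vendor support, the years of hardware life left after that date, and devices still using default passwords; the record fields and all sample values are assumed.

```python
"""Added example, not from the FBI/IC3 report or this article: a minimal
electronic inventory check over constructed, SBOM-style device records. It
flags software whose manufacturer support has ended, how many years of
hardware life remain past that date (the gap the report describes), and
devices still on default credentials. The record layout is assumed."""
from datetime import date

# Constructed sample inventory; device names, software and dates are invented.
INVENTORY = [
    {"device": "infusion-pump-01", "hardware_eol": "2032-01-01", "default_creds_changed": True,
     "os": "Windows Embedded 7", "os_support_end": "2020-10-13",
     "components": [{"name": "PumpCtl", "version": "3.1", "support_end": "2019-06-30"}]},
    {"device": "ct-scanner-02", "hardware_eol": "2035-01-01", "default_creds_changed": False,
     "os": "Linux 5.10", "os_support_end": "2026-12-31",
     "components": [{"name": "ImageSuite", "version": "8.2", "support_end": "2027-01-01"}]},
    {"device": "monitor-03", "hardware_eol": "2030-06-30", "default_creds_changed": True,
     "os": "Linux 4.19", "os_support_end": "2024-12-31",
     "components": [{"name": "VitalsAgent", "version": "2.0", "support_end": "2025-06-30"}]},
]

def years_between(start_iso, end_iso):
    """Whole years from start to end (negative when end is earlier)."""
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    return (end - start).days // 365

def audit(inventory, today_iso):
    """Return (device, finding) tuples for every record that needs attention."""
    findings = []
    for rec in inventory:
        unsupported = []  # (label, support_end) for software past vendor support
        if rec["os_support_end"] < today_iso:  # ISO-8601 dates compare as strings
            unsupported.append((rec["os"], rec["os_support_end"]))
        for comp in rec["components"]:
            if comp["support_end"] < today_iso:
                unsupported.append((f"{comp['name']} {comp['version']}", comp["support_end"]))
        for label, ended in unsupported:
            gap = years_between(ended, rec["hardware_eol"])
            findings.append((rec["device"],
                             f"{label} unsupported since {ended}; ~{gap} years of hardware life remain"))
        if not rec["default_creds_changed"]:
            findings.append((rec["device"], "default credentials still in place"))
    return findings

if __name__ == "__main__":
    for device, finding in audit(INVENTORY, "2022-09-13"):
        print(f"{device}: {finding}")
```

In practice the inventory would be fed from the vendor-supplied SBOM and the device's asset record rather than hard-coded, and the findings would go to the same tracking system the report's monitoring recommendation relies on.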
While some experts contend that SBOMs will help identify potential vulnerabilities — in some cases allowing users like hospitals to know of threats in devices they were previously unaware of — others say that they could provide a hacker with the same information.
The report also recommends training on how to spot and report cyber risks, including attacks that target employees and insider threats from employees who are looking to cause harm.
As the FDA works to address cyber risks in devices even as attacks continue, experts have warned that the agency lacks the funding and a sufficient number of trained personnel to keep up with the threat.
Meanwhile, device makers are investing in cybersecurity measures, but there are still questions about whether the industry is addressing the issue with the appropriate level of caution.
ECRI, a nonprofit that evaluates medical devices for safety and efficacy, put cybersecurity at the top of its list of medtech hazards for 2022, reflecting the potential for vulnerabilities to harm patients.
But a recent survey of industry executives commissioned by the medtech security company Cybellum showed that while 99% of respondents said they had increased cybersecurity spending, 78% said they are doing the minimum to remain compliant and 80% said they view device security as a “necessary evil” enforced by regulators.