- Nurse call systems, infusion pumps and medication dispensing technologies are the riskiest medical devices with Internet connectivity, according to security company Armis.
- The conclusion is based on an analysis of common vulnerabilities and exposures (CVEs). Armis’ assessment found 39% of nurse call systems and 27% of infusion pumps have unpatched critical severity CVEs.
- The report comes as the U.S. Food and Drug Administration prepares to start requiring medical device makers to provide cybersecurity information as part of their pre-market submissions.
The Internet of Medical Things (IoMT) has enabled medical devices to transmit data and physicians to remotely adjust settings to tailor treatments. However, connecting medical devices to the Internet has also created cybersecurity risks, as is shown by the steady stream of reports of vulnerabilities that could allow hackers to access personal health data and interfere with treatment.
“Advances in technology are essential to improve the speed and quality of care delivery as the industry is challenged with a shortage of care providers, but with increasingly connected care comes a bigger attack surface,” Mohammad Waqas, principal solutions architect for healthcare at Armis, said in a statement.
Seeking to identify the devices that pose the biggest risks to healthcare systems, Armis analyzed data in its security platform. The analysis showed nurse call systems and infusion pumps have the highest number of unpatched critical severity CVEs.
Medication dispensing systems have far fewer so-called “critical severity” unpatched CVEs, at 4%, but are beset by less-severe problems. Armis found 86% of the systems have unpatched CVEs of any severity, compared to 48% of nurse call systems and 30% of infusion pumps.
Almost one-third, 32%, of the medication dispensing systems run on unsupported versions of Windows. Overall, 19% of devices are running unsupported versions of operating systems. Some medical devices have lifespans that far exceed the amount of time that software providers support operating systems, making outdated versions a key cybersecurity concern.