by John R. Fischer, Senior Reporter | September 28, 2022
To mitigate the rising number of identified cyber vulnerabilities, the FBI has issued new guidelines for providers to protect their unpatched medical devices.
Running on outdated software and lacking adequate security features, these devices are more susceptible to attacks that pose risks to healthcare operations, patient safety, and data privacy and integrity, said the agency in its report, “Unpatched and Outdated Medical Devices Provide Cyber Attack Opportunities.”
The majority of these flaws stem from hardware design and software management, with legacy devices especially at risk because manufacturers no longer provide patches or updates for their outdated software. More than 40% of devices at the end-of-life stage receive little to no security patches or upgrades, according to a 2021 research report cited by the agency.
“Routine challenges include the use of standardized configurations, specialized configurations, including a substantial number of managed devices on the network, lack of device embedded security features, and the inability to upgrade those features,” wrote the FBI.
According to 2021 and 2022 reports, 53% of connected and other Internet of Things (IoT) medical devices have known critical vulnerabilities, and approximately one-third have an identified risk that could affect technical operations and device functions.
Medical devices averaged 6.2 vulnerabilities each, and such flaws have resulted in recalls of pacemakers, insulin pumps and other critical devices. Other susceptible technologies include intracardiac defibrillators, mobile cardiac telemetry and intrathecal pain pumps, which attackers could manipulate to produce inaccurate readings or administer drug overdoses, among other dangerous actions.
For endpoint protection, the FBI recommends investing in antivirus software, integrity verification, encryption, and endpoint detection and response (EDR) and extended detection and response (XDR) solutions.
It also advises creating secure and more complex passwords; limiting login attempts; maintaining an electronic inventory management system for devices and associated software; and using inventories to track critical devices and maintenance timeframes.
When purchasing devices, providers should consider replacing equipment affected by attacks, says the agency. “If replacing the medical device is not feasible, take other mitigation precautions, such as isolating the device from the network or auditing the device’s network activities.”
Working with manufacturers helps, as does conducting independent security assessments before installing new devices onto operating networks. Employees should also be trained to identify and report potential threats.