FBI says majority of connected medical devices contain critical vulnerabilities

A majority of medical devices in the U.S. carry critical vulnerabilities that can result in “potential catastrophic impact to hospital operations and patient care,” according to a new Government Accountability Office report.

The report, published Thursday, says federal agencies are failing to provide healthcare providers and patients with adequate resources and information to address these flaws in medical devices.

Threat actors have not been widely known to exploit vulnerabilities in medical devices, according to the Department of Health and Human Services, but the GAO said it still considers such devices “a source of cybersecurity concern.”

Healthcare systems, patients and other key stakeholders have reported difficulties in understanding vulnerability communications from the federal government surrounding threats to medical devices, the report says.

According to the FBI, 53% of connected medical devices and internet of things devices in hospitals contain known critical vulnerabilities, and the average medical device contains more than six vulnerabilities. Critical medical devices – including pacemakers, insulin pumps, intracardiac defibrillators, mobile cardiac telemetry and intrathecal pain pumps – are the most affected.

The report details a potential scenario in which a threat actor gains unauthorized access to a healthcare provider’s computer network by exploiting a vulnerability and then takes command of a server to which a heart monitor is connected. The threat actor could manipulate permissions to take control of all heart monitors and power them off, putting patients at risk. The threat actor could then compromise other medical devices on the hospital network through a lateral attack.

The GAO found that medical devices commonly use insecure default configuration – such as factory settings or manufacturer administrative passwords, which can allow threat actors to gain unauthorized access, inject data and execute commands. The report also says that legacy devices built decades ago “may have not been designed with cybersecurity in mind” and as a result it “may be difficult to secure them in a modern environment.”

The GAO directed the Food and Drug Administration and the Cybersecurity and Infrastructure Security Agency to update a five-year-old agreement on security guidance for device manufacturers, public alerts regarding known vulnerabilities and more.

The report says that the agreement failed to address a variety of cybersecurity practices for medical devices and needs to be updated to reflect organizational and procedural changes.

Recent legislation has given the Food and Drug Administration the authority to establish cybersecurity requirements for medical devices. Medical device manufacturers are required to submit their plans to monitor, identify and address cybersecurity vulnerabilities for all new medical devices introduced to consumers as of March 2023. BankInfoSecurity