Healthcare IT vulnerabilities increased from 624 in 2022 to 993 this year

Researchers found that vulnerabilities for the software and firmware powering medical devices and other health IT applications increased significantly – and nearly four times as many of these vulnerabilities are being weaponized compared to last year.

The 2023 State of Cybersecurity for Medical Devices and Healthcare Systems report, a collaboration of the Health Information Sharing and Analysis Center with Securin and Finite State, examined the critical and high-rated vulnerabilities that put the underpinning software and firmware of connected medical devices and healthcare applications at greater risk than they have ever been before.

Researchers found that healthcare IT vulnerabilities increased from 624 in 2022 to 993 this year. Of these vulnerabilities, 160 are now weaponized, compared to 43 last year.

Why it matters
According to the report, released today, the evolving nature of cybersecurity threats that healthcare organizations face drives the need “to shed light on depth and breadth of challenges that exist to secure the healthcare ecosystem.”

The top recommendation coming out of this research analyzing credible public disclosures of cyber vulnerabilities specifically targeting medical devices, software applications and healthcare systems is to implement a regular penetration testing cadence or exposure assessment.

The report also offers recommendations on patching known risks, binary analysis to generate a software bill of materials for firmware products and mandating security by design.

The collaborators wanted “to emphasize the necessity of robust cybersecurity measures to safeguard sensitive medical data and ensure the continuity of essential healthcare services.”

They found that vulnerabilities crossed product types, with software applications accounting for 64% of vulnerabilities, hardware 27% and operating systems 9%.

While all the vulnerabilities disrupt essential health services, H-ISAC and its collaborators were quick to note that “vulnerabilities in healthcare hardware can pose serious risks, including compromised patient care, operational disruptions and loss of trust.”

The research assessed a total of 117 medical device and healthcare application vendors along with their 966 products. Healthcare devices were divided into classes by risk level:

• Low-risk devices that have minimum potential to cause patient harm.
• Moderate-risk devices that require more stringent regulation.
• High-risk devices that sustain or support patient life.

After classifying healthcare IT – healthcare operations software, applications and infrastructure – separately, researchers determined it is the category with the largest number of vulnerabilities at 741. Class 2 followed further behind with 292 vulnerabilities, and a subset within moderate-risk medical devices – medical monitoring/telemetry – accounted for 129 vulnerabilities. Researchers counted 25 Class 1 medical device vulnerabilities and two in Class 3.

They also looked at advanced persistent threat group associations and ransomware associations.

These are the key research findings:

• 993 vulnerabilities span 966 healthcare IT products, representing a 59% increase from 2022.
• 160 vulnerabilities are weaponized, meaning they have a working proof of concept that demonstrates how an attacker could exploit them.
• 43 vulnerabilities are categorized as Remote Control Execution/Privilege Escalation exploits, up 437%.
• Seven vulnerabilities are exploited by Advanced Persistent Threat Groups, and four of these are associated with ransomware.

The larger trend
The American Hospital Association and other organizations have been calling for greater federal support for cyberterrorism.

“Defending against these types of attacks is a critical public health and safety issue that should not be solely shouldered by private-sector organizations given the impact on national security,” Stacey Hughes, executive vice president of government relations and public policy for AHA, wrote to Sen. Mark Warner, D-Va., after he published his Cybersecurity is Patient Safety policy paper.

With the passage of the 2022 Omnibus Appropriations Act, the U.S. Food and Drug Administration has legislative authority over medical device manufacturers.

The health tech industry still needs to work through creating SBOMs, said MITRE’s Matt Weir, principal cybersecurity engineer, and Medtronic’s Matt Russo, senior director of product security, during a medical device security webinar NetSPI hosted in April.

Meanwhile, if it’s feasible, there should be one team dedicated to scanning devices as a centralized function with a distributed model, Curt Blythe, director of product security at Abbott, advised.

On the record
“The danger of cyber attacks targeting healthcare is very real,” H-ISAC and its collaborators said in the 2023 State of Cybersecurity for Medical Devices and Healthcare Systems.

“As the healthcare industry continues to digitize, cyber threats are becoming increasingly sophisticated, putting the privacy and safety of patients at risk,” said Kiran Chinnagangannagari, CTO of Securin, in a statement.

“Our research unveils a disturbing year-over-year increase in firmware vulnerabilities within connected medical products and devices, underscoring an urgent need for robust software supply chain security,” said Larry Pesce, director of product security research and analysis at Finite State. “The rise of weaponized exploits demands immediate, collective action to safeguard not only our technological integrity but, ultimately, patient safety.” Healthcare IT News