The FBI is warning the healthcare industry of risks associated with unpatched and outdated medical devices.
Medical device hardware often remains active for 10-30 years; however, the underlying software life cycle is specified by the manufacturer and ranges from a couple of months to the maximum life expectancy of the device, which gives cyber threat actors time to discover and exploit vulnerabilities. Legacy medical devices contain outdated software because they no longer receive manufacturer support for patches or updates, making them especially vulnerable to cyber attacks. In addition to outdated software, many medical devices also exhibit the following vulnerabilities:
Devices used with the manufacturer’s default configuration are often easily exploitable by cyber threat actors.
Devices with customized software require special upgrading and patching procedures, which delays the application of vulnerability patches.
Devices not initially designed with security in mind, because they were presumed not to be exposed to security threats.
Leaders at Tanium shared their insights on the risk and how organizations can protect themselves.
Melissa Bischoping, Director, Endpoint Security Research Specialist, Tanium:
“It's imperative that medical professionals, healthcare IT staff, and medical hardware and software developers think of their systems much like the human practice of medicine. You must have preventative care in the form of updates and ongoing maintenance of the devices, acute treatment in the form of security patches, as well as emergency triage and care in the face of critical vulnerabilities and zero days. The purchase and implementation of new medical technology must come with a plan for ongoing care and maintenance of the device that includes support for vulnerabilities. Importantly, this kind of support and maintenance should include both the hardware, the software, and the server or workstation operating system that the software resides on.
For legacy devices still in production environments that are too costly to replace quickly, this underscores the need for network segregation and monitoring of the traffic to and from those devices. This is a massive technical debt problem that cannot be solved with risk acceptance or assuming that the devices are less connected because they are older. Step one requires visibility of what devices you have - it's the core principle of "you cannot protect what you don't know exists". Vendors must take responsibility and be held accountable to work with customers and provide clear, concrete guidance on exactly what network connections or security permissions are essential for functionality, what upgrades are available, and what paths forward exist for end-of-support hardware or software.
Medical providers must prioritize the budget, technical staffing, and planned upgrades to implement those security controls and maintenance as a critical human safety initiative.”
Christopher Hallenbeck, CISO, Americas, Tanium:
“Unless the FBI has run out of consequential things to do, they didn't write this out of boredom. Items like this that are notably missing a direct tie to threat actors and only talk about vulnerabilities suggest the FBI may be aware of threat actor interest through more sensitive intelligence reporting.
A P.I.N. (Private Industry Notification) is a "soft warning" intended to come well in advance of any anticipated adversary action. More strident, "multiple seal" (CISA, FBI, NSA) warnings tied to statements of adversary activity or intent will come out should the adversaries begin to make concrete moves in that direction. This is a "plan now and take action sooner rather than later" warning.
Arguably, healthcare facilities are caught in a Twilight Zone of Indecision due to worry of legal liability and/or regulatory entanglements.”
Shawn Surber, VP of Solutions Architecture and Strategy, Tanium:
“If we want to get a little aggressive in our response, I would add that there is an accountability problem in the medical device space in healthcare. In many cases, hospitals are not allowed - or believe that they're not allowed - to update, patch, or secure medical devices in their environment. Similarly, manufacturers have significant regulatory requirements for their software updates, which makes those updates infrequent and limited in scope.
While patient safety must remain the top priority, the lack of updates on medical devices is creating an unacceptable level of risk to the entirety of hospital environments that must be addressed.”