1 in 5 Connected Medical Devices Run On Unsupported Operating Systems

What’s more, nearly 40 percent of analyzed nurse call systems had critical severity unpatched vulnerabilities, Armis found.


By Jill McKeon

New data from asset visibility and security company Armis found that 1 in 5 connected medical devices run on unsupported operating systems (OS). To inform its research, Armis analyzed data collected by its Asset Intelligence and Security Platform, which tracks more than 3 billion assets.

As previously reported, outdated operating systems remain a top medical device security challenge as healthcare organizations continue to rely on legacy devices. As old Windows versions get phased out, devices may not be receiving key security updates.

In healthcare, many medical devices remain in use for a decade or longer. Replacing expensive devices every time an operating system goes out-of-date is not a sustainable strategy, but vulnerable devices may leave organizations open to increased security risks.

The report also found nurse call systems to be the riskiest type of Internet of Medical Things (IoMT) device. Nurse call systems let patients and providers stay in communication on the hospital floor.

According to Armis data, 39 percent of analyzed nurse call systems have critical severity unpatched Common Vulnerabilities and Exposures (CVEs), and 48 percent of nurse call systems have unpatched CVEs of varying severity levels.

Infusion pumps and medication dispensing systems followed behind nurse call systems, with 27 percent and 4 percent having critical severity unpatched CVEs, respectively. It is important to note that 86 percent of medication dispensing systems had unpatched CVEs, beyond just the critical severity vulnerabilities. Even low-to-medium-severity vulnerabilities may cause disruptions in care.

What’s more, 32 percent of medication dispensing systems run on unsupported versions of Windows, Armis discovered, further exemplifying the prevalence of outdated operating systems in medical environments.

In terms of traditional IoT devices, Armis found IP cameras, printers, and VoIP devices to be among the riskiest devices in clinical environments.

“These numbers are a strong indicator of the challenges faced by healthcare organizations globally. Advances in technology are essential to improve the speed and quality of care delivery as the industry is challenged with a shortage of care providers, but with increasingly connected care comes a bigger attack surface,” Mohammad Waqas, principal solutions architect for healthcare at Armis, said in a press release.

“Protecting every type of connected device, medical, IoT, even the building management systems, with full visibility and continuous contextualized monitoring is a key element to ensuring patient safety.”

In addition to recently passed legislation that will set stricter guidelines for the security of medical devices, healthcare organizations should consider network segmentation and zero trust strategies to mitigate risk.