
FBI Warns of Patient Safety, Security Risks Associated With Legacy Medical Devices

Unpatched and legacy medical devices can negatively impact a healthcare facility’s operational functions, patient safety, and data security, the FBI warned.


By Jill McKeon

The Federal Bureau of Investigation (FBI) released a notice outlining the security and patient safety risks associated with unpatched and legacy medical devices.

The FBI has observed a recent uptick in medical device vulnerabilities. Threat actors can exploit outdated software and weak security features in medical devices to carry out cyberattacks.

The notice emphasized the potential negative impacts of a healthcare cyberattack, including operational disruptions, risks to patient safety, and the potential for diminished data security and integrity.

“Medical device vulnerabilities predominantly stem from device hardware design and device software management,” the notice stated.

Healthcare organizations face a variety of challenges when it comes to securing medical devices. Many organizations struggle to maintain an inventory of all the devices on their networks. In addition, legacy devices are prone to outdated security controls and often use default configurations that may be easily exploitable.

“Medical device hardware often remains active for 10-30 years; however, underlying software life cycles are specified by the manufacturer, ranging from a couple of months to maximum life expectancy per device, allowing cyber threat actors time to discover and exploit vulnerabilities,” the FBI noted.

“Legacy medical devices contain outdated software because they do not receive manufacturer support for patches or updates, making them especially vulnerable to cyber attacks.”

The FBI recommended that organizations employ endpoint protection and encrypt medical device data while in transit and at rest. Additionally, organizations should prioritize identity and access management by ensuring that each medical device has a complex and secure password.

The notice also stressed the importance of asset management, vulnerability management, and employee training to reduce risk. Specifically, the FBI suggested that organizations maintain an electronic inventory management system, work with manufacturers to mitigate vulnerabilities, and educate employees on how to identify and report potential threats.
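The asset and vulnerability management practices above only work if the inventory records the facts that make a device legacy: when manufacturer software support ends, whether factory default configurations are still in place, and when it was last patched. The following is an added example, not code from the FBI notice or from the article, showing how an electronic inventory can be triaged against those factors so that out-of-support devices and default credentials surface first. The device records, the finding weights and the 180-day stale-patch threshold are all constructed assumptions for illustration.

```python
"""Triage a medical-device inventory for the risk factors the FBI notice names:
out-of-support (legacy) software, default configurations, missing patches and
incomplete inventory records. Hypothetical example; all devices are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Device:
    asset_id: str
    model: str
    hardware_install: date
    software_support_end: Optional[date]  # None = manufacturer end-of-support not recorded
    default_credentials: bool             # factory password / default configuration still in place
    last_patch: Optional[date]            # None = never patched / unknown


# Assumed weights for turning findings into one priority number (used only for ordering)
WEIGHTS = {
    "legacy_unsupported": 50,
    "default_credentials": 40,
    "support_status_unknown": 25,
    "stale_patch": 15,
    "patch_history_unknown": 10,
}

STALE_PATCH_DAYS = 180  # assumption: a supported device unpatched longer than this is stale


def assess(device: Device, today: date) -> List[str]:
    """Return the list of findings for one device, in a fixed order."""
    findings: List[str] = []
    if device.software_support_end is None:
        findings.append("support_status_unknown")
    elif device.software_support_end < today:
        findings.append("legacy_unsupported")
    if device.default_credentials:
        findings.append("default_credentials")
    # Patch currency is only meaningful while the manufacturer still ships patches;
    # a legacy device will never receive one, so its remediation is replacement or isolation.
    if "legacy_unsupported" not in findings:
        if device.last_patch is None:
            findings.append("patch_history_unknown")
        elif (today - device.last_patch).days > STALE_PATCH_DAYS:
            findings.append("stale_patch")
    return findings


def score(findings: List[str]) -> int:
    """Sum the weights of the findings into a single priority score."""
    return sum(WEIGHTS[f] for f in findings)


def triage(devices: List[Device], today: date) -> List[Dict]:
    """Score every device and return the inventory highest-risk first."""
    rows = []
    for d in devices:
        f = assess(d, today)
        rows.append({
            "asset_id": d.asset_id,
            "model": d.model,
            "hardware_age_years": (today - d.hardware_install).days // 365,
            "findings": f,
            "score": score(f),
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample inventory (hypothetical devices, not real products)
TODAY = date(2022, 9, 15)
INVENTORY = [
    Device("INF-001", "infusion pump (hypothetical model A)", date(2008, 3, 1), date(2015, 12, 31), True, date(2015, 6, 1)),
    Device("MON-014", "patient monitor (hypothetical model B)", date(2019, 5, 20), date(2026, 5, 20), False, date(2022, 8, 30)),
    Device("IMG-003", "imaging workstation (hypothetical model C)", date(2012, 1, 10), None, False, date(2021, 11, 2)),
    Device("VEN-007", "ventilator (hypothetical model D)", date(2017, 9, 1), date(2027, 9, 1), False, date(2022, 1, 15)),
]

if __name__ == "__main__":
    for row in triage(INVENTORY, TODAY):
        print(f"{row['asset_id']:8} score={row['score']:3} age={row['hardware_age_years']:2}y findings={row['findings']}")
```

In the constructed inventory the 14-year-old infusion pump, which is both out of support and still on factory credentials, ranks first; the workstation with no recorded support date ranks next because an unknown support status cannot be treated as safe. A device that is supported and recently patched produces no findings, which is the state the inventory should be driven toward.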

The American Hospital Association’s (AHA) national advisor for cybersecurity and risk, John Riggi, underscored the need for medical device security legislation in a statement following the FBI’s notice.

Specifically, Riggi called attention to the AHA’s letter of support for the Protecting and Transforming Cyber Health Care (PATCH) Act, which was introduced in April.

“The pending legislation would require medical device manufacturers to monitor and identify post-market vulnerabilities in a timely manner, develop a plan for coordinated vulnerability disclosure, provide lifetime cybersecurity support of the device and provide an accounting of all software contained in the device, including third party software,” Riggi explained.

“In the interim, it is good practice to increase cybersecurity requirements in medical device and medical technology business associate agreements.”