Healthcare IoT, Medical Device Vulnerability Disclosures Skyrocket

March 04, 2022 - Healthcare IoT, IT, and medical device vulnerability disclosures have increased in recent years, signaling a need for better industrial control system (ICS) security, a new report by Claroty found. Researchers found that ICS vulnerability disclosures grew by 110 percent over the last four years, with a 25 percent increase in the latter half of 2021 alone.

Over 30 percent of the disclosed vulnerabilities impacted IoT, IT, and medical device assets, underscoring the need for vulnerability management to reduce exposure. The report suggested that the ongoing shift toward highly connected cyber-physical systems created a paradigm of the “Extended Internet of Things” (XIoT).

“The Extended Internet of Things (XIoT) is an umbrella term that captures the cyber-physical systems critical to our lives,” the report stated.

“Connected devices, operational technology, healthcare systems, and much more are rapidly connecting online and to the cloud, not only for security management, but for data analysis, performance tracking and enhancement, and much more. Those efficiencies are appealing to line-of-business owners, and it’s the job of asset owners and security teams to secure those connections. This is a challenge on many fronts.”

More than 60 percent of the observed disclosed vulnerabilities could be exploited remotely by a threat actor, Claroty found. However, the percentage of locally exploitable vulnerabilities fell to 31 percent in the second half of 2021, showing an increasing trend in remote cyberattacks.

Third-party companies disclosed half of the observed vulnerabilities, and a majority of those vulnerabilities were discovered by researchers from cybersecurity companies. Internal vendor vulnerability disclosures grew by 76 percent over the past four years, signifying a positive shift toward increased threat sharing and a focus on vulnerability research.

“While the volume of headline-grabbing attacks dwindled in the second half of 2021 compared to the first six months, those incidents will only fuel the eventual prioritization of XIoT cybersecurity among decision makers,” the report predicted.

“This indicates that organizations will merge OT, IT, and IoT under converged security management, and that OT and ICS will no longer be their own walled-off disciplines. Therefore, asset owners and operators must have a thorough snapshot of their environments in order to manage vulnerabilities and lessen their exposure.”

Researchers found that remote code execution was applicable in 53 percent of the vulnerabilities, followed closely by denial-of-service (DoS) conditions, bypassing protection mechanisms, and allowing the adversary to read application data.

“Defenders must understand what threat vectors are most exploited by attackers targeting industrial networks and IoT devices,” the report urged.

“Proper visibility into where vulnerabilities are found allows organizations to adequately patch or mitigate issues in software and firmware putting networks and processes at risk.”

It is crucial that organizations remain aware of the latest vulnerabilities, but it is also critical to implement security controls to counter the vulnerabilities as well. To combat these cyber threats, most of the vulnerability disclosure reports recommended network segmentation, along with traffic restriction and ransomware and phishing protection.

Healthcare organizations should prioritize patching or replacing legacy devices and implementing security controls to mitigate risk.