Researchers Observe 59% Spike in Medical Device Security Vulnerabilities

August 17, 2023 - Security vulnerabilities in medical devices and the software applications that support them continue to pose a significant threat to healthcare, the Health Information Sharing and Analysis Center (Health-ISAC) underscored in a new report issued alongside Finite State and Securin.

The joint research report, entitled “2023 State of Cybersecurity for Medical Devices and Healthcare Systems,” examined 993 vulnerabilities within 966 medical products in devices, signifying a 59 percent year-over-year increase from 2022.

Software applications, including those that medical devices depend upon to function, accounted for 64 percent of the vulnerabilities found.

“Healthcare applications are crucial for managing patient care, appointment scheduling, and accessing medical records. Many medical devices (such as infusion pumps, pacemakers, and monitoring systems) also rely on software applications,” the report noted.

“Therefore, vulnerabilities in these applications can enable attackers to disrupt essential healthcare services, leading to delayed treatments or compromising the functionality of medical devices, potentially endangering patients’ lives.”

Hardware vulnerabilities accounted for 27 percent of the researched vulnerabilities, and operating systems followed at 9 percent. Cybersecurity vulnerabilities in any area of healthcare can be detrimental to patient care and could result in data breaches, making vulnerability management crucial.

“Tools such as hardware are indispensable in the healthcare sector. These aid in patient care, diagnosis, treatment, and monitoring,” the report added. “From everyday computers to life-support systems, hardware improves medical capabilities and patient outcomes. However, vulnerabilities in healthcare hardware can pose serious risks, including compromised patient care, operational disruptions, and loss of trust.”

What’s more, 160 of the observed vulnerabilities had been weaponized, meaning that they have working Proof of Concept exploits. Seven of the vulnerabilities have been used by advanced persistent threat (APT) groups such as EmissaryPanda and BrownFox to target victims.

“State-sponsored actors are persistently going after key infrastructure and the Healthcare industry has been no exception. Research indicates that some vulnerabilities previously exploited by APT groups are still present within vendor products and pose a greater risk given they have been proven already. Four of the vulnerabilities are associated with APT1 or the BrownFox group, a Chinese-sponsored actor in existence since 2006,” the report stated.

“The remaining three vulnerabilities are exploited by numerous APT groups. This is particularly concerning, as medical device vendors could face regulatory investigations from the FDA, civil lawsuits, and product liability claims for non-compliance with cybersecurity standards and endangering device safety.”

As regulatory pressures increase, more device manufacturers and research firms are devoting resources toward detecting and mitigating cybersecurity vulnerabilities. Proactively addressing cyber risk, rather than confronting it reactively, can help organizations prevent cyberattacks and reduce network access points for threat actors.

“As the healthcare industry continues to digitize, cyber threats are becoming increasingly sophisticated, putting the privacy and safety of patients at risk,” said Kiran Chinnagangannagari, CTO of Securin, in an accompanying press release. “It is important to understand and address these risks head on, to protect patients’ data and well-being.” 

The three authoring organizations recommended that healthcare organizations focus on implementing a regular penetration testing cadence to identify possible exposures. In addition, organizations were encouraged to prioritize vulnerability patching and employ binary analysis tools to generate Software Bill of Materials (SBOM) and uncover potential vulnerabilities.

Building a more resilient healthcare ecosystem requires security buy-in from manufacturers, healthcare organizations, and the providers that use these devices to administer care.