
The Unhealthy State of Medical Device Risk Management

Don Sears, Senior Cybersecurity Editor | September 12, 2024

You know the old joke. A man goes to the doctor, lifts his arm up high, and says, “Doc, it hurts when I do this.”

The doctor’s answer? “Stop doing that.”

If only it were so simple to secure medical devices. We’re not going to stop using those innovations that monitor, save or protect lives. But for CISOs managing the risk of all the connected devices and software used in hospitals, clinics, labs and medical research facilities, the situation is daunting.

The last year has been especially tough on healthcare because of ransomware. There were several major attacks on hospital networks and payers in 2024, including the attack on Change Healthcare, owned by UnitedHealth. In a recent quarterly filing, UnitedHealth reported “unfavorable cyberattack effects” of $872 million.

Key Facts About Healthcare Security and Medical Device Risk Today

  • EY:
    • Breaches account for more than 12% of an organization’s overall annual spend on cybersecurity
    • They take up to eight months to detect and resolve
  • IBM:
    • Healthcare has one of the highest data breach costs of all industries
    • The average cost of a healthcare breach increased 53% to nearly $11 million in 2023
  • Forescout Research – Vedere Labs:
    • IoT devices, including IoMT assets, had a 136% increase in vulnerabilities in a year
    • In 2022, we discovered 7,000 exposed medical systems on the internet, including PACS, healthcare integration engines, electronic health records, medication dispensing systems, and medical image printers
    • In 2024, we found 225 medication dispensing systems exposed to the internet – up 23% from 2022

Need help today? Get your free copy of Gartner’s latest vendor report “2024 Gartner® Market Guide for Medical Device Risk Management Platforms”.*

What About ISO 14971? Can’t Medical Devices Be Made More Secure?

According to Wipro, the ISO 14971 risk management standard requires a manufacturer to establish, document and maintain a risk management process for:

  • Reviewing the intended use (intended purpose) of the medical device
  • Identifying hazards (known and foreseeable)
  • Estimating the probability of occurrence of harm

Risk management is regulation today, so organizations must comply. ISO 14971 is primarily focused on product safety, but because it applies to the entire lifecycle of a device – including the end of life – cybersecurity risk is in play.

However, several other standards and frameworks are also in play:

  • ISO 30111:2013, Information Technology – Security Techniques – Vulnerability Handling Processes
  • ISO 29147:2014, Information Technology – Security Techniques – Vulnerability Disclosure
  • NIST Cybersecurity Framework 2.0

Healthcare CISOs, however, may be less concerned with a manufacturer’s risk management process. Their job is to protect their hospital networks and secure their medical devices from becoming entry points for career-destroying events. Attackers don’t care about ‘harm’ or compliance or standards or lifecycles. The financial incentives in ransomware today are unfathomable. The Change Healthcare ransomware attack resulted in a $22 million ransom paid to the attackers, and the stolen data was still not fully recovered, according to The HIPAA Journal.

Attackers often use ignored, unpatched or end-of-life assets to infiltrate. See how we demonstrated a proof-of-concept attack (R4IoT) that starts with an IP camera (IoT), moves to a workstation (IT) and disables PLCs (OT) in this video.

Why Are Medical Devices So Vulnerable?

In 2022, Vedere Labs published “Internet Exposure of Medical Devices and Systems” which went beyond vulnerabilities to show systemic medical device risk on the open internet.

There are four common issues that lead to vulnerabilities being found or remaining unpatched in medical devices:

  1. Devices used with a default configuration are easily exploitable.
     Many medical devices have default open ports or credentials when they are configured by a manufacturer, and sometimes these are not changed when deployed in healthcare organizations. For the Access:7 research, we identified medical devices that were shipped with a configuration agent still present and whole product lines sharing hardcoded credentials for remote access.

  2. The lifespan of medical devices gives threat actors ample time to find and exploit vulnerabilities.
     Medical devices are used in organizations for up to 30 years (or longer), which not only gives time to find vulnerabilities, but also means the code running on them is potentially decades old. In the NUCLEUS:13 research, we found vulnerabilities in a software component used in medical devices since 1993.

  3. Devices require special upgrading procedures that delay patching.
     Due to the specialized software and firmware running on many medical devices, the patching procedure is not as easy as on a traditional computer. Not only is applying patches more difficult, but even the existence of patches is not guaranteed for vulnerabilities affecting third-party components. This is an issue explored at length in our Project Memoria research.
     Patches for certain devices in the US, for example, can require FDA approval – so patching is sometimes a roadblock that keeps security teams from updating in a timely manner through no fault of their own.

  4. Devices were not designed with security in mind.
     Many of the protocols running on these devices do not include basic security controls such as authentication and encryption. We have recently discussed the issue of insecurity by design in operational technology as part of OT:ICEFALL. We also have demonstrated in the past how insecure protocols in healthcare allow attackers to:
     • Leak patient data
     • Tamper with diagnostic results
     • Disconnect a patient monitor
     • Change a patient’s vital readings on the network

Medical Device Risk Management: Prioritize by the Risk of Your Devices

It’s crucial to understand the risk scope of medical devices. “Hospitals are installing a lot of IoT devices — everything’s hooking into the network,” says Ashis Barad, chief digital and information officer, to MedCity News. “Every MRI machine is now connected to a network, but it wasn’t this way before.”

Forescout Research Vedere Labs has been tracking ransomware and device risk for many years. Take a look at some of the patterns being uncovered. For healthcare and medical fields, we detailed the five riskiest areas:

  • Medical information systems
  • Electrocardiographs
  • DICOM workstations
  • Picture Archiving and Communication Systems (PACS)
  • Medication Dispensing Systems
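As an added example (not Forescout's code or its scoring method), the following Python sketch turns the four root causes listed above and the five riskiest categories into a defender-side inventory triage: each device record is checked for the conditions this post describes, scored with a constructed weighting, and ranked so a security team can see what to fix first. The Device schema, the weights and the sample inventory are all assumptions made for the example.

```python
from dataclasses import dataclass
# The five categories this post names as riskiest in healthcare (normalized labels).
RISKIEST = {"medical information system", "electrocardiograph", "dicom workstation",
            "pacs", "medication dispensing system"}

@dataclass
class Device:                              # one inventory record (hypothetical schema)
    name: str
    category: str
    years_in_service: int
    internet_exposed: bool = False         # reachable from the open internet
    default_credentials: bool = False      # factory or hardcoded credentials still in use
    config_agent_present: bool = False     # manufacturer configuration agent left on board
    unpatched_vulns: int = 0               # known vulnerabilities with no fix applied
    vendor_patch_available: bool = True    # a fix exists (FDA-cleared where required)
    unauthenticated_protocols: tuple = ()  # protocols with no authentication/encryption

def findings(d: Device) -> list:
    """Turn the four root causes above (plus internet exposure) into concrete findings."""
    patch = "patch available" if d.vendor_patch_available else "no vendor patch"
    checks = [
        (d.default_credentials, "default/hardcoded credentials"),
        (d.config_agent_present, "manufacturer config agent still present"),
        (d.years_in_service >= 10, f"{d.years_in_service} years in service"),
        (d.unpatched_vulns > 0, f"{d.unpatched_vulns} unpatched vulns ({patch})"),
        (d.internet_exposed, "exposed to the internet"),
    ]
    hits = [msg for hit, msg in checks if hit]
    return hits + [f"unauthenticated protocol: {p}" for p in d.unauthenticated_protocols]

def risk_score(d: Device) -> int:
    """Constructed weighting (an assumption, not Forescout's scoring), capped at 100."""
    score = 40 * d.internet_exposed + 25 * d.default_credentials + 10 * d.config_agent_present
    score += min(d.years_in_service, 30) // 3                  # up to 10 for 30-year-old gear
    score += 5 * d.unpatched_vulns * (1 if d.vendor_patch_available else 2)
    score += 8 * len(d.unauthenticated_protocols)
    if d.category.lower() in RISKIEST:                         # riskiest categories weigh 1.5x
        score = int(score * 1.5)
    return min(score, 100)

def prioritize(devices: list) -> list:
    """Rank (name, score, findings) by descending score; ties keep inventory order."""
    return sorted(((d.name, risk_score(d), findings(d)) for d in devices),
                  key=lambda r: r[1], reverse=True)

INVENTORY = [  # constructed sample inventory, not real devices
    Device("dispenser-3f", "medication dispensing system", 8, internet_exposed=True,
           default_credentials=True, unpatched_vulns=2, vendor_patch_available=False),
    Device("ecg-icu-2", "electrocardiograph", 14, unauthenticated_protocols=("HL7v2",)),
    Device("infusion-ward4", "infusion pump", 12, config_agent_present=True, unpatched_vulns=1),
]
```

Note that the infusion pump, which is not in one of the five riskiest categories, still outranks the ECG once its leftover configuration agent and unpatched vulnerability are counted, which is the point the next section makes about looking beyond any single category.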

Go deeper, learn more: Attend our on-demand webinar on the riskiest devices of 2024.

Vedere Labs also watches ransomware group activity closely. Earlier this year, we examined attack groups splintering off during the Change Healthcare ransomware debacle.

Ultimately, Medical Device Risk Goes Beyond One Category

“It is not enough to focus defenses on risky devices in a single category since attackers can leverage assets of different categories to carry out attacks,” concludes Daniel dos Santos, Senior Director, Security Research at Vedere Labs, in our riskiest devices mitigation guidance. “Modern risk and exposure management should encompass assets in every category to reduce risk across the whole organization. Solutions that work only for specific devices cannot effectively reduce risk because they are blind to other parts of the network being leveraged for an attack.”

*Forescout has been named a Representative Vendor in the August 2024 Gartner® Market Guide for Medical Device Risk Management Platforms, which we believe is a must-read report for healthcare delivery organization (HDO) CIOs, CISOs and network security administrators, as well as biomedical and clinical engineers.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
