Medical Device Cybersecurity

What Is Medical Device Cybersecurity?

According to the FDA, it involves “monitoring, identifying, and addressing cybersecurity vulnerabilities in medical devices.”[i] This type of security has gained great attention from governments over the last two decades, because the industry has become a battleground due to the massive volume of internet-connected devices and wide range of bad actors seeking to access information systems illegally.

In fact, the World Health Organization (WHO) noted that there are more than 2 million different types of devices.[ii] They serve as the key technologies to maintain or improve health, treat medical conditions or diseases, or facilitate the diagnosis or monitoring of medical conditions.

 

What Is Driving the Need for Security?  

“The growing integration of software within medical devices introduces the potential for cybersecurity threats,” says a 2023 cybersecurity vulnerability analysis of these devices conducted across 36 countries and 92 million public administration purchase records for potentially vulnerable devices.[iii]

With billions of devices serving patients worldwide, securing the technology and the people who rely on them is critical to producing positive patient outcomes and protecting people from harm. 

There is also a substantial profit motive behind attacks on devices and networks in general. By compromising them, attackers gain access to rich personal information like Social Security Numbers and other personal identifiers as well as health information relating to diagnosis and disease. Fraudsters can use it all to do anything from creating fake IDs to submitting false insurance claims. Medical records sell for anywhere from $100 up to $1,000 on the black market.[iv]

There is also the fact that medical device manufacturers, in general, struggle to use cyber-secure-by-design techniques within product lifecycle practices in many pre- and post-market activities. A 2015 study from New Zealand researchers summarizes the issue: “This multifaceted problem must be viewed from a systemic perspective if adequate protection is to be put in place and patient safety concerns addressed. This requires technical controls, governance, resilience measures, consolidated reporting, context expertise, regulation, and standards.”  

The researchers go on to point out how the rise of networked devices and regulations have gaps:  

“The contention between medical device manufacturers and regulation is not a new issue … Rigorous clinical trials are not part of the process for approval of all devices, and in both the US and the European Union, this is handled through pre-market submission and post-market surveillance. However, this does not consider non-clinical safety issues with networked medical devices.” 

  

What are the Different Types of ‘At Risk’ Medical Devices? 

Today there is a very broad range of ‘at risk’ devices that play a critical role in private and public systems. The 2023 vulnerability analysis noted that devices at risk for attacks “comprise a broad spectrum of constantly evolving technologies, with more and more devices involving a software part.”[v]

Among the two million different device types, here are just a few commonly vulnerable devices and the dangers they expose: 

  • Magnetic Resonance Imaging (MRI) machines that use software for signal processing and data visualization. Some MRI machines expose sensitive patient information, including images. 
  • Infusion pumps, which account for 38% of a typical hospital’s footprint and have firmware for control and management. These pumps tend to easily allow sensitive information leakage or unauthorized access. 
  • Insulin pumps that often use wireless connections to show medical parameters and allow the regulation of drug dosage. Some insulin pumps allow remote attackers to change pump settings and control insulin delivery – with potentially fatal outcomes. 

Forescout Research – Vedere Labs tracks device risk across IT, OT, IoT, and IoMT – the Internet of Medical Things. In its annual report, the riskiest IoMT devices include:  

Imaging Devices

This includes CT scanners, PET-CT scanners and X-ray machines, which generate medical images and are often connected to Picture Archiving and Communication Systems (PACS) for storage and retrieval. They frequently run legacy, vulnerable IT operating systems and require extensive network connectivity to facilitate image sharing. They rely on the DICOM standard (Digital Imaging and Communications in Medicine) for sharing these files, which defines both image formats and communication protocols.

In a recent report, Vedere Labs examined real-world attacks searching for patient data in medical honeypots and campaigns leveraging DICOM applications to infect patients and institutions. 

Lab Equipment

This includes blood and urine analyzers, which are essential for diagnostic laboratories to process biological samples and provide critical health data. These devices run specialized operating systems and are connected to Laboratory Information Systems (LIS). A major concern is that data transmission between lab equipment and LIS is often unencrypted, leaving it vulnerable to data exfiltration and data tampering attacks.

Workstations

These include DICOM workstations, treatment planning systems, and diagnostic terminals. These systems handle clinical data using standardized formats, such as HL7 (Health Level 7) to integrate with electronic health records (EHR) and billing systems. 

Securing every medical device within an enterprise network is crucial, as a security lapse in one component can render the entire system vulnerable. Potential consequences include disruption to caregiving operations, breaches of sensitive patient data, and even tens, hundreds or thousands of fatalities.  

Exploitable: Most Vulnerable Devices with Critical Vulnerabilities

Computers have the highest number of vulnerabilities overall but not the most dangerous ones. Routers surpass computers — accounting for half of the most critical vulnerabilities.

IoMT devices – pump controllers, medication dispensing systems and workstations – have some of the most dangerous vulnerabilities – and highlight healthcare security risks.

Why You Must Act Now  

According to the U.S. Government Accountability Office’s recent overview of Healthcare Cybersecurity, “Over the last several years, there have been increased cyberattacks in the healthcare and public health critical infrastructure sector. In February 2024, Change Healthcare (a health payment processor) became the victim of a ransomware attack that involved the theft of data resulting in estimated losses of $874 million and widespread impacts on providers and patient care.”[vi] Yet, this attack is just the tip of the iceberg. Other recent attacks include the following:

In 2024, there were 13 data breaches involving more than 1 million records, including the largest medical data breach of all time that affected an estimated 100,000,000 individuals. Across those 13 data breaches alone, the records of 146,463,977 U.S. residents were exposed or compromised—around 42% of the U.S. population. Moreover, for each of the last four years, there have been over 700 data breaches in which 500 or more records have been stolen.[vii]

Specific to devices, the FDA submitted an official warning about security vulnerabilities in Medtronic devices, including insulin pumps and cardiac implants.[viii] The FDA found that CareLink, the main source of software updates, patient monitoring and data transfer, did not use satisfactory security protocols to prevent potential hackers from accessing the Medtronic devices.

In 2024, an industry-led council provided guidelines known as the “Health Industry Cybersecurity Strategic Plan 2024-2029”. Some of its stated goals include:

  • Security, both practiced and regulated, is reflexive, evolving, accessible, documented, and implemented 
  • Secure design and implementation of technology and services across the ecosystem is a shared and collaborative responsibility 
  • Leaders in the C-Suite embrace accountability for security as an enterprise risk and a technology imperative 
  • A safety net promotes equity among under-resourced health organizations across the ecosystem 

This council exists to help drive patient safety — and to influence industry action, medical device regulations on manufacturers, and regulatory compliance. 

 

Best Practices for Medical Devices

Based on more than a decade of securing systems, including over 10 million devices across 42,000 facilities, Forescout has developed a comprehensive healthcare cybersecurity checklist. Following are best practices focused specifically on security risks, all of which can be performed using technology proven in use today: 

Gain Visibility Into All Your Devices

  1. Modern technology enables you to discover devices behind firewalls and across multiple types of network architectures (centralized, distributed, segmented). 
  2. Use a technology that provides comprehensive visibility to the device attributes and their respective traffic flows. 

Assess Device Risk and Asset Compliance

  1. Assess compliance of all devices, managed or unmanaged, including device software and services.
  2. Perform real-time risk analysis and mitigation for connected assets based on device trends and threat feeds.
  3. Dynamically group assets by type and role to map traffic flows between business segments or device roles.
  4. Perform vulnerability assessments for your connected devices, including risk level, risk profile, and criticality level.

Use a Zero Trust Approach to Security Risk and Governance of All Devices

  1. Implement zero trust policies based on user, device, connection, posture and compliance for all your devices.
  2. Maintain visibility and operational insight into medical devices (FDA recalls, patching).

Apply Automated Security and Response Workflows

  1. Leverage active alerting and automated remediation of malicious activity or anomalies in device behavior. 
  2. Safeguard devices from accidental shut-off by proactively enforcing measures to ensure ports/protocols can be shut off without impact to device functionality. 

 

Choosing the Right Cybersecurity Vendor 

Choosing the right cybersecurity risk management vendor is critical. Given the escalating number of cyber threats and the devastating impacts they can have, selecting a vendor who can meet your specific security needs and offer effective solutions to mitigate those threats is essential.

Consider the following crucial factors when deciding on a medical device security vendor: 

  • Expertise and Track Record: Opt for a vendor with a proven track record in medical security. Consider their experience collaborating with organizations in your industry and their understanding of the distinctive challenges encountered by devices and other health systems. 
  • Comprehensive Security Offerings: Evaluate the vendor’s array of security solutions. Ensure they present a comprehensive suite of offerings covering all facets of security, including network monitoring, vulnerability assessments, detection, and incident response. 
  • Scalability and Adaptability: Recognize that your security needs may change as your organization expands. Select a vendor capable of scaling their solutions to accommodate your evolving requirements. Flexibility in deployment options, such as on-premises and cloud-based solutions, is also crucial. 
  • Proactive Threat Intelligence: Look for a vendor that stays abreast of emerging risk, providing regular updates and patches. Proactive threat intelligence ensures the protection of your clinical systems against the latest vulnerabilities and attacks. 
  • Integration Capabilities: Assess the vendor’s ability to integrate seamlessly with your existing clinical and overall medical system infrastructure and security tools. Smooth integration facilitates efficient management and monitoring of security throughout your entire network. 

 

How Forescout Helps  

Forescout’s unique approach delivers unparalleled insights and control for the entire network without disrupting critical business processes. The Forescout 4D Platform combines a wide range of discovery techniques with AI-powered intelligence for any device connected to your clinical network. The solution then assesses the risk of each device, factoring in its known exposures, the attack potential and operational criticality.

Seven qualities that establish Forescout as a market leader: 

Risk and Exposure Management

You can enhance your medical network’s security posture with risk-based prioritization to empower biomed teams to track medical device state and exposure posture. Reduce risk of incidents with insights into FDA class and recall status to help ensure security without impacting patient care.

Dynamic Medical Network Segmentation

Forescout’s network security solution provides granular medical device insights to automatically classify and group medical assets into a logical taxonomy. The visualization of their communication patterns can then be used to design and dynamically enforce segmentation policies.

Threat Detection and Response

Forescout makes it easy to automate the detection, investigation, and response across the clinical network. Streamline SOC operations with correlated, enriched, normalized and contextualized data, leveraging a two-stage threat detection engine that uses a blend of five techniques to reduce noise and improve fidelity. 

Asset Intelligence

Forescout provides a simplified way to maintain real-time and persistent asset intelligence for every connected device, with high-fidelity, cloud-powered classification. 

Comprehensive Risk Assessment

You can use Forescout to gain clear and concise quantification of cybersecurity risk posture based on exposure from vulnerabilities and misconfigurations, with a unique, multifactor risk score that correlates risk and exposure factors across configuration, function and behavior.

Accelerated Incident Response

Searchable history of asset configuration changes over time for faster incident investigation and for discovering coverage gaps in vulnerability management. Leverage historical asset context to aid proactive investigation of risks and reactive response to incidents and events. 

Proven success for securing medical environments

Forescout delivers. We bring more than 20 years’ experience and data insights from thousands of customers, including more than 300 health providers, analyzed by a team of global experts. 

Do you know what’s on your clinical network? Request a personalized demo. 


[i] U.S. Food and Drug Administration. THE FDA’S ROLE IN MEDICAL DEVICE CYBERSECURITY. Accessed March 10, 2025 from the following source: https://www.fda.gov/media/103696/download

[ii] World Health Organization (2023). Medical Devices. Accessed March 10, 2025 from the following source:  https://www.who.int/health-topics/medical-devices

[iii] Lorenzo Bracciale, Pierpaolo Loreti & Giuseppe Bianchi. University of Rome Tor Vergata (2023). Cybersecurity vulnerability analysis of medical devices purchased by national health services, October 2023. Accessed March 10, 2025 from the following source: https://pmc.ncbi.nlm.nih.gov/articles/PMC10636100/pdf/41598_2023_Article_45927.pdf

[iv] Richard Pallardy, Information Week (2023). The Unique Cyber Vulnerabilities of Medical Devices, November 14, 2023. Accessed March 10, 2025 from the following source: https://www.informationweek.com/cyber-resilience/the-unique-cyber-vulnerabilities-of-medical-devices

[v] Lorenzo Bracciale, Pierpaolo Loreti & Giuseppe Bianchi. University of Rome Tor Vergata (2023). Cybersecurity vulnerability analysis of medical devices purchased by national health services, October 2023. Accessed March 10, 2025 from the following source: https://pmc.ncbi.nlm.nih.gov/articles/PMC10636100/pdf/41598_2023_Article_45927.pdf

[vi] GAO (2024). HHS Continues to Have Challenges as Lead Agency, GAO.gov 2024. Accessed March 10, 2025 from the following source: https://www.gao.gov/products/gao-25-107755

[vii] Steve Alder. The HIPAA Journal (2025). The Biggest Healthcare Data Breaches of 2024, January 7, 2025. Accessed March 10, 2025 from the following source: https://www.hipaajournal.com/biggest-healthcare-data-breaches-2024/

[viii] FDA (2021). Health, Center for Devices and Radiological, Wikipedia. Accessed March 10, 2025 from the following source: https://en.wikipedia.org/wiki/Medical_device_hijack#:~:text=plethora%20of%20vulnerabilities.-,Impacted%20devices,%2C%20and%20x%2Dray%20machines
