Vulnerabilities in critical medical devices make them susceptible to potentially fatal cyber attacks. But infosec experts have mixed opinions on the priority they hold in securing healthcare organizations.
In September 2022, the FBI released a notification about the growing volume of vulnerabilities in unpatched medical devices. Because legacy technology in hospitals can still perform clinical functions, hospitals often extend the intended lifecycle of the equipment. As a result, clinicians are often left using devices that no longer receive support for updates to perform critical care on patients.
Last week the U.S. Food and Drug Administration (FDA) issued new guidance that requires submissions for pre-market medical devices to include information about the cybersecurity of such devices. Starting Oct. 1 the FDA will have the authority to deny manufacturers' submissions based on cybersecurity factors.
Though technological modernization in hospitals is a necessity, replacing medical devices is financially demanding. The issue is especially neglected when outdated equipment is functioning sufficiently. Steve Preston, vice president of Metallic Security, described the situation as a "collision course" of insecure devices, legacy technology and more advanced attacks. "Healthcare is generally strapped for cybersecurity budget, and I wouldn't say they have the most sophisticated SOCs [security operations centers] in the world," he said.
Doug McKee, principal engineer and director of vulnerability research at Trellix, referred to medical devices as "low-hanging fruit," as they are easy for threat actors to exploit. Still, he said that device-based attacks are not a top priority yet because cybercriminals have been financially successful by attacking IT systems and networks.
"They don't have to attack all the critical devices yet," said McKee. "You basically have two goals. You either have financial gain or you have destruction. And both of those are still very viable options for attackers without even considering targeting critical devices."
But the problem of vulnerable medical devices still looms large for healthcare organizations. While the infosec community is split on how serious a threat it poses to hospitals today, experts agree that healthcare security teams, manufacturers and policy makers will be forced to reckon with the problem soon. The questions are when and why.
"Attackers are going to start to turn their attention to other low-hanging fruit," McKee said. "And those other low-hanging fruit right now in a lot of places are those critical devices."
Highly vulnerable, highly connected
Vulnerable medical devices have been a concern within the infosec industry for more than a decade. In 2011 the issue gained attention when a security researcher at the Black Hat USA conference demonstrated how wireless insulin pumps could be remotely hacked in a way that could cause patient deaths.
A few years later, deception technology startup TrapX Security detailed an extensive attack vector it called MedJack, short for medical device hijacking. MedJack and later versions of the attack technique could compromise several insecure medical devices, from X-ray machines and blood gas analyzers to diagnostic equipment like CT scanners. Although such attacks could lead to physical harm, TrapX researchers noted during an RSA Conference 2017 presentation that attackers were focusing on medical devices as a way into the hospital network rather than to cause loss of life.
Preston, who formerly served as TrapX's CEO before it was acquired by Commvault last year and combined with its Metallic division, said medical devices are difficult to secure even if the patches are up to date. "You can't collect logs on a lot of these systems, and you can't put endpoint security on these medical devices," he said.
The problem isn't just the medical devices themselves. Joshua Corman, vice president of cyber safety strategy at Claroty, said many such devices still in use today were designed for older operating systems that are no longer supported, such as Windows 7 and even Windows XP, which also weakens organizations' network security postures. "What we've known for quite some time is that the overwhelming majority of connected medical devices are running with unsupported end-of-life operating systems," Corman said.
To acknowledge the cyber risks facing critical infrastructure, CISA published an advisory in January on bad practices that jeopardize organizations such as medical and healthcare facilities. The agency affirmed use of unsupported or end-of-life software, such as Microsoft XP or Microsoft 7, "is especially egregious in technologies accessible from the internet."
Running antiquated technology has had serious ramifications on healthcare systems in the past. In May 2017, North Korean nation-state hackers exploited a Windows vulnerability known as EternalBlue in the WannaCry ransomware attacks. While Microsoft patched the vulnerability in March, unsupported editions such as Windows XP and Windows 8 were vulnerable to the attacks. At that time, Citrix found that 90% of the U.K.'s National Health Service trusts employed Windows XP, an OS that Microsoft halted updates for in 2014.
Healthcare organizations running unsupported and unpatched OSes were met with significant disruptions from WannaCry. The attacks forced NHS facilities to cancel thousands of appointments and scheduled operations, with initial response costs estimated to be £92 million.
Making matters worse is the growing number of medical devices that are now connected to the internet. Advancements in technology have ushered Internet of Medical Things devices into healthcare facilities, which experts say has broadened their attack surfaces, leaving a hospital's infrastructure unsound and at higher risk for attack.
Interconnectivity of technology and medical devices in healthcare centers has its benefits. Electronic health records, accessible from nearly any medical facility, automatically inform physicians of a patient's status and provide data useful for researchers to advance medical science.
But according to Corman, the premature adoption of IoT devices has outpaced organizations' ability to properly secure the networked technology. In turn, the damage that attacks can cause has grown.
"We incentivized devices that were never meant to be connected to anything to connect to everything," said Corman. "A compromise of any device can lead to a compromise of the entire hospital, or even a network of hospitals."
Still, it's challenging for threat analysts and hospital security teams alike to prioritize medical device vulnerabilities, given the extensive amount of IT security issues at many organizations. Preston said TrapX's deception technology can simulate vulnerable medical devices and attract threat actors. But it's unclear in such cases if the threat actors are merely looking for a way into the hospital network to steal data or if they are intent on more nefarious activity that could lead to loss of life.
But Preston said that even less impactful threats can still pose serious consequences for medical devices. "What if you found cryptomining software on your insulin pumps or heart monitors? What are you supposed to do, unplug it?" he said. "You get to this crisis where you know it's there, but you may not be in a position to do anything about it."
Known CVEs piling up
In recent years, researchers have detected various vulnerabilities in critical medical devices that could enable remote network attacks. Trellix researchers analyzed 270 medical device-specific CVEs reported between 2019 and 2022 -- 30% of which could enable remote code execution. For example, CVE-2021-27410, a vulnerability in Welch Allyn medical device management tools, is easily exploitable remotely, requiring no user interaction for attackers to exploit.
Trellix's report found that exploitation of such medical device vulnerabilities was "not likely" but noted the flaws still pose a risk to healthcare facilities. Trellix researchers found that vulnerabilities can be used between medical devices, as their operations are similar in nature. Threat actors often must tailor their work to exploit each device. But they can take advantage of those overlaps and extensive code reuse to extend their playing field in an attack.
According to Corman, one medical device on average has over 1,000 known CVEs. Though not all vulnerabilities are exploitable for remote code execution (RCE) or ransomware attacks, devices possess many of them, and threat actors only need one endpoint to seed an attack.
"While most of those are not exploitable, it only takes one," said Corman. "A single flaw on a single device could affect patient safety. And a typical device gives you over a thousand chances to do it."
Researchers have also disclosed the distinct susceptibility of infusion pumps. In November 2022, Armis Security warned of malware found on actively used infusion pumps. While it is estimated that over 200 million infusion pumps are used globally every year, they are an accessible target for threat actors. They are also inherently trusted in healthcare operations for medication delivery, which makes the discovery of these vulnerabilities especially concerning.
McAfee's Enterprise Advanced Threat Research team uncovered a set of vulnerabilities in the B. Braun Infusomat Space Large Volume Pump that would let an attacker alter the volume of medication it dispenses to a patient. Modification of the dosage could only be noticed after a significant amount of the drug had already been administered. So a potentially lethal dose would already be delivered to the patient before anyone knew.
The latest version of the B. Braun pump removed the primary vector of the attack sequence. But older pumps are still deployed across medical centers.
There is no evidence of these drastic exploitation scenarios. But the security community has already been alarmed by devastating bugs and exploits in the past. Karan Sondhi, CTO for public sector at Trellix, cited Stuxnet, the sophisticated malware that caused physical damage to an Iranian nuclear facility in 2010.
"If you think about it from a cynical perspective, if somebody is very sophisticated and has a reason to maintain presence in these key medical industries, they now have a vector of attack that none of us imagine," said Sondhi. "We never thought something like Stuxnet was real. It was never imagined until it was made public."
Persistent issues, potential remedies
Hospitals are equipped with security teams to monitor and update technology used in the network environment. Those security practices in hospitals, however, do not always cover every medical device critical to patient care.
"Other auxiliary devices that you might see in an ER room that are small, somewhat cheap and disposable in nature -- that do have internet connectivity -- are largely neglected just because they don't have the cycles to focus on it and they don't fall on the critical path," Sondhi said.
In addition to the FDA's recent guidance on medical devices, legislation was introduced last year to improve monitoring processes in healthcare systems. The PATCH Act aims to improve the cybersecurity of medical devices by specifically requiring manufacturers to design and deploy patches and updates for their products throughout the devices' lifecycles. Like the FDA guidance, the bill would hold manufacturers accountable for not meeting those standards by denying FDA approval for pre-market devices.
"Medical device manufacturers will be encouraged to send us devices that don't have any security gaps before they hit our shores," said Greg Garneau, CISO at Marshfield Clinic Health System, in Claroty's recent "Healthcare Cyber Reform" webinar. "One of the big things that we run into often is the actual device itself will continue to work but the operating systems haven't been upgraded."
However, Nathan Phoenix, director of IT and information security officer at Southern Illinois Healthcare, feared that the proposed law may pose adverse impacts. He said in the webinar that the impact of the bill relies on how device manufacturers react to the conditions and requirements.
"They may shorten the lifespan of the devices, which is going to be a financial burden to an organization," Phoenix said. "If you have to go through replacements more frequently, then that's just more dollars out of your pocket."
It's unclear how the FDA guidance will be enforced and what the future may hold for the PATCH Act. The hope among legislators, security professionals and healthcare organizations is that medical device companies will build new processes for deploying patches and upgrades while preserving long lifecycles for devices.
"It's really great to see progress being made with the PATCH Act," said Phoenix. "It's kind of exciting and a little bit scary to see what's going to come next."