The FBI warned Monday that hundreds of vulnerabilities in widely used medical devices leave the door open to cyberattacks.
In a white notice from the FBI’s Internet Crime Complaint Center (IC3), the law enforcement agency said it had identified “an increasing number” of vulnerabilities posed by unpatched medical devices that run on outdated software and by devices without adequate security features.
The FBI specifically cited vulnerabilities found in insulin pumps, intracardiac defibrillators, mobile heart telemetry, pacemakers and intrathecal pain pumps, noting that malicious hackers could take control of the devices and alter readings, administer drug overdoses or “otherwise endanger the health of patients”.
“Cyber threat actors exploiting vulnerabilities in medical devices negatively impact healthcare facility operational functions, patient safety, privacy and data integrity,” the alert reads.
“Medical device vulnerabilities mainly arise from the design of the device hardware and the management of the device software. Routine challenges include the use of standardized configurations, specialized configurations including a large number of managed devices on the network, the lack of security features built into the devices, and the inability to upgrade those features.”
The FBI noted that medical device hardware has often been in use for more than 30 years in some healthcare facilities, giving cybercriminals and state actors ample time to discover and exploit bugs.
Many legacy devices used by hospitals and clinics run outdated software because they no longer receive manufacturer support for patches or updates, the FBI said, adding that many devices were not designed with security in mind.
The white notice then cites several reports from cybersecurity companies that have highlighted the scale of the problem, including that approximately 53% of all connected medical devices and other Internet of Things (IoT) devices in hospitals have known critical vulnerabilities.
One report found an average of 6.2 vulnerabilities per medical device and indicated that more than 40% of medical devices are at end of life, offering little or no security patches or upgrades.
The alert comes days after multi-billion dollar healthcare company Baxter International notified customers of four vulnerabilities affecting its WiFi-enabled infusion pumps and batteries. CISA published its own advisory about the problems, the second it released last week relating to medical devices.
In March, security researchers from Palo Alto Networks discovered that more than 100,000 infusion pumps were susceptible to two known vulnerabilities that were disclosed in 2019.
Infusion pumps have long been a source of frustration for cybersecurity experts and vendors, who have spent more than a decade trying to improve their security. Palo Alto noted that the Food and Drug Administration announced seven recalls of infusion pumps or their components in 2021 and nine more recalls in 2020.
Last year, German healthcare giant B. Braun updated several faulty IV pumps after McAfee discovered vulnerabilities allowing attackers to modify doses.
Healthcare organizations continue to face a deluge of ransomware incidents and cyberattacks. Cybersecurity company Proofpoint published a report last week, which revealed that 89% of healthcare professionals surveyed had experienced at least one cyberattack in the past 12 months.
More than 20% of those attacked saw their death rate increase, and more than half said the attacks led to longer patient stays, delays in procedures and an overall decrease in the quality of care.