Tech & Innovation in Healthcare

Industry Notes:

Check the Security Status of Legacy Medical Devices, Suggests FBI

On Sept. 12, 2022, the Federal Bureau of Investigation (FBI) issued a Private Industry Notification warning that unpatched and outdated medical equipment poses a security risk to healthcare organizations. In the notice, the FBI indicated that unpatched medical devices are often running outdated software with known vulnerabilities, which cyber threat actors can exploit to disrupt healthcare facilities.

Providers may keep medical device hardware in service for 10 to 30 years, but the software that runs on it is supported, patched, and regularly updated only for the life cycle the manufacturer specifies, which can range from a few months to the device's maximum life expectancy. Once the manufacturer stops issuing software updates, any vulnerabilities that threat actors find remain exploitable for as long as the device stays in use.

According to a 2021 research report cited by the FBI in the notice, “there is an average of 6.2 vulnerabilities per medical device … while more than 40 percent of medical devices at the end-of-life stage offer little to no security patches or upgrades.”

Since security updates, patches, and exploit fixes are typically the responsibility of the device manufacturer, the FBI recommends that healthcare organizations take their own steps to protect their facilities from cyber threat actors. These steps include:

  • Implement endpoint protection, if supported by the device.
  • Change the default password on each medical device to a secure, complex password unique to that device.
  • Take inventory of the medical devices and associated software and use the inventory to ascertain which devices pose the greatest risk.
  • Work with medical device manufacturers to fix or mitigate vulnerabilities on operational equipment.
  • Develop and implement a plan to train employees on how to identify and report possible threats.
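The inventory step is the one that drives the rest of the list: an organization cannot change default credentials, deploy endpoint protection, or open a support case with a manufacturer for devices it does not know it has. The following Python script is an added example, not code from the FBI notice or any vendor, of how that inventory can be turned into a remediation queue. It scores each device on the factors the notice calls out (software past the manufacturer's support date, vendor default credentials still in use, no endpoint protection, exposure on the clinical network) and sorts the fleet so the riskiest devices are handled first. The asset tags, models, dates, and the point weights in WEIGHTS are all constructed for illustration; a real deployment would load the inventory from the asset-management system and tune the weights to local policy.

```python
"""Rank a medical-device inventory by remediation priority.

Added example (not from the FBI notice). The inventory below is
constructed sample data; the weights are illustrative assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Device:
    asset_id: str               # hospital asset tag (constructed)
    model: str                  # device model (constructed)
    software_version: str       # firmware/software running today
    support_ends: date          # last date the manufacturer ships patches
    default_creds: bool         # vendor default password still in use
    endpoint_protection: bool   # endpoint agent supported and installed
    network_exposed: bool       # reachable from the general clinical network


# Illustrative weights: unsupported software outweighs everything else
# because no vendor patch will ever close the holes that are found.
WEIGHTS = {
    "software past manufacturer support date": 5,
    "vendor default credentials still in use": 3,
    "no endpoint protection": 2,
    "reachable from the general clinical network": 2,
}


def risk_factors(dev: Device, today: date) -> list[str]:
    """Return the human-readable risk factors that apply to a device."""
    factors = []
    if today > dev.support_ends:
        factors.append("software past manufacturer support date")
    if dev.default_creds:
        factors.append("vendor default credentials still in use")
    if not dev.endpoint_protection:
        factors.append("no endpoint protection")
    if dev.network_exposed:
        factors.append("reachable from the general clinical network")
    return factors


def risk_score(dev: Device, today: date) -> int:
    """Sum the weights of every factor that applies; higher means fix first."""
    return sum(WEIGHTS[f] for f in risk_factors(dev, today))


def prioritize(devices: list[Device], today: date) -> list[Device]:
    """Order devices from highest to lowest risk, ties broken by asset tag."""
    return sorted(devices, key=lambda d: (-risk_score(d, today), d.asset_id))


def remediation_report(devices: list[Device], today: date) -> list[str]:
    """One line per device, in priority order, listing score and factors."""
    lines = []
    for dev in prioritize(devices, today):
        factors = risk_factors(dev, today) or ["no outstanding findings"]
        lines.append(f"{dev.asset_id} {dev.model} v{dev.software_version} "
                     f"score={risk_score(dev, today)}: {'; '.join(factors)}")
    return lines


# Constructed sample inventory; none of these describe real products.
AS_OF = date(2022, 9, 12)
SAMPLE_INVENTORY = [
    Device("INF-0142", "infusion pump", "3.2.1", date(2019, 6, 30),
           default_creds=True, endpoint_protection=False, network_exposed=True),
    Device("MRI-0007", "MRI console", "7.0.4", date(2026, 12, 31),
           default_creds=False, endpoint_protection=False, network_exposed=False),
    Device("MON-0310", "patient monitor", "2.8.0", date(2021, 1, 15),
           default_creds=False, endpoint_protection=False, network_exposed=True),
    Device("LAB-0055", "lab analyzer", "5.1.2", date(2027, 3, 1),
           default_creds=True, endpoint_protection=True, network_exposed=False),
]


if __name__ == "__main__":
    for line in remediation_report(SAMPLE_INVENTORY, AS_OF):
        print(line)
```

With the sample data, the out-of-support infusion pump that still uses its default password lands at the top of the queue, and the report line for each device doubles as the list of questions to put to the manufacturer under the fourth recommendation above.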