Press Release
“State of CPS Security Report: Healthcare 2023” Reveals Startling Security Gaps in Medical Devices Directly Linked to Patient Care
NEW YORK and ORLANDO, Fla. – March 12, 2024 – Claroty, the cyber-physical systems (CPS) protection company, released today at the annual HIMSS24 conference a new report that uncovered concerning data about the security of medical devices connected to healthcare organization networks such as hospitals and clinics. The State of CPS Security Report: Healthcare 2023 discovered a staggering 63% of CISA-tracked Known Exploited Vulnerabilities (KEVs) on these networks, and that 23% of medical devices—including imaging devices, clinical IoT devices, and surgery devices—have at least one KEV.
In the first healthcare-focused edition of The State of CPS Security Report, Team82, Claroty’s award-winning research group, examines how the challenge of more and more connected medical devices and patient systems coming online increases exposure to the rising tide of cyberattacks focused on disrupting hospital operations. The aim of this research is to demonstrate the broad connectivity of critical medical devices—from imaging systems to infusion pumps—and describe the implications of their exposure online. Vulnerabilities and implementation weaknesses frequently surface in Team82’s research, and a direct line can be drawn to potentially negative patient outcomes in each of these cases.
“Connectivity has spurred big changes in hospital networks, creating dramatic improvements in patient care with doctors able to remotely diagnose, prescribe, and treat with a never-before-seen efficiency,” said Amir Preminger, vice president of research at Claroty. “However, the increase in connectivity requires proper network architecture and an understanding of the exposure to attackers that it introduces. Healthcare organizations and their security partners must develop policies and strategies that stress the need for resilient medical devices and systems that can withstand intrusions. This includes secure remote access, prioritizing risk management, and implementing segmentation.”
Key Findings:
Guest Network Exposure: 22% of hospitals have connected devices that bridge guest networks—which provide patients and visitors with WiFi access—and internal networks. This creates a dangerous attack vector, as an attacker can quickly find and target assets on the public WiFi, and leverage that access as a bridge to the internal networks where patient care devices reside. In fact, Team82’s research showed a shocking 4% of surgical devices—critical equipment that if they fail could negatively impact patient care—communicate on guest networks.
Unsupported or End-of-Life OSs: 14% of connected medical devices are running on unsupported or end-of-life OSs. Of the unsupported devices, 32% are imaging devices, including X-Ray and MRI systems, which are vital to diagnosis and prescriptive treatment, and 7% are surgical devices.
High Probability of Exploitation: The report examined devices with high Exploit Prediction Scoring System (EPSS) scores, which represent the probability that a software vulnerability will be exploited in the wild on a scale of 0-100. Analysis showed that 11% of patient devices, such as infusion pumps, and 10% of surgical devices contain vulnerabilities with high EPSS scores. Digging deeper, when looking at devices with unsupported OSs, 85% of surgical devices in that category have high EPSS scores.
Remotely Accessible Devices: This research examined which medical devices are remotely accessible and found those with a high consequence of failure, including defibrillators, robotic surgery systems, and defibrillator gateways, are among this group. Research also showed 66% of imaging devices, 54% of surgical devices, and 40% of patient devices to be remotely accessible.
To access Team82’s complete set of findings, in-depth analysis, and recommended security measures in response to vulnerability trends, download the “State of CPS Security Report: Healthcare 2023.”
For more information about this report and Claroty’s newly launched Advanced Anomaly Threat Detection Module for the Medigate by Claroty platform, find us at HIMSS Global Health Conference, booth #1627, taking place March 11-15 in Orlando, Fla.
Methodology
The State of CPS Security Report: Healthcare 2023 is a snapshot of healthcare cybersecurity trends, medical device vulnerabilities, and incidents observed and analyzed by Team82, Claroty’s threat research team, and our data scientists. Information and insights from trusted open sources, including the National Vulnerability Database (NVD), the Cybersecurity and Infrastructure Security Agency (CISA), the Healthcare Sector Coordinating Council Working Group, and others, also were used to bring invaluable context to our findings.
Acknowledgements
The primary author of this report is Chen Fradkin, full stack data scientist at Claroty. Contributors include: Ty Greenhalgh, industry principal healthcare, Yuval Halaban, risk team lead, Rotem Mesika, threat and risk group lead, Nadav Erez, vice president of data and Amir Preminger, vice president of research. Special thanks to the entirety of Team82 and the data department for providing exceptional support to various aspects of this report and research efforts that fueled it.
About Claroty
Claroty empowers organizations to secure cyber-physical systems across industrial, healthcare, commercial, and public sector environments: the Extended Internet of Things (XIoT). The company’s unified platform integrates with customers’ existing infrastructure to provide a full range of controls for visibility, risk and vulnerability management, threat detection, and secure remote access. Backed by the world’s largest investment firms and industrial automation vendors, Claroty is deployed by hundreds of organizations at thousands of sites globally. The company is headquartered in New York City and has a presence in Europe, Asia-Pacific, and Latin America. To learn more, visit claroty.com.