
Report

State of CPS Security Report: Healthcare 2023

Team82’s analysis of the cybersecurity trends and events impacting medical device security and the overall healthcare industry.


This Team82 report examines the vulnerabilities and implementation issues impacting the cybersecurity of connected medical devices and healthcare networks. We demonstrate the broad connectivity of critical medical devices—from imaging systems to infusion pumps—and describe the implications of their exposure online. Vulnerabilities and implementation weaknesses frequently surface in our research, and a direct line can be drawn to potentially negative patient outcomes in each of these cases.

From our research, we’ll illustrate:

  • The breadth of medical devices that contain known exploitable vulnerabilities, which attackers may leverage with a clear negative impact on patient safety.

  • The widespread continued use of legacy medical devices that are no longer supported by vendors and manufacturers, including surgical tools whose failure because of a compromise could lead to negative patient outcomes.

  • The proliferation of implementation weaknesses, such as medical devices bridging guest and internal networks, and the risks those present.

Healthcare delivery organizations (HDOs) are at a pivotal point where cybersecurity can no longer be a reactive exercise. It must be a core business and strategic consideration for HDOs and manufacturers alike, and we hope this report informs decision-makers and policymakers as to where the major cybersecurity issues lie and the risks they must take into account.


Key Findings

Known Exploited Vulnerabilities in Medical Devices

CISA’s KEV database tracks vulnerabilities used in publicly known attacks. From our research, we discovered that 63% of KEVs tracked by CISA can be found on healthcare networks, and 23% of medical devices (imaging systems, clinical IoT devices, surgical equipment) have at least one KEV. 

Here’s a breakdown by percentage of the device types with at least one known exploited vulnerability:

Patient and Surgical Devices with High EPSS Scores

The EPSS score is a relatively new metric that gives the probability that a vulnerability will be exploited within 30 days of disclosure. Our research breaks down the medical device types that contain vulnerabilities with high EPSS scores.

The Risks of Legacy Medical Devices 

Our research shows that legacy medical devices running on unsupported and/or unmanaged operating systems are prevalent on hospital networks. These systems are considered end-of-life by their respective vendors and are no longer supplied with security or feature updates. Below are some data points around legacy systems from our research.

Broad Connectivity of Medical Devices 

Connectivity has spurred huge changes in hospital networks that have brought about great improvements in patient care via remote diagnosis and treatment options. Now that many of these systems are reachable online, implementation errors are magnified and exploitable vulnerabilities exposed to the internet. From our research, below, we demonstrate the breadth of connected devices capable of internet communication...

...And the percentages from our research of devices that are remotely accessible and present a high consequence of failure if compromised.

Guest Networks a Bridge to Critical Systems

Guest networks—labeled as such by hospitals in our research—that provide patients and guests with WiFi services may also be a bridge to other internal networks. 22% of hospitals in our research have connected devices that bridge guest and internal networks, exposing devices with vulnerabilities, including those with critical CVSS scores or high EPSS scores.
