Recent Claroty research shows that the number of vulnerability disclosures, including those concerning medical devices, is increasing. However, patch management issues can hamper this progress. As new research from Palo Alto Networks on infusion pump vulnerabilities shows, the majority of these devices operate with known flaws.
Both reports address the same challenge in securing medical devices in the healthcare environment: the persistent gap between responsible disclosures and the ability of vendors and providers to close known security vulnerabilities.
Specifically, research from Claroty shows that more than half of end-of-life product vulnerabilities are remotely exploitable, while the majority of infusion pumps examined by Palo Alto Networks Unit 42 contain known security vulnerabilities.
Numerous studies have shown the heavy reliance of healthcare on medical devices built on legacy or end-of-life systems for a variety of reasons, including the fact that it is simply not cost effective to replace a fully functional MRI or another large machine.
Any large hospital or clinic may contain a thousand or more infusion pumps, which are often difficult to keep track of due to a host of inventory issues. As noted in the Unit 42 report, the average infusion pump has a lifespan of eight to 10 years, which means that the use of legacy equipment will persist and continue to hamper security efforts.
“Recalls, whether due to mechanical failure or cybersecurity vulnerability, can be a source of anxiety for supply chain managers, clinical engineers and IT security teams,” explained the Unit 42 researchers. “An oversight or failure in any of these areas, whether the devices require repair, maintenance, software patches or updates, can be life-threatening to patients or put sensitive information at risk.”
Healthcare organizations also struggle to maintain strong patch management policies capable of quickly remediating vulnerabilities after they are disclosed, despite a number of federal government and private sector efforts to support and educate vendors on remediation. As things stand, many providers assess and accept a degree of risk, which makes the Unit 42 findings somewhat alarming.
As noted in the Claroty report, its Team82 found and disclosed 110 vulnerabilities in the second half of 2021, 29 of them in end-of-life devices.
More than half of end-of-life platform vulnerabilities are remotely exploitable and could lead to code execution or denial of service if exploited. In addition, medical devices ranked third among end-of-life products with vulnerabilities, behind basic control devices and supervisory control devices.
Of the disclosed vulnerabilities, 34% impact IoT, IT and IoMT products. The report covers data from all commercial products running in critical infrastructure entities, including healthcare. It also shows medical device vulnerability disclosures rising to 34%, up from 29% in 1H 2021.
Of the 60 medical device flaws disclosed by Team82, 31 were related to firmware, 28 to software, and one vulnerability affected both firmware and software. Notably, network was the most common attack vector for medical devices, followed by local.
Action required after disclosure of defects in a medical device
It cannot be overemphasized that vulnerability disclosure is imperative to building the ability of healthcare organizations to address potential security issues at the source. However, disclosures without action can prove detrimental to the security of corporate networks and devices.
As the Unit 42 report shows, known vulnerabilities are a massive and ongoing problem in healthcare.
Unit 42 researchers examined crowdsourced data from scans of 200,000 infusion pumps found across hospital and healthcare entity networks using Palo Alto Networks IoT healthcare tools. Researchers found that 75% of the infusion pumps scanned had known security vulnerabilities, putting them at increased risk of compromise.
These flaws included one or more of approximately 40 known cybersecurity vulnerabilities, and/or alerts that the device was affected by one or more of approximately 70 other known IoT security shortcomings.
The report also showed that about half of the infusion pumps analyzed were susceptible to two known vulnerabilities disclosed in 2019 (CVE-2019-12255 and CVE-2019-12264), one classified as “critical severity” and the other “high”.
Eight of the 10 most frequently detected flaws were classified as high or critical severity. The most commonly seen vulnerabilities could lead to information leaks, unauthorized access, and overflows, while flaws originating in third-party TCP/IP stacks could still impact the device itself and its operating system.
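To make the scan-and-match step concrete, here is an added example, not code from Claroty, Unit 42 or this article: a small Python triage that matches a constructed device inventory against a constructed catalog of known CVEs by component version, computes the share of devices with known flaws and the most frequently detected CVEs, and separates devices that can be patched from end-of-life devices that need compensating controls instead of an alert. The two CVE identifiers are the ones the article names; the page does not say which is critical and which is high, so the CVSS scores, the component names (ipnet, pumpfw), the version numbers, the placeholder CVE and the four devices are all assumptions.

```python
"""Defender-side triage of a medical-device inventory against known CVEs.

Added example; not code from Claroty, Palo Alto Networks or the article.
All inventory and catalog data below is CONSTRUCTED sample data.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Vuln:
    cve: str
    component: str            # affected component, e.g. a third-party TCP/IP stack
    fixed_in: Optional[str]   # first version that closes the flaw; None = no fix published
    cvss: float               # assumed score (the article only says "critical" / "high")
    remote: bool              # reachable over the network, or local access only


# Constructed catalog. CVE IDs for the two 2019 flaws come from the article;
# scores, component names and fixed versions are assumptions.
# "CVE-PLACEHOLDER-0001" is an obvious stand-in for a device-firmware flaw.
CATALOG: List[Vuln] = [
    Vuln("CVE-2019-12255", "ipnet", "6.9.1", 9.8, True),
    Vuln("CVE-2019-12264", "ipnet", "6.9.1", 7.1, True),
    Vuln("CVE-PLACEHOLDER-0001", "pumpfw", "4.2.0", 5.5, False),
]


@dataclass
class Device:
    asset_id: str
    model: str
    end_of_life: bool
    components: Dict[str, str]  # component name -> installed version


# Constructed inventory of four pumps (asset IDs and models are made up).
INVENTORY: List[Device] = [
    Device("PUMP-001", "ModelA", False, {"ipnet": "6.8.0", "pumpfw": "4.2.0"}),
    Device("PUMP-002", "ModelA", False, {"ipnet": "6.9.1", "pumpfw": "4.1.0"}),
    Device("PUMP-003", "ModelB", True, {"ipnet": "6.8.0", "pumpfw": "4.2.0"}),
    Device("PUMP-004", "ModelC", False, {"ipnet": "7.0.0", "pumpfw": "4.2.0"}),
]


def version_tuple(v: str):
    """Turn '6.9.1' into (6, 9, 1) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def severity(cvss: float) -> str:
    """CVSS v3 qualitative rating bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def affected(dev: Device, vuln: Vuln) -> bool:
    """A device is affected if it ships the component below the fixed version."""
    installed = dev.components.get(vuln.component)
    if installed is None:
        return False
    if vuln.fixed_in is None:
        return True
    return version_tuple(installed) < version_tuple(vuln.fixed_in)


def remediation(dev: Device, vulns: List[Vuln]) -> List[str]:
    """Patch where a fix exists and the device is supported; otherwise compensate."""
    actions = []
    for v in vulns:
        if v.fixed_in and not dev.end_of_life:
            actions.append(f"patch {v.component} to {v.fixed_in} ({v.cve}, {severity(v.cvss)})")
        elif v.remote:
            actions.append(f"no patch path for {v.cve}: isolate {dev.asset_id} in a "
                           "device VLAN and restrict inbound traffic to the pump server")
        else:
            actions.append(f"no patch path for {v.cve}: restrict local access and monitor")
    return actions


def triage(devices: List[Device], catalog: List[Vuln]) -> dict:
    """Fleet statistics of the kind the report cites, plus a per-device plan."""
    findings = {d.asset_id: [v for v in catalog if affected(d, v)] for d in devices}
    vulnerable = [aid for aid, vs in findings.items() if vs]
    by_cve = Counter(v.cve for vs in findings.values() for v in vs)
    plan = {d.asset_id: remediation(d, findings[d.asset_id]) for d in devices}
    return {
        "share_vulnerable": len(vulnerable) / len(devices),
        "by_cve": dict(by_cve),
        "plan": plan,
    }


if __name__ == "__main__":
    result = triage(INVENTORY, CATALOG)
    print(f"devices with known flaws: {result['share_vulnerable']:.0%}")
    for cve, n in sorted(result["by_cve"].items(), key=lambda kv: -kv[1]):
        print(f"  {cve}: {n} device(s)")
    for asset, actions in result["plan"].items():
        for a in actions:
            print(f"  {asset}: {a}")
```

The version comparison is the part that most often goes wrong in real asset tools (string comparison puts "6.10" before "6.9"), and the end-of-life branch is the point the article makes: for a device that cannot be patched, the output of the scan has to be a network control, not just a ticket.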
These security vulnerabilities “underscore the need for the healthcare industry to redouble its efforts to protect against known vulnerabilities, while diligently following best practices for infusion pumps and hospital networks,” wrote the Unit 42 researchers. But protecting vulnerable devices “goes beyond identifying and alerting devices.”
“The sheer volume of devices in the healthcare environment makes an alert-only approach risky and impractical,” they added. “Alert-only solutions require integration with third-party systems for prevention, adding to the complexity of deploying and managing those systems over time.”
Both reports provide long lists of actions and tools that providers can use to address this ongoing challenge, joining previous insights from the Health Sector Coordinating Council.