FBI Notice: Unpatched and Outdated Medical Devices Provide Cyber Attack Opportunities

Sep 21, 2022 at 12:54 pm by Staff


Please contact the FBI with any questions related to this Private Industry Notification via your local FBI Cyber Squad.

www.fbi.gov/contact-us/field-offices

 

Threat  

Medical device hardware often remains active for 10-30 years; however, underlying software life cycles are specified by the manufacturer and range from a couple of months to the maximum life expectancy of the device, allowing cyber threat actors time to discover and exploit vulnerabilities. Legacy medical devices contain outdated software because they do not receive manufacturer support for patches or updates, making them especially vulnerable to cyber attacks.

In addition to outdated software, many medical devices also exhibit the following additional vulnerabilities:

Medical devices have known vulnerabilities that impact various machines used for healthcare purposes, including those that sustain patients with mild to severe medical conditions.

Recommendations 

The FBI recommends considering the following to actively secure medical devices, identify vulnerabilities, and increase employee awareness reporting in order to help mitigate the risk posed by medical devices. 

o If supported by the medical device, use antivirus software on an endpoint. If not supported, provide integrity verification whenever the device is disconnected for service and before it is reconnected to the IT network.

o Encrypt medical device data while in transit and at rest.

o Utilize endpoint detection and response (EDR) and extended detection and response (XDR) solutions, which provide visibility on medical devices and offer protection.

o Ensure default passwords are changed to secure and complex passwords specific to each medical device. If supported by the medical device, limit the number of login attempts per user.

o Maintain an electronic inventory management system for all medical devices and associated software, including vendor-developed software components, operating systems, version and model numbers.

o Use inventory results to identify critical medical devices, operational properties, and maintenance timeframes.

o Consider replacement options for affected medical devices as part of the purchasing process; if replacing the medical device is not feasible, take other mitigation precautions, such as isolating the device from the network or auditing the device’s network activities.

o Work with manufacturers to help mitigate vulnerabilities on operational medical devices.

o Monitor and review vendors’ disclosures of medical device software vulnerabilities and conduct independent vulnerability assessments.

o Implement a routine vulnerability scan before installing any new medical device onto the operating IT network.

o Implement required training for employees on how to identify and report potential threats:
