Medical device disclosures on the rise, but providers struggle to patch known flaws

Recent Claroty research shows that the number of vulnerability disclosures, including those for medical devices, are on the rise. However, patch management struggles may be impeding that progress. As seen with new Palo Alto research on infusion pump vulnerabilities, the majority of these devices are operating with known flaws.

The two reports impart the continued challenges to securing medical devices in the healthcare environment: the continued chasm between responsible disclosures and providers' ability to close known security gaps.

Specifically, Claroty research shows over half of vulnerabilities in end-of-life products are remotely exploitable, while the majority of infusion pumps examined by Palo Alto Networks Unit 42 hold known security gaps.

Numerous studies have shown healthcare’s heavy reliance on medical devices built on legacy systems or those in end-of-life stages for a variety of reasons, including that it’s simply not cost effective to replace a fully functioning MRI or other large machine.

Any large hospital or clinic can hold as many as a thousand or more infusion pumps, which are often hard to track due to a host of challenges with inventory. As noted in the Unit 42 report, the average infusion pump has a lifespan of eight to 10 years, which means that use of legacy equipment will persist and continue to hamper security efforts.

“Recalls, whether due to mechanical failure or cybersecurity vulnerability, can be a source of anxiety for supply chain managers, clinical engineers and IT security teams,” Unit 42 researchers explained. “An oversight or a miss in any of these areas, whether the devices need repair, maintenance, software patches or updates, can put patient lives or sensitive information at risk.”

Healthcare organizations also struggle to maintain strong patch management policies able to swiftly remediate vulnerabilities after disclosure, despite a number of federal and private sector efforts to support and educate providers with remediation. As it stands, many providers assess and accept a certain amount of risk, which makes the Unit 42 research slightly alarming.

As noted in the Claroty report, its Team82 found and disclosed 110 vulnerabilities in the second half of 2021 (29 found in end-of-life devices).

More than half of the vulnerabilities in end-of-life platforms are remotely exploitable and could lead to code execution of denial-of-service if exploited. Further, medical devices held the third-most end-of-life products with vulnerabilities, behind basic control devices and supervisory control devices.

Of the disclosed flaws, 34% impact IoT, IT, and IoMT products. The report covers data from all commercial products running incident critical infrastructure entities, including healthcare. It also shows a  34% increase in medical device vulnerability disclosures, up from 29% in 1H 2021.

Of the 60 medical device flaws disclosed by Team82, 31 were tied to firmware, 28 held in software, and one vulnerability impacted both firmware and software. Notably, the network was the most common attack vector for medical devices, followed by local.

Action needed after disclosure of medical device flaws

It can’t be overstated that vulnerability disclosures are imperative to strengthening the ability of healthcare organizations to remediate potential security issues at the source. However, disclosures without action can prove detrimental to keeping the enterprise networks and the devices safe. 

As seen with the Unit 42 report, known vulnerabilities are a massive, ongoing issue in the healthcare sector.

Unit 42 researchers examined crowdsourced data from scans of 200,000 infusion pumps found on hospital and healthcare entity networks using Palo Alto IoT Healthcare tools. The researchers found 75% of scanned infusion pumps held known security gaps, placing them at a heightened risk of compromise.

These flaws included one or more of approximately 40 known cybersecurity vulnerabilities and/or alerts that the device had one or more of about 70 other known security shortcomings in IoT devices. 

The report also showed about half of the scanned infusion pumps were susceptible to two known vulnerabilities disclosed in 2019 (CVE-2019-12255 and (CVE-2019-12264), one ranked as “critical severity” and the other “high.”

Eight of the 10 most commonly detected flaws were ranked high or critical severity. The most commonly observed vulnerabilities could lead to the leakage of information and unauthorized access and overflow, while the flaws that stemmed from third-party TCP/IP stacks could still impact the device itself and the operating system.

These security gaps “highlight the need for the healthcare industry to redouble efforts to protect against known vulnerabilities, while diligently following best practices for infusion pumps and hospital networks,” Unit 42 researchers wrote. But protecting vulnerable devices “goes beyond device identification and alerting.”

“The sheer volume of devices in the healthcare environment makes an alert-only approach risky and impractical,” they added. “Alert-only solutions require integration with third-party systems for prevention, adding to the complexity of deploying and managing these systems over time.”

Both reports provide long lists of actions and tools providers can take to move the needle on this ongoing challenge, joining previous insights from the Health Sector Coordinating Council.