The Internet of Things is all around us. But it doesn’t stop there—now it’s inside us too. As the era of “connected everything” explodes, so does the use of network-connected medical devices. These interconnected devices, ranging from hospital imaging equipment to implantable pacemakers to infusion pumps, help healthcare providers and patients in a variety of tasks—monitoring vitals, regulating dosages, improving diagnostics, and more. But the convenience of this functionality comes with a trade-off: vulnerability. If attackers gain access to a connected medical device, the potential consequences include severe injury and even death. Consider this:
- U.S. hospitals have an average of 10–15 connected medical devices per bed.
- More than 100,000 devices and systems are publicly exposed at healthcare organizations worldwide.
- A 2011 review suggested that at least 6.7 million people in the United States receive medical device implants every year.
- An analysis of 50 hospitals found these security issues in their connected medical devices:
  - User practice issues (41%): The device can download unapproved applications or visit risky websites
  - Outdated operating systems and software (33%)
  - Lateral movement (12%): An attacker gaining access to the device can access other devices and systems on the network
  - Unprotected communications and weak passwords (11%)
  - Network segregation (3%): The network the device is on provides too much access for the device’s needs
How secure are your network-connected medical devices?
Given these statistics, it isn’t surprising that among medical device manufacturers, two-thirds believe an attack on a medical device they built is likely within the next year. But only 17% have taken significant steps to prevent an attack. Making matters worse, fewer than half of manufacturers—and only 22% of healthcare delivery organizations—have a device incident response plan in place.
Thankfully, reports of device hacks are still rare, and there have been no deaths. It seems that so far, the benefits outweigh the risks. And the FDA’s adoption of UL 2900-2-1 as a premarket certification standard is a step in the right direction. But the number of vulnerabilities identified—and recalls and updates issued—is increasing steadily. Check out the timeline below to learn more about the history of security vulnerabilities in medical devices.
*** This is a Security Bloggers Network syndicated blog from Software Integrity authored by Julian Alvarado. Read the original post at: https://www.synopsys.com/blogs/software-security/network-connected-medical-devices/