IoT: The Risks of Unpatched and Outdated Medical IoT Devices

Medical IoT Devices - Risks & Mitigations

Frank Kardasz, Updated September 24, 2022

Editor: Ava Gozo.

 It is estimated that there are 10 to 15 million medical devices in U.S. hospitals. Alarmingly, eight out of ten health care organizations have experienced an IoT focused cyber attack (Landi, 2019).

The Internet of Bodies (IoB) also includes monitors that can be placed into clothing. Researchers have embedded sensors that monitor breathing heart rate and ammonia into T-shirts and face masks (Fahad Alshabouna,  et. al. September, 2022).

The FBI warns that unpatched medical devices running outdated software and lacking security features provide cyber attack opportunities. Some devices are outdated without any option to upgrade their features to provide adequate security (FBI, September 12, 2022).

Vulnerable medical devices include insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, pacemakers, and in intrathecal pain pumps. Malicious actors could compromise the devices and direct them to give inaccurate readings, administer drug overdoses, or otherwise endanger a patient.

A government advisory from September 2022 warns about vulnerabilities with Medtronic 600 series insulin pumps. According to the advisory, "Successful exploitation of this vulnerability could allow an unauthorized user to deliver too much or too little insulin through delivery of an unintended insulin bolus or because insulin delivery is slowed or stopped" (CISA, September 20,2022).

The following mitigations are recommended:

Endpoint Protection

• Antivirus software or integrity verification whenever the device is disconnected for service and before it is reconnected to the IT network.
• Encrypt medical device data while in transit and at rest.
• Endpoint detection and response (EDR) and Extended Detection and Response (XDR) solutions, which provides visibility on medical devices and offers protection.
  

Identity and Access Management

• Ensure default passwords are changed to secure and complex passwords specific for each medical device. 
• Limit the number of login attempts per user.
  

Asset Management

• Maintain an inventory management system for medical devices and associated software, including vendor-developed software components, operating systems, version and model numbers.
• Use inventory results to identify critical medical devices, operational properties, and maintenance time frames.
• Include replacement options for affected medical devices as part of purchasing process; if replacing the medical device is not feasible, take other mitigation precautions, such as isolating the device from network and auditing the device’s network activities.
  

Vulnerability Management

• Work with manufacturers to mitigate vulnerabilities on medical devices.
• Monitor and review software vulnerabilities disclosures by vendors and conduct independent vulnerability assessments.
• Implement a routine vulnerability scan before installing any new medical device onto the operating IT network.
  

Training to Help Mitigate Risk Associated with Employees

• Implement required training for employees on how to identify and report
  potential threats:
• Insider threats related to employees seeking to cause harm to the network or steal information. This includes training on the types of behavior and activity to look for.
• Attacks targeting employees including phishing, social engineering, and spoofing attempts to compromise their accounts or credentials.
• Email alert banners for email exchanges originating outside of the organization.
  

References

CISA. (September 20, 2022). ICS Medical Advisory (ICSMA-22-263-01)
Medtronic NGP 600 Series Insulin Pumps. https://www.cisa.gov/uscert/ics/advisories/icsma-22-263-01

Fahad Alshabouna, Hong Seok Lee, et. al. (September, 2022). PEDOT:PSS-modified cotton conductive thread for mass manufacturing of textile-based electrical wearable sensors by computerized embroidery. Materials Today, 2022; DOI: 10.1016/j.mattod.2022.07.015. https://www.sciencedaily.com/releases/2022/09/220923121721.htm

Landi, Heather. (August 29, 2019). 82% of healthcare organizations have experienced an IoT-focused cyberattack, survey finds. https://www.fiercehealthcare.com/tech/82-healthcare-organizations-have-experienced-iot-focused-cyber-attack-survey-finds

FBI. (September 12, 2022). Unpatched and Outdated Medical Devices Provide
Cyber Attack Opportunities. Dept. of Justice, FBI Cyber Division. https://www.ic3.gov/Media/News/2022/220912.pdf

=-=-=-=-=-=

https://kardasz.blogspot.com/2022/09/IoT-medical-devices.html