blackboard - stock.adobe.com

63% of known exploited vulnerabilities found on healthcare networks

A study shows just how exposed medical devices and implementations are to cyberattacks from CISA-tracked known exploited vulnerabilities.

Healthcare networks and medical devices are highly vulnerable to cyberattacks, according to a recent study from cyber-physical systems protection company Claroty.

The study found that 63 percent of known exploited vulnerabilities (KEVs) tracked by the Cybersecurity and Infrastructure Security Agency (CISA) can be found on healthcare networks. About 23 percent of medical devices, including imaging, clinical IoT and surgery devices, also have at least one KEV.

CISA maintains a database of these software vulnerabilities and weaknesses, which have been used in publicly known attacks. As CVEs disclose public exploits, CISA updates the catalog with affected vendors, publication dates, descriptions of the vulnerability and mitigation or remediation advice.

These KEVs are widespread across hospital networks, making healthcare delivery organizations vulnerable to cyberattacks that can disrupt patient systems and care. For example, the study found that 4 percent of devices used for surgeries can be accessed through a hospital’s guest network. Guest networks tend to be the least secure and most exposed place.

About 14 percent of connected medical devices are also running an unsupported or end-of-life operating system (OS). Of these devices, about a third are imaging devices, including X-ray and MRI systems. What’s troubling for hospitals is that, unlike infusion pumps or other patient devices, there are usually only a few of these devices used by the entire facility for diagnosis and prescriptive treatment.

Even more troubling is that 7 percent of surgical devices are running on these legacy systems. But even the few clinical IoT devices (23 percent) and hospital IT systems (20 percent) running on these legacy systems pose a significant risk of having critical vulnerabilities that are no longer patchable from vendors.

Patching and updating medical devices are resource-intensive for healthcare delivery organizations. The study explained that medical devices do not have the capability to regularly patch and update like Windows and Linux systems. Vulnerability patching is typically an add-on service provided by medical device manufacturers for a cost. These manufacturers may also support contracts for devices on unsupported operating systems.

"Connectivity has spurred big changes in hospital networks, creating dramatic improvements in patient care with doctors able to remotely diagnose, prescribe, and treat with a never-before-seen efficiency," Amir Preminger, vice president of research at Claroty, said in a statement.

"However, the increase in connectivity requires proper network architecture and an understanding of the exposure to attackers that it introduces. Healthcare organizations and their security partners must develop policies and strategies that stress the need for resilient medical devices and systems that can withstand intrusions. This includes secure remote access, prioritizing risk management, and implementing segmentation,” Preminger continued.

Next Steps

Dig Deeper on Cybersecurity strategies