The U.S. Food and Drug Administration (FDA) cautioned the health care industry to be wary about networked medical devices containing off-the-shelf (OTS) software that can connect to networks. Both health care IT professionals and manufacturers are responsible for securing medical devices by performing regular software updates and applying security patches.

Stolen medical records are 10 times more valuable to fraudsters than credit card credentials. Even though medical devices don’t house full patient records, they can be targets if they are connected to networks. Networked medical devices are part of the Internet of Things (IoT) and extend the endpoints by which intruders can gain access to computing systems that contain patient data ranging from medical records to financial information.

Cyberbreaches have devolved from straightforward data thefts to acts of mischief that can cause disruption. Health care organizations should review any medical devices that connect to networks to protect their infrastructure and patients from malicious acts.

What Medical Technologies Are Vulnerable?

Connected medical devices use various types of software to perform their functions. Health care organizations generally assume that these devices meet the relevant specifications because the manufacturers execute FDA software validation processes to ensure their products perform as intended. That validation process reviews the device, the vendor-created software and any OTS software used to deliver the intended functionality.

OTS software can include operating systems such as Windows or Linux, utility programs such as Adobe Flash or interface components such as text editors. The device itself may work as intended, but because cybercriminals continuously search for vulnerabilities in any networked system they can access, these devices are subject to intrusion and exploitation.

The range of systems that can be affected includes some of the most important devices used for diagnostics and patient care. The FDA lists examples including “systems that obtain, archive and communicate pictures on networks within health care facilities, such as computed tomography (CT), magnetic resonance (MR), ultrasound (US), nuclear medicine (NM) and endoscopy; systems that monitor patient activity, such as electrocardiographic (ECG) systems; and systems that communicate with clinical laboratory analyzers, such as laboratory information systems.” That encompasses computers, routers and switches that connect operating rooms to databases.

Securing Medical Devices Is a Team Effort

IT professionals at health care organizations are accustomed to managing updates and patches for their computing environments, but medical devices are generally under the purview of the practice and maintained by manufacturers. The FDA stated that manufacturers have received guidance by way of updates and restatements of the agency’s rules regarding the use of OTS software.

Device manufacturers are responsible for the safety of their software, according to the FDA’s Quality System regulation. While the manufacturers are not required to retest their systems when they issue patches and updates, they need to keep their systems compliant with their original validation.

Health care facilities should take responsibility for the safety of their patients and their data systems by performing a comprehensive inventory of their connected medical equipment. Once they have identified the equipment and associated manufacturers, they should contact each manufacturer to request system status information, as well as assurance that software updates and patches have been applied.

Cybersecurity is a shared responsibility. Medical facilities deal with a large portion of the world’s population and house troves of sensitive information. The medical devices they use to make diagnoses and deliver treatment must be kept up to date to keep this data safe.
