To achieve medical device security, a healthcare organisation must have complete visibility into the number of devices on its network, patch and replace out-of-date devices on a regular basis, and stay on top of the latest technical vulnerabilities in order to patch devices before they harm patients. The difficulty is that most healthcare companies face considerable challenges in implementing those procedures: visibility is still a challenge, and new vulnerabilities and patches are identified on a regular basis.
While there have been no reports to date of patients being harmed as a result of medical device vulnerabilities, research has indicated that threat actors can exploit vulnerabilities and harm patients through connected medical equipment. Researchers from McAfee have uncovered vulnerabilities in two types of B. Braun infusion pumps that might allow hackers to control drug doses remotely. Furthermore, due to cybersecurity concerns, the US Food and Drug Administration (FDA) has issued a recall on a family of Medtronic insulin pumps.
Organizations rarely utilise discretion to assess the cybersecurity of networked medical equipment, according to research undertaken by the HHS Office of Inspector General (OIG). Medical device security assessments were either weak or nonexistent, according to the OIG's review of Medicare accreditation organisation (AO) hospital surveys. According to previous KLAS data, healthcare companies own an average of 10,000 medical devices. The absence of asset inventories, and of visibility into how many devices are on their organization's network, is causing chief information security officers (CISOs) to become increasingly concerned.