FBI spotlights cybersecurity risks of outdated medical devices

The bureau has new recommendations for healthcare organizations to address unpatched medical devices, which it says are increasingly being targeted in cyberattacks.
By Andrea Fox


On Tuesday, the FBI issued a report offering recommendations to address a number of cybersecurity vulnerabilities in active medical devices stemming from outdated software, as well as the lack of security features in older hardware.

Once exploited, the vulnerabilities could impact healthcare facility operations, patient safety, data confidentiality and data integrity. If a cyberattacker takes control, they can direct devices to give inaccurate readings, administer drug overdoses or otherwise endanger patient health.

The FBI noted in its briefing that a mid-year healthcare cybersecurity analysis found that equipment vulnerable to cyberattacks includes insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, pacemakers, and intrathecal pain pumps.

Routine challenges include the use of standardized configurations, specialized configurations – including a substantial number of managed devices on a network – and the inability to upgrade device security features, according to the FBI's announcement.

The agency further adds that research has found an average of 6.2 vulnerabilities per medical device and that 40% of medical devices at the end-of-life stage offer little to no security patches or upgrades.

The new briefing is available to help healthcare IT managers act to identify and secure devices and raise employee awareness through risk mitigation training. It reviews:

  • Endpoint protection.

  • Identity and access management.

  • Asset management.

  • Vulnerability management.

  • Training to help mitigate risks associated with employees.

The FBI also asks to be notified through its local field offices about suspicious or criminal activity involving medical devices. Reports should include the organization name and contact; the date, time and location; the type of activity; the number of people affected; and the type of equipment.

Access the recommendations on the American Hospital Association website.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS publication.
