The FBI has published a Private Industry Notification (PIN) warning of security risks posed by unpatched and legacy medical devices. According to the notification, risks include outdated software, using default configurations, and devices designed without security in mind. The FBI’s recommendations include implementing endpoint protection, access management, asset and vulnerability management, and employee training.
Note
- One thing often overlooked when it comes to procuring smart devices (be it a car that interfaces with a smartphone or a Wi-Fi controlled infusion pump) is the fact that vendors typically have rather limited “end of support” timelines. We are used to having devices like this last for a decade or longer, while software support often expires after a couple of years. Will your car still be able to interface with the phone released in 2032?
- These devices have a 10-30 year lifespan, and when they were installed the threat landscape was nothing like it is today. In many cases you’re unlikely to be ready to retire them and may not be able to update them either. Aside from formally tracking the lifecycle of these devices, make sure they are as isolated as possible, and have firm plans (which may require hard conversations) about keeping them updated.
- Intuitively the risk is to the health of patients. However, security is a space in which intuition does not serve us well. More likely is the risk that, using gratuitous general purpose operating system code in the device, it will be co-opted into a botnet.
Read more in
- Unpatched and Outdated Medical Devices Provide Cyber Attack Opportunities (PDF)
- FBI: Legacy medical devices pose risk of exploit, patient safety impacts
- FBI recommends action to protect vulnerable medical devices from cyberattacks
- FBI Warns of Patient Safety, Security Risks Associated With Legacy Medical Devices