Exploitable Vulnerabilities That Expose Healthcare Facilities Surged Nearly 60% Since 2022, New Research Report Finds
A Foreword from the Health-ISAC
Improving patient safety and protecting healthcare from cybersecurity threats is our top priority at Health-ISAC. The healthcare sector is essential to a country’s
national security infrastructure. Cyber-attacks on healthcare systems can have broader implications for public health and national security.
If hackers gain unauthorized access to medical records or alter patient data, it can result in misdiagnosis, incorrect treatment plans, or delayed care. In severe
cases, patients’ lives could be at risk. Protecting medical histories, test results, insurance details, and personal information is crucial to maintain patient privacy
and confidentiality. Breaches can lead to identity theft, fraud, or exposure to highly sensitive medical conditions. Cyber espionage or intellectual property theft can
undermine medical research, stalling medical advancements. Modern healthcare relies heavily on interconnected systems and medical devices. If these systems lack
adequate cyber security, they become entry points for intruders who can infiltrate the broader healthcare network.
While the health sector has made much progress in improving cyber resilience over the last decade, the research and analysis in this report continue to shed light on the
depth and breadth of challenges that exist to secure the healthcare ecosystem. Health-ISAC continues to build a global healthcare community to empower trusted
relationships to prevent, detect, and respond to cybersecurity and physical security events so that organizations can focus on improving health and saving lives.
Health-ISAC continues to team with leading security firms to provide valuable resources for our members to identify and secure their environments.
Joint research project from Health-ISAC, Finite State, and Securin discovers nearly 1,000 vulnerabilities spanning 966 medical products
COLUMBUS, Ohio, Ormond Beach, FL & Albuquerque, NM — August 8, 2023 — Health-ISAC, Finite State, and Securin, Inc., released today a joint research report targeting medical devices, software applications, and healthcare systems. The research found that 993 vulnerabilities–a 59% year-over-year increase from 2022–lurk within 966 medical products and devices, and attackers could exploit them to target a healthcare facility.
Of the 993 vulnerabilities, 160 are weaponized and 101 are trending in the wild. Additionally, Advanced Persistent Threat Groups are exploiting seven, and four are associated with ransomware.
“Healthcare organizations must prioritize cybersecurity measures, employ robust cybersecurity practices, conduct regular risk assessments, and stay updated on the latest security threats and technologies to proactively protect against cyber threats,” said Phil Englert, Health-ISAC’s VP of Medical Device Security. “Health-ISAC focuses on enhancing cyber resilience within the global healthcare sector by facilitating collaboration, sharing threat intelligence, developing and sharing best practices and providing resources and support to its members to build resilience within member organizations and the healthcare community as a whole.”
Software and firmware that power connected medical products and devices paramount to human health and safety are increasingly at risk due to high numbers of critical and high-rated vulnerabilities. In fact, 43 vulnerabilities–a 437% year-over-year increase from 2022–have been categorized as RCE/PE exploits, making them dangerous and attractive to hackers. These results highlight a growing need to strengthen software supply chain security by securing connected medical products and devices.
“Our research unveils a disturbing year-over-year increase in firmware vulnerabilities within connected medical products and devices, underscoring an urgent need for robust software supply chain security,” said Larry Pesce, Director of Product Security Research and Analysis at Finite State. “The rise of weaponized exploits demands immediate, collective action to safeguard not only our technological integrity but, ultimately, patient safety.”
Healthcare, a critical infrastructure classified by the US Government, continues to be a prime target for cyberattacks, posing potential consequences ranging from network disruptions to compromised medical equipment, which could lead to fatal outcomes.
“As the healthcare industry continues to digitize, cyber threats are becoming increasingly sophisticated, putting the privacy and safety of patients at risk,” said Kiran Chinnagangannagari, CTO of Securin. “It is important to understand and address these risks head on, to protect patients’ data and well-being.”
Read our research report to see the survey’s full findings.
About Finite State
Finite State empowers organizations to gain control of application and product security for their connected devices and software supply chains. Across the software supply chain lifecycle, Finite State is the single pane of glass for customers that provides continuous visibility into software supply chain risk.
Backed by a team of seasoned experts, Finite State’s platform arms customers with the automation to scale risk mitigation and 2B+ data points to deliver actionable SBOM’s and insights, critical vulnerability data and the remediation guidance necessary to mitigate AppSec and product risk to protect the connected attack surface.
About Health-ISAC
Health-ISAC — a non-profit, private sector, member-driven organization — plays an essential role in providing situational awareness around cyber and physical security threats to the Healthcare Sector so that companies can detect, mitigate, and respond to ensure operational resilience. Health-ISAC connects thousands of healthcare security professionals worldwide to share peer insights, real-time alerts, and best practices in a trusted, collaborative environment. As the go-to source for timely, actionable, and relevant information, Health-ISAC is a force-multiplier that enables healthcare organizations of all sizes to enhance situation awareness, develop effective mitigation strategies and proactively defend against threats every single day.
About Securin
Securin is a leading provider of tech-enabled cybersecurity services, helping customers gain resilience against emerging threats. Our products and services are powered by accurate vulnerability intelligence, human expertise, and automation, enabling enterprises to make critical security decisions to manage their expanding attack surfaces.
Report Overview
The 2023 State of Cybersecurity for Medical Devices and Healthcare Systems report finds that the software and firmware powering connected medical devices and healthcare applications are increasingly at risk due to numerous critical and high-rated vulnerabilities.
The research, conducted collaboratively by Securin, Finite State, and Health Information Sharing and Analysis Center (Health-ISAC), focused on analyzing credible public disclosures of cyber vulnerabilities. This analysis specifically targeted medical devices, software applications, and healthcare systems. The research assessed a total of 117 medical device and healthcare application vendors along with their 966 products.
- Related Resources & News
- 2024 Newsletter – December
- Health-ISAC Hacking Healthcare 11-26-2024
- Privileged Access Management: A Guide for Healthcare CISOs
- Hobby Exercise 2024 After Action Report
- Vulnerability Metrics and Reporting
- 2024 Annual Member Satisfaction Survey Results
- Leveraging ISO 81001-5-1 Amid Medical Device Procurement
- Mitigating risk as healthcare supply chain attacks prevail
- Enhancing Cybersecurity in Rural Hospitals
- Health-ISAC Hacking Healthcare 11-15-2024