Claroty released a new report that uncovered concerning data about the security of medical devices connected to healthcare organization networks.

The State of CPS Security Report: Healthcare 2023 discovered a staggering 63% of CISA-tracked Known Exploited Vulnerabilities (KEVs) on these networks, and that 23% of medical devices—including imaging devices, clinical IoT devices, and surgery devices—have at least one KEV.

In the first healthcare-focused edition of The State of CPS Security Report, Team82, Claroty’s award-winning research group, examines how the challenge of more and more connected medical devices and patient systems coming online increases exposure to the rising tide of cyberattacks focused on disrupting hospital operations. The aim of this research is to demonstrate the broad connectivity of critical medical devices—from imaging systems to infusion pumps—and describe the implications of their exposure online. Vulnerabilities and implementation weaknesses frequently surface in Team82’s research, and a direct line can be drawn to potentially negative patient outcomes in each of these cases.

“Connectivity has spurred big changes in hospital networks, creating dramatic improvements in patient care with doctors able to remotely diagnose, prescribe, and treat with a never-before-seen efficiency,” says Amir Preminger, vice president of research at Claroty.

“However, the increase in connectivity requires proper network architecture and an understanding of the exposure to attackers that it introduces. Healthcare organizations and their security partners must develop policies and strategies that stress the need for resilient medical devices and systems that can withstand intrusions. This includes secure remote access, prioritizing risk management, and implementing segmentation,” Preminger adds.

Key findings:

  • Guest network exposure: 22% of hospitals have connected devices that bridge guest networks—which provide patients and visitors with WiFi access—and internal networks. This creates a dangerous attack vector, as an attacker can quickly find and target assets on the public WiFi, and leverage that access as a bridge to the internal networks where patient care devices reside. In fact, Team82’s research showed a shocking 4% of surgical devices—critical equipment that if they fail could negatively impact patient care—communicate on guest networks.
  • Unsupported or end-of-life OSs: 14% of connected medical devices are running on unsupported or end-of-life OSs. Of the unsupported devices, 32% are imaging devices, including X-Ray and MRI systems, which are vital to diagnosis and prescriptive treatment, and 7% are surgical devices.
  • High probability of exploitation: The report examined devices with high Exploit Prediction Scoring System (EPSS) scores, which represent the probability that a software vulnerability will be exploited in the wild on a scale of 0-100. Analysis showed that 11% of patient devices, such as infusion pumps, and 10% of surgical devices contain vulnerabilities with high EPSS scores. Digging deeper, when looking at devices with unsupported OSs, 85% of surgical devices in that category have high EPSS scores.
  • Remotely accessible devices: This research examined which medical devices are remotely accessible and found those with a high consequence of failure, including defibrillators, robotic surgery systems, and defibrillator gateways, are among this group. Research also showed 66% of imaging devices, 54% of surgical devices, and 40% of patient devices to be remotely accessible.

Team82’s complete set of findings, in-depth analysis, and recommended security measures in response to vulnerability trends, are available by downloading the State of CPS Security Report: Healthcare 2023.