The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

59% Year-over-year Increase in Exploitable Vulnerabilities in Medical Devices

A joint research project by Health-ISAC, Finite State, and Securin has revealed that exploitable vulnerabilities in medical devices have increased by almost 60% since 2022. The researchers identified almost 1,000 vulnerabilities across 966 medical products, a 59% year-over-year increase from 2022. In total, 993 vulnerabilities were identified that malicious actors could exploit to gain access to healthcare networks; 160 of them have already been weaponized, and a further 101 are trending in the wild. Advanced Persistent Threat (APT) actors are known to be actively exploiting 9 of the vulnerabilities, and ransomware gangs are actively exploiting 7.

A recent study by Akamai found that cybercriminal groups, and ransomware gangs in particular, are increasingly exploiting vulnerabilities in software, firmware, and operating systems to gain initial access to networks. Threat actors are devoting resources to in-house research to identify zero-day vulnerabilities in software solutions that can be mass-exploited in attacks. The Clop threat group, for example, identified a zero-day vulnerability in Fortra’s GoAnywhere MFT solution and exploited it to gain access to the sensitive data of dozens of organizations, while the zero-day vulnerability in Progress Software’s MOVEit Transfer solution was used to attack at least 621 organizations worldwide. Threat actors are also purchasing exploits for known vulnerabilities and exploiting those vulnerabilities before vendors have released patches and before organizations have had time to apply them.

The increase in high-severity and critical vulnerabilities in the software and firmware of connected medical devices is a major cause for concern. The research project found a 437% year-over-year increase in remote code execution and privilege escalation vulnerabilities, which are especially attractive to hackers and particularly dangerous for healthcare organizations. “Our research unveils a disturbing year-over-year increase in firmware vulnerabilities within connected medical products and devices, underscoring an urgent need for robust software supply chain security,” said Larry Pesce, Director of Product Security Research and Analysis at Finite State. “The rise of weaponized exploits demands immediate, collective action to safeguard not only our technological integrity but, ultimately, patient safety.”

The 2023 IBM Security Cost of a Data Breach Report revealed that healthcare data breaches now cost almost $11 million, but far more serious than the financial cost is the risk to patient safety. Hackers could alter patient data, resulting in a misdiagnosis or incorrect treatment being delivered. Treatment is often delayed by cyberattacks that take electronic medical record systems and other essential IT systems offline, and attacks often cause financial harm to patients, frequently leading to identity theft and fraud. There have also been multiple recent cases where highly sensitive medical information, including naked images, has been leaked online, and threat actors have attempted to extort patients directly.


The report makes several recommendations for protecting against attacks that exploit vulnerabilities: ensure a regular penetration testing cadence; prioritize patching based on known risks; incorporate binary analysis tools into the security strategy to generate a Software Bill of Materials (SBOM) and use the results to guide pen testing; and mandate that all vendors follow a secure-by-design methodology. The report is available at this link: 2023 State of Cybersecurity for Medical Devices and Healthcare Systems.
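As an added illustration of the report's advice to generate an SBOM and prioritize patching by known risk (example code written for this page, not from the report or its authors): it ranks a constructed CycloneDX-style component list against a constructed vulnerability feed whose flags mirror the report's categories, so that actively exploited and weaponized flaws outrank a merely higher CVSS score. Component names, versions and vulnerability IDs are placeholders, and the tier weights are an assumption, not values from the report.

```python
import json

# Constructed minimal CycloneDX-style SBOM (sample data, not from the report).
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"name": "pump-controller-fw", "version": "2.1.0"},
  {"name": "imaging-gateway", "version": "5.4.2"},
  {"name": "tls-lib", "version": "1.0.9"}]}"""


def vuln(vid, cvss, vuln_class, weaponized=False, trending=False, apt=False, ransomware=False):
    """Feed record; flags mirror the report's categories (weaponized, trending,
    APT-exploited, ransomware-exploited) plus the vulnerability class."""
    return dict(id=vid, cvss=cvss, vuln_class=vuln_class, weaponized=weaponized,
                trending=trending, apt=apt, ransomware=ransomware)


# Constructed vulnerability feed keyed by (name, version); IDs are placeholders, not real CVEs.
VULN_FEED = {
    ("pump-controller-fw", "2.1.0"): [vuln("PLACEHOLDER-1", 7.5, "rce", weaponized=True, ransomware=True)],
    ("imaging-gateway", "5.4.2"): [vuln("PLACEHOLDER-2", 9.8, "dos"),
                                   vuln("PLACEHOLDER-3", 6.1, "privesc", trending=True)],
    ("tls-lib", "1.0.9"): [vuln("PLACEHOLDER-4", 8.1, "info-leak", weaponized=True)],
}

# Assumed weights encoding the report's urgency order: active APT/ransomware exploitation
# first, then weaponized exploits, then trending, then the RCE/privilege-escalation class.
TIER_WEIGHTS = {"active": 1000, "weaponized": 500, "trending": 250, "rce_privesc": 100}


def score_vuln(v):
    """Tiered score; the CVSS base score only orders entries within a tier."""
    score = 0
    if v["apt"] or v["ransomware"]:
        score += TIER_WEIGHTS["active"]
    if v["weaponized"]:
        score += TIER_WEIGHTS["weaponized"]
    if v["trending"]:
        score += TIER_WEIGHTS["trending"]
    if v["vuln_class"] in ("rce", "privesc"):
        score += TIER_WEIGHTS["rce_privesc"]
    return score + v["cvss"]


def prioritize(sbom_json, feed):
    """Return [(name, version, score, [ids])] highest risk first; a component's
    score is that of its worst vulnerability. Components with no feed entries are omitted."""
    ranked = []
    for comp in json.loads(sbom_json)["components"]:
        vulns = feed.get((comp["name"], comp["version"]), [])
        if vulns:
            ranked.append((comp["name"], comp["version"],
                           max(score_vuln(v) for v in vulns), [v["id"] for v in vulns]))
    return sorted(ranked, key=lambda r: r[2], reverse=True)
```

With the constructed data, the imaging gateway carrying the CVSS 9.8 flaw ranks last because its issues are neither weaponized nor actively exploited, while the ransomware-exploited pump firmware ranks first.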

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
