Nurse call systems, infusion pumps and medication dispensing stations are among the top connected medical devices at greatest vulnerability for cyberattacks, according to newly released research from the cybersecurity company Armis.
IP cameras and printers and Voice over Internet Protocol (VoIP) also are high on the list of risky internet-connected devices used in healthcare settings, investigators report found.
The report analyzed data from Armis Asset Intelligence and Security Platform, which tracks more than three billion assets. Some other report highlights:
- Nurse call systems are the riskiest connected medical device, with 39% having critical severity unpatched Common Vulnerabilities and Exposures (CVEs) and almost half having unpatched CVEs. Critical severity is the highest level of security risk.
- Infusion pumps are second, with 27% having critical severity unpatched CVEs and 30% having unpatched CVEs. Medication dispensing systems are in third place, with 4% having critical severity unpatched CVEs, but 86% having unpatched CVEs.
- Almost 1 in 5 connected medical devices are running unsupported OS versions.
- More than half of Internet Protocol (IP) cameras and 30% of printers monitored in clinical environments had critical severity unpatched CVEs.
“Advances in technology are essential to improve the speed and quality of care delivery as the industry is challenged with a shortage of care providers, but with increasingly connected care comes a bigger attack surface,” Mohammad Waqas, principal solutions architect for Healthcare at Armis, said in a news release. He delivered a presentation on medical device vulnerabilities in April at the HIMSS annual conference in Chicago.
“Protecting every type of connected device, medical, IoT, even the building management systems, with full visibility and continuous contextualized monitoring is a key element to ensuring patient safety,” he added.
The US Food and Drug Administration will soon require medical device makers to include cybersecurity information in their pre-market submissions under a law passed by Congress last year. The FDA has given device makers until Oct. 1 to prepare their cybersecurity plans.
