A new report from Unit 42 says that 41% of attacks exploit healthcare device vulnerabilities, going through network-connected devices to exploit known weaknesses. The report also describes a shift from IoT botnets conducting denial-of-service attacks to more sophisticated attacks targeting patient identities, corporate data, and monetary profit via ransomware.
Medical devices are currently in a critical state, running outdated operating systems. Due to their long lifecycles, medical IoT devices are among the worst offenders when it comes to running outdated and, in many cases, end-of-life operating systems, Unit 42 said. These devices are neither maintained by IT nor supported by the operating system vendors.
Biomedical engineers who maintain medical devices often lack the training and resources needed to follow IT security best practices for employing password rules, storing passwords securely, and maintaining up-to-date patch levels on devices.
The National Cybersecurity Center of Excellence (NCCoE) completed a medical IoT device security project in 2019 called Securing Picture Archiving and Communication Systems (PACS). NCCoE found that 83% of all medical imaging systems run on end-of-life operating systems with known vulnerabilities and no security updates or patch support. This is a 56% jump from 2018 as a result of Windows 7 reaching its end of life.