PRESS RELEASE. NEW YORK and ORLANDO, Fla., March 12, 2024 /PRNewswire/ - Claroty, the cyber-physical systems protection company, released today at the annual HIMSS24 conference a new report that uncovered concerning data about the security of medical devices connected to the networks of healthcare organizations such as hospitals and clinics.
The State of CPS Security Report: Healthcare 2023 found that a staggering 63% of CISA-tracked Known Exploited Vulnerabilities (KEVs) are present on these networks, and that 23% of medical devices, including imaging devices, clinical IoT devices, and surgery devices, have at least one KEV. In the first healthcare-focused edition of The State of CPS Security Report, Team82, Claroty's award-winning research group, examines how the growing number of connected medical devices and patient systems coming online increases exposure to the rising tide of cyberattacks aimed at disrupting hospital operations.
The aim of this research is to demonstrate the broad connectivity of critical medical devices, from imaging systems to infusion pumps, and to describe the implications of their exposure online.
Vulnerabilities and implementation weaknesses frequently surface in Team82's research, and a direct line can be drawn to potentially negative patient outcomes in each of these cases.
Guest Network Exposure: 22% of hospitals have connected devices that bridge guest networks, which provide patients and visitors with WiFi access, and internal networks.
This creates a dangerous attack vector, as an attacker can quickly find and target assets on the public WiFi and leverage that access as a bridge to the internal networks where patient care devices reside.
Team82's research showed that a shocking 4% of surgical devices, critical equipment whose failure could negatively impact patient care, communicate on guest networks.
Unsupported or End-of-Life OSs: 14% of connected medical devices are running on unsupported or end-of-life OSs.
Of the unsupported devices, 32% are imaging devices, including X-Ray and MRI systems, which are vital to diagnosis and prescriptive treatment, and 7% are surgical devices.
High Probability of Exploitation: The report examined devices with high Exploit Prediction Scoring System scores, which represent the probability that a software vulnerability will be exploited in the wild on a scale of 0-100.
Analysis showed that 11% of patient devices, such as infusion pumps, and 10% of surgical devices contain vulnerabilities with high EPSS scores.
Digging deeper, when looking at devices with unsupported OSs, 85% of surgical devices in that category have high EPSS scores.
Remotely Accessible Devices: This research examined which medical devices are remotely accessible and found that those with a high consequence of failure, including defibrillators, robotic surgery systems, and defibrillator gateways, are among this group.
The research also found that 66% of imaging devices, 54% of surgical devices, and 40% of patient devices are remotely accessible.
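The four risk factors the release reports (a CISA-tracked KEV on the device, a high EPSS score, an unsupported operating system, and guest-network bridging or remote reachability) are exactly the attributes a hospital security team would join against its own asset inventory to prioritise remediation. The script below is an added illustration of that triage, not Claroty's code or data: the device inventory, the KEV catalog entries, the EPSS values (expressed on the 0-100 scale the release describes) and the CVE identifiers are all constructed placeholders, and the "high EPSS" threshold of 90 is an assumption chosen for the example.

```python
"""Triage a medical-device inventory against the risk factors named in the report.

All sample data below is constructed for this example; CVE ids are placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed stand-ins for the CISA KEV catalog and EPSS feed (placeholder ids).
KEV_CATALOG: Set[str] = {"CVE-0000-0001", "CVE-0000-0002"}
EPSS_SCORES: Dict[str, float] = {
    "CVE-0000-0001": 97.0,  # high probability of exploitation (0-100 scale)
    "CVE-0000-0002": 12.0,
    "CVE-0000-0003": 3.0,
}
UNSUPPORTED_OS: Set[str] = {"Windows XP", "Windows 7"}  # end-of-life examples
EPSS_HIGH_THRESHOLD = 90.0  # assumed cut-off for "high EPSS" in this example


@dataclass
class Device:
    name: str
    category: str               # "imaging", "surgical", "patient", ...
    os: str
    networks: List[str]         # network segments the device talks on
    cves: List[str] = field(default_factory=list)
    remotely_accessible: bool = False


def risk_factors(dev: Device,
                 kev: Set[str] = KEV_CATALOG,
                 epss: Dict[str, float] = EPSS_SCORES,
                 eol: Set[str] = UNSUPPORTED_OS,
                 threshold: float = EPSS_HIGH_THRESHOLD) -> List[str]:
    """Return the report's risk factors that apply to one device."""
    factors: List[str] = []
    if any(c in kev for c in dev.cves):
        factors.append("kev")
    if any(epss.get(c, 0.0) >= threshold for c in dev.cves):
        factors.append("high_epss")
    if dev.os in eol:
        factors.append("eol_os")
    # Bridging = the device sits on the guest segment AND on at least one other segment.
    if "guest" in dev.networks and any(n != "guest" for n in dev.networks):
        factors.append("guest_bridge")
    if dev.remotely_accessible:
        factors.append("remote")
    return factors


def triage(devices: List[Device]) -> List[Tuple[str, List[str]]]:
    """Rank devices by the number of risk factors, most exposed first (stable sort)."""
    scored = [(d.name, risk_factors(d)) for d in devices]
    return sorted(scored, key=lambda item: -len(item[1]))


def share_with_kev(devices: List[Device]) -> Dict[str, float]:
    """Percentage of devices per category with at least one KEV, as the report tabulates."""
    totals: Dict[str, int] = {}
    hits: Dict[str, int] = {}
    for d in devices:
        totals[d.category] = totals.get(d.category, 0) + 1
        if "kev" in risk_factors(d):
            hits[d.category] = hits.get(d.category, 0) + 1
    return {cat: round(100.0 * hits.get(cat, 0) / n, 1) for cat, n in totals.items()}


# Constructed inventory for the example.
SAMPLE_DEVICES: List[Device] = [
    Device("MRI-01", "imaging", "Windows 7", ["clinical"], ["CVE-0000-0001"], True),
    Device("Pump-07", "patient", "Linux", ["clinical"], ["CVE-0000-0002"], False),
    Device("Robot-02", "surgical", "Windows XP", ["guest", "clinical"], ["CVE-0000-0003"], True),
    Device("Cart-11", "patient", "Linux", ["guest"], [], False),
]

if __name__ == "__main__":
    for name, factors in triage(SAMPLE_DEVICES):
        print(f"{name:10} {', '.join(factors) or 'no flagged factors'}")
    print(share_with_kev(SAMPLE_DEVICES))
```

Note the distinction the bridging check makes: a device that lives only on the guest segment (Cart-11) is not flagged, because the release's concern is devices that span the guest and internal networks. A real deployment would replace the constructed catalog and score tables with the published CISA KEV feed and EPSS data, and would add the device's clinical consequence-of-failure (defibrillators, surgical robots) as a further weighting.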
The State of CPS Security Report: Healthcare 2023 is a snapshot of healthcare cybersecurity trends, medical device vulnerabilities, and incidents observed and analyzed by Team82, Claroty's threat research team, and our data scientists.
Information and insights from trusted open sources, including the National Vulnerability Database, the Cybersecurity and Infrastructure Security Agency, the Healthcare Sector Coordinating Council Working Group, and others, also were used to bring invaluable context to our findings.
The primary author of this report is Chen Fradkin, full stack data scientist at Claroty.
Contributors include: Ty Greenhalgh, industry principal, healthcare; Yuval Halaban, risk team lead; Rotem Mesika, threat and risk group lead; Nadav Erez, vice president of data; and Amir Preminger, vice president of research.
Special thanks to the entirety of Team82 and the data department for providing exceptional support to various aspects of this report and research efforts that fueled it.
About Claroty
Claroty empowers organizations to secure cyber-physical systems across industrial, healthcare, commercial, and public sector environments: the Extended Internet of Things.
This Cyber News was published on www.darkreading.com. Publication date: Wed, 13 Mar 2024 23:20:17 +0000