PRESS RELEASE
NEW YORK and ORLANDO, Florida, March 12, 2024/PRNewswire/ —ClarotyThe cyber-physical systems (CPS) security company released a new report today at its annual HIMSS24 conference that revealed data regarding the security of medical devices connected to the networks of healthcare organizations such as hospitals and clinics.
CPS State of Security Report: Healthcare 2023 they discovered a staggering 63% of known exploited vulnerabilities (KEVs) monitored by CISA on these networks, and that 23% of medical devices, including imaging devices, clinical IoT devices, and surgical devices, have at least one KEV.
In the first healthcare-focused edition of The State of CPS Security report, Team82, Claroty’s award-winning research group, examines how the challenge of bringing increasingly connected medical devices and patient systems online increases exposure to the rising wave of cyberattacks aimed at disrupting hospital operations. The purpose of this research is to demonstrate the broad connectivity of critical medical devices, from imaging systems to infusion pumps, and describe the implications of their exposure online. Vulnerabilities and weaknesses in implementation often emerge in Team82’s research, and in each of these cases a direct line can be drawn to potentially negative outcomes for patients.
“Connectivity has spurred major changes in hospital networks, creating dramatic improvements in patient care with physicians able to diagnose, prescribe and treat remotely with never-before-seen efficiency,” said Amir Preminger, vice president of research at Claroty. “However, increasing connectivity requires appropriate network architecture and an understanding of the attacker exposure it introduces. Healthcare organizations and their security partners must develop policies and strategies that emphasize the need for medical devices and systems resilient that can resist intrusions. This includes secure remote access, prioritizing risk management and implementing segmentation.”
Key Findings:
Host network exposure: 22% of hospitals have connected devices that connect guest networks, which provide patients and visitors with WiFi access, and internal networks. This creates a dangerous attack vector, as an attacker can quickly find and target assets on public WiFi and leverage that access as a bridge to internal networks where patient care devices reside. In fact, Team82 research has shown that a shocking 4% of surgical devices – critical equipment that if they fail could negatively impact patient care – communicate over guest networks.
Unsupported or out of order operating systems: 14% of connected medical devices run on unsupported or end-of-life operating systems. Of the unsupported devices, 32% are imaging devices, including X-ray and MRI systems, which are vital for diagnosis and prescriptive treatment, and 7% are surgical devices.
High probability of exploitation: The report looked at devices with high Take advantage of Prediction Scoring System (EPSS) scores., which represent the probability that a software vulnerability will be exploited in the wild on a scale of 0 to 100. The analysis showed that 11% of patient devices, such as infusion pumps, and 10% of surgical devices contain vulnerabilities with high EPSS scores. Digging deeper, when looking at devices with unsupported operating systems, 85% of surgical devices in that category have high EPSS scores.
Remotely accessible devices: This research examined which medical devices are accessible remotely and found that those with a high consequence of failure, including defibrillators, robotic surgery systems and defibrillator gateways, fall into this group. Research has also shown that 66% of imaging devices, 54% of surgical devices and 40% of patient devices are accessible remotely.
To access Team82’s full set of findings, in-depth analysis, and recommended security measures in response to vulnerability trends, download the “CPS State of Security Report: Healthcare 2023.”
For more information on this report and Claroty’s new launch Advanced anomaly threat detection module for the Medigate by Claroty platformcome and visit us at the HIMSS Global Health Conference, booth no. 1627, which will be held March 11-15 in Orlando, Florida.
Methodology
The CPS: Healthcare 2023 State of Security Report is a snapshot of healthcare cybersecurity trends, medical device vulnerabilities and incidents observed and analyzed by Team82, Claroty’s threat research team, and our data scientists. Information and insights from open and reliable sources, including the National Vulnerability Database (NVD), the Cybersecurity and Infrastructure Security Agency (CISA), the Health Care Coordinating Council Working Group, and others, were also used to contextualize our results are inestimable.
Thanks
The lead author of this report is Chen Fradkin, full stack data scientist at Claroty. Contributors include: Ty Greenhalgh, Healthcare Industry Lead, Yuval Halaban, Risk Group Lead, Rotem Mesika, Risk and Threat Group Lead, Nadav Erez, Vice President of Data, and Amir Preminger, Vice President of Research. Special thanks to the entire Team82 and data department for providing exceptional support to various aspects of this report and the research efforts that fueled it.
About Claroty
Claroty enables organizations to protect cyber-physical systems in industrial, healthcare, commercial and public sector environments – the extended Internet of Things (XIoT). The company’s unified platform integrates with customers’ existing infrastructure to provide a full range of controls for visibility, risk and vulnerability management, threat detection and secure remote access. Backed by the world’s largest investment firms and industrial automation suppliers, Claroty is used by hundreds of organizations at thousands of sites around the world. The company is headquartered in New York City and has a presence in Europe, Asia-Pacific and Latin America. To find out more, visit claroty.com.