According to a recent report by Palo Alto’s Unit 42 roughly 75% of smart infusion pumps are vulnerable to attack. For those that do not know what an infusion pump is, it is a device that allows for automated administration of fluids, antibiotics, pain control medication etc. These pumps are vital to proper patient maintenance plans and in some cases are an absolute necessity as the manual administration of medication and other treatments would not be possible. The fact that 75% of them are vulnerable to attack is simply insane, although it is not shocking.
We have previously reported that most healthcare organizations are not prepared for security events due to pressure from clinical staff to ensure that all devices are running 100% of the time. This is often combined with clinical applications that are not running on current operating systems and that have requirements to be vulnerability scanner free and anti-malware free. To call it a mess is a vast understatement. When it comes to life-safety gear like infusion pumps they often face other challenges like FDA exclusions that vendors use when it is difficult to maintain security on a device without potential impacts. These exclusions end up either leaving an organization vulnerable to attack or create a necessity for complicated mitigation or compensating controls that require even more management and effort on the part of the security and/or operations team.
There is good news on this front though as the FDA has changed many of their guidelines and policies due to the increase threats against healthcare organizations. They have released new standards for the manufacture of new devices in 2021. They have also actively been recalling devices that are extremely susceptible to risk. This is good news moving forward, but the refresh rate for equipment like this in Hospitals is very slow so things are not likely to change any time soon.
Getting back to the report outside of 75% being vulnerable to well known and documented vulnerabilities that could impact the function of the device, disclose patient information and put lives at risk, it was found that 52% of the devices polled have vulnerabilities that were disclosed in 2019. This was out of 200,000 infusion pumps that Palo Alto had access to via their own device security services. It this is what is being identified in that relatively small footprint, think about that the actual numbers might be like.
The report from Unit 42 shows that Healthcare organizations are still not where they need to be to prevent attacks. They cite a lack of proper network segmentation, compensating controls, poor security training for clinical staff and a general failure to implement best practices. To this we would add that, in many cases, the Clinical administrators have little to no buy-in for security measures. The often push back on anything that they feel will complicate their work regardless of the reasons for it. Changes are typically difficult to implement with very long lead times on getting new security practices, policies, and services in place. This type of resistance leads to very insecure organizations. It also leaves the security teams frustrated and unable to do the work they should be doing. Healthcare organizations are also notorious for not wanting to spend the money they should on making sure their environments are secure. It is a complicated mess that is not likely to change soon although we hope that the events of 2020 and 2021 do help push things in the right direction.