Nurse call systems and infusion pumps have been found to be the riskiest connected medical devices, suggests a new report by asset visibility and security company Armis.
Based on the tracking of over three billion Internet of Things (IoT) and medical devices in clinical environments, the research document shows that 39% of all nurse call systems – devices used by patients to alert caregivers when they need assistance – have critical severity unpatched Common Vulnerabilities and Exposures (CVEs). Almost half (48%) of them have unpatched CVEs.
The numbers are somewhat lower for infusion pumps – medical devices used by healthcare professionals to deliver fluids such as nutrients or medications into a patient’s body in a controlled manner. According to Armis, 27% of them have critical severity unpatched CVEs and 30% have unpatched CVEs.
In the third spot are medication dispensing systems used to organize, prepare, prescribe and deliver prescription drugs to patients. Roughly 4% have critical severity unpatched CVEs, but the number is much larger for those with unpatched CVEs (86%). Moreover, 32% of them run on unsupported Windows versions.
Unsupported software issues extend to other devices as well. The Armis report suggested that 19% of all connected medical devices are running unsupported OS versions.
Further, the company observed that IP cameras were the riskiest IoT device in clinical environments, with over half of them having critical severity unpatched CVEs (56%) and unpatched CVEs (59%).
Printers were the second riskiest IoT device in clinical environments, with 37% of them having unpatched CVEs and 30% having critical severity unpatched CVEs.
VoIP devices were third in the IoT list, with more than half of them (53%) having unpatched CVEs. Interestingly, only 2% of them have critical severity unpatched CVEs.
“These numbers are a strong indicator of the challenges faced by healthcare organizations globally. Advances in technology are essential to improve the speed and quality of care delivery as the industry is challenged with a shortage of care providers, but with increasingly connected care comes a bigger attack surface,” commented Mohammad Waqas, principal solutions architect for healthcare at Armis.
“Protecting every type of connected device, medical, IoT, even the building management systems, with full visibility and continuous contextualized monitoring is a key element to ensuring patient safety.”
The Armis report comes weeks after Microsoft observed the threat actor KillNet targeting healthcare applications hosted using the Microsoft Azure infrastructure.