Cybersecurity Vulnerabilities in Medical Devices
Claroty, a cyber-physical systems protection company, released research from its Team82 group that analyzed 2.25 million Internet of Medical Things (IoMT) devices and 647,000 Operational Technology (OT) devices from 351 healthcare organizations.
OT Devices:
Building Automation Devices
Building Automation Controllers
Uninterruptible Power Supplies
Temperature Sensors
Power Distribution Units
IoMT Devices:
Imaging
Patient Devices
Surgical Devices
Clinical Lab
Clinical IoT
Hospital Information Systems
Highlights
- 99% of the 351 organizations in the data set were exposed to confirmed known exploited vulnerabilities. 89% of those organizations were running medical systems vulnerable to publicly available exploits often taken advantage of by ransomware groups, and those medical devices were insecurely connected to the Internet.
- X-ray, CT, MRI, ultrasound and other imaging machines were deemed the device category most at risk within the evaluated data set: 8% of these devices were insecurely connected to the Internet and contained known exploited vulnerabilities, impacting 85% of the 351 organizations.
- 20% of hospital information systems managing HIPAA-protected patient data, administrative information, and finances were insecurely connected to the Internet and contained known exploited vulnerabilities.
- 9% of IoMT devices were confirmed to contain known exploited vulnerabilities.
Additional Information
The key difference between Operational Technology (OT) systems and Information Technology (IT) systems is that OT systems are designed to be autonomous, isolated, and self-contained, and they utilize proprietary software instead of regular operating systems. OT systems are also expected to lack the security tools present within normal IT environments.
Additionally, 2025 is expected to present new challenges for medical devices. Advanced features like artificial intelligence (AI) integration increase both medical device sophistication and attack surface. Accordingly, more sophisticated security measures must be implemented to protect healthcare organizations as well as patient data. On the other hand, threat actors can leverage advancements in AI against targeted organizations. Example outcomes are
When assessing the potential attack vectors present in medical devices, some considerations include the age of the device, how often devices are updated, the ease of updating devices, and firmware/software availability. Some unique issues pertaining to medical, IoMT, or OT devices include the reality that firmware/software updates may not be as straightforward as they are in an IT environment.
Call to Action
Compromised OT systems can have a devastating impact on healthcare organizations by exposing building management systems, which affect heating, ventilation, air conditioning, electrical systems, elevators, and water distribution. Consider how some medications require temperature-controlled environments for proper storage, or how an elevator would be necessary to quickly transport a bedridden patient to another floor. The availability and quality of patient care are directly related to how healthcare organizations decide to mitigate these vulnerabilities. Our security teams can identify highly targeted systems and prioritize the actual, not theoretical, areas of risk to reduce your exposure to these attack vectors.
Future-Proof Devices by working on the following:
- Continuously update and review your software bill of materials (SBOM)
- Utilize encryption for data exchange / data in transit to avoid interception or tampering
- Create and adapt risk management strategies
- Leverage security teams to conduct vulnerability scanning, security auditing, and penetration testing to proactively increase defenses against emerging threats
Current Events
Congressman Brett Guthrie (KY-02), Chairman of the House Committee on Energy and Commerce, and Congressman Gary Palmer (AL-06), Chairman of the Subcommittee on Oversight and Investigations, announced a hearing titled “Aging Technology, Emerging Threats: Examining Cybersecurity Vulnerabilities in Legacy Medical Devices” on March 25, 2025.
“Medical devices are critically important and broadly used to diagnose, monitor, and treat patients throughout health care delivery systems. Some medical devices, however, contain cybersecurity vulnerabilities. It is imperative we defend against cyber threats to protect patients and safeguard our national security,” said Chairmen Guthrie and Palmer. “This hearing will provide us with an opportunity to examine concerns regarding vulnerabilities in legacy medical devices, their impact on patient safety and health operations, and strategies to enhance cyber resilience.”
WHAT: Subcommittee on Oversight and Investigations hearing on cybersecurity vulnerabilities in legacy medical devices.
DATE: Tuesday, April 1, 2025
TIME: 10:30 AM ET
LOCATION: 2322 Rayburn House Office Building