A recent joint research report by Health-ISAC, Finite State, and Securin Inc. offers a stark glimpse into the escalating cyber threats targeting medical devices, software applications, and healthcare systems.

This comprehensive study reveals a concerning surge in vulnerabilities that could potentially compromise patient safety and healthcare service delivery.

Alarming Statistics Unveiled

The research uncovers 993 vulnerabilities across 966 medical products and devices—a significant 59% increase from the previous year. This alarming figure underscores the growing complexity and reach of cyber threats in the healthcare sector. More disturbingly, out of these vulnerabilities, 160 are weaponized, and 101 are currently active in the wild, indicating that they are not just theoretical risks but present real and immediate dangers.

The study also highlights that Advanced Persistent Threat Groups have exploited seven of these vulnerabilities, with four linked directly to ransomware attacks. 

And in the months since the publication of our report, other research efforts have turned up data and headlines that indicate that cybersecurity continues to be a major concern into 2024:

  • A February 2024 Infoblox report on healthcare cyber trends analyzed HHS/OCR data to determine that some 118.9 million healthcare patient records were compromised by cybercrime in 2023, a number that corresponds to more than one-third (35%) of the projected US population, according to the US Census Bureau. 
  • A Proofpoint research report independently conducted by the Ponemon Institute found that 88% of healthcare organizations suffered at least one cyberattack during the last 12 months. 
  • HHS data shows a 93% rise in large breaches reported to the Office for Civil Rights between 2019 and 2022, leading to "extended care disruptions, patient diversions to other facilities, and delayed medical procedures."

The state of cybersecurity for medical devices and healthcare systems endangers patients and risks their safety and well-being. 

The High Stakes of Cybersecurity in Healthcare

Cybersecurity in healthcare is not just about protecting data; it's about safeguarding human lives. The research report shows a staggering 437% year-over-year increase in Remote Code Execution/Privilege Escalation (RCE/PE) exploits.

These exploits are particularly dangerous because they allow attackers to take control of medical devices remotely, posing severe risks to patient safety.

Expert Insights

Upon the release of the State of Cybersecurity for Medical Devices and Healthcare Systems report, Phil Englert, VP of Medical Device Security at Health-ISAC, emphasized the critical need for robust cybersecurity measures. He advocated for comprehensive risk assessments, regular updates on the latest security threats, and proactive defense strategies to enhance cyber resilience within the healthcare sector. 

Larry Pesce, Director of Product Security Research and Analysis at Finite State, pointed out the disturbing increase in firmware vulnerabilities. He called for immediate collective action to secure the software supply chain that underpins connected medical devices, stressing the direct impact on patient safety.

Kiran Chinnagangannagari, CTO of Securin, noted the heightened risk as the healthcare industry continues its digital transformation. The sophistication of cyber threats is growing, he said, making it imperative to address these risks decisively to protect the privacy and well-being of patients.

The findings of this joint research report serve as a clarion call to all stakeholders in the healthcare industry to fortify their cybersecurity defenses. As healthcare continues to integrate more deeply with technology, the potential for cyberattacks grows, as we recently saw with the February 2024 Change Healthcare ransomware attack that may have exposed the personal data of a third of all Americans.

It's threats like these that make it essential to prioritize cybersecurity not just as a compliance requirement but as a fundamental aspect of patient care.

Read the Report Today!

Dive into the critical findings of the "2023 State of Cybersecurity for Medical Devices and Healthcare Systems" report, a joint research initiative by H-ISAC, Finite State, and Securin.

This pivotal research reveals a worrying 59% increase in firmware vulnerabilities year-over-year, alongside a sharp rise in weaponized vulnerabilities and those actively exploited in cyber attacks. Notably, the report highlights a 437% surge in Remote Code Execution (RCE) and Privilege Escalation (PE) exploits since 2022, underlining the escalating threats to patient safety and technology.

Arm yourself with essential insights by downloading the full report today and take a proactive step towards bolstering medical device cybersecurity and safeguarding healthcare.
