Joint research project from Health-ISAC, Finite State, and Securin discovers nearly 1,000 vulnerabilities spanning 966 medical products

COLUMBUS, Ohio, Ormond Beach, FL & Albuquerque, NM — August 8, 2023 — Health-ISAC, Finite State, and Securin, Inc., released today a joint research report targeting medical devices, software applications, and healthcare systems. The research found that 993 vulnerabilities–a 59% year-over-year increase from 2022–lurk within 966 medical products and devices, and attackers could exploit them to target a healthcare facility. 

Of the 993 vulnerabilities, 160 are weaponized and 101 are trending in the wild. Additionally, Advanced Persistent Threat Groups are exploiting seven, and four are associated with ransomware.

"Healthcare organizations must prioritize cybersecurity measures, employ robust cybersecurity practices, conduct regular risk assessments, and stay updated on the latest security threats and technologies to proactively protect against cyber threats,”  said Phil Englert, Health-ISAC’s VP of Medical Device Security. “Health-ISAC focuses on enhancing cyber resilience within the global healthcare sector by facilitating collaboration, sharing threat intelligence, developing and sharing best practices and providing resources and support to its members to build resilience within member organizations and the healthcare community as a whole."

Software and firmware that power connected medical products and devices paramount to human health and safety are increasingly at risk due to high numbers of critical and high-rated vulnerabilities. In fact, 43 vulnerabilities–a 437% year-over-year increase from 2022–have been categorized as RCE/PE exploits, making them dangerous and attractive to hackers. These results highlight a growing need to strengthen software supply chain security by securing connected medical products and devices.

“Our research unveils a disturbing year-over-year increase in firmware vulnerabilities within connected medical products and devices, underscoring an urgent need for robust software supply chain security," said Larry Pesce, Director of Product Security Research and Analysis at Finite State. "The rise of weaponized exploits demands immediate, collective action to safeguard not only our technological integrity but, ultimately, patient safety."

Healthcare, a critical infrastructure classified by the US Government, continues to be a prime target for cyberattacks, posing potential consequences ranging from network disruptions to compromised medical equipment, which could lead to fatal outcomes.

"As the healthcare industry continues to digitize, cyber threats are becoming increasingly sophisticated, putting the privacy and safety of patients at risk,” said Kiran Chinnagangannagari, CTO of Securin. “It is important to understand and address these risks head on, to protect patients’ data and well-being.” 

Read our research report to see the survey’s full findings. 

About Finite State
Finite State empowers organizations to gain control of application and product security for their connected devices and software supply chains. Across the software supply chain lifecycle, Finite State is the single pane of glass for customers that provides continuous visibility into software supply chain risk.Backed by a team of seasoned experts, Finite State’s platform arms customers with the automation to scale risk mitigation and 2B+ data points to deliver actionable SBOM’s and insights, critical vulnerability data and the remediation guidance necessary to mitigate AppSec and product risk to protect the connected attack surface.

About Health-ISAC
Health-ISAC — a non-profit, private sector, member-driven organization — plays an essential role in providing situational awareness around cyber and physical security threats to the Healthcare Sector so that companies can detect, mitigate, and respond to ensure operational resilience. Health-ISAC connects thousands of healthcare security professionals worldwide to share peer insights, real-time alerts, and best practices in a trusted, collaborative environment. As the go-to source for timely, actionable, and relevant information, Health-ISAC is a force-multiplier that enables healthcare organizations of all sizes to enhance situation awareness, develop effective mitigation strategies and proactively defend against threats every single day.

About Securin
Securin is a leading provider of tech-enabled cybersecurity services, helping customers gain resilience against emerging threats. Our products and services are powered by accurate vulnerability intelligence, human expertise, and automation, enabling enterprises to make critical security decisions to manage their expanding attack surfaces.

2023 State of Cybersecurity for Medical Device and HDOs