Protecting healthcare customers from the threat of unpatched medical devices
Medical devices play an increasingly important role in the healthcare sector. From MRI scanners to wearable technology like blood glucose monitors, many are essential to diagnosing, monitoring and treating disease. But while they can work to improve patient health, the opposite is arguably true of IT health.
A new FBI alert warns that unpatched and outdated devices represent a serious threat vector for malicious actors to exploit. Mitigating it will require a defence-in-depth approach.
Not built to last
The FBI’s Private Industry Notification rightly points out that, while the hardware itself is often built to last decades, the same is not true of the software running on top of it. A lack of manufacturer support means this software is often out of date and unpatched. It’s a challenge exacerbated by several factors, including:
- Default device configurations, which make it easier for threat actors to compromise them
- An absence of security-by-design thinking from device manufacturers
- Customised software which may delay patching further
These issues are more worrying still when you consider the escalating threat volumes facing healthcare organisations (HCOs). According to Trend Micro data, the sector was the third most commonly targeted by ransomware last year and second in terms of phishing detections. It ranked sixth in terms of malicious files detected in emails.
Layering up defences
So how do HCOs close the security gaps created by medical devices? The FBI recommends a defence-in-depth approach including:
- Medical device protection, as well as detection and response (XDR)
- Identity and access management, including complex passwords
- Asset management to identify all devices and their status
- Vulnerability management including routine scans
- User education including anti-phishing training
Fortunately, Trend Micro is already helping countless HCOs to mitigate medical device risks, and we are delighted to announce that this capability is available to the NHS in support of the new DSPT regulations. To further help over-stretched NHS staff, Trend Micro includes with this capability suggested statements for the numerous DSPT assertions that it satisfies.
We have developed a range of hardware- and software-based solutions and services to detect and log assets, shield devices from vulnerability exploitation, and rapidly detect and respond to attacks, whether or not our clients are aware of the threat, and without having to reboot critical systems. This capability comes in different forms to suit different scenarios, from protecting all the equipment in a data centre, to clusters of medical devices, to individual devices.