Most medical devices used by hospitals are legacy devices that are still operating on Windows 7 that Microsoft no longer supports. Manufactured at a time when cybersecurity was not a preoccupation, these devices can now easily be hacked and potentially be dangerous to patients. As a result, on top of safeguarding traditional IT assets, hospitals now have to figure out a way to secure tens of thousands of legacy devices from hundreds of manufacturers connected to their network. It is a real headache for most hospitals and healthcare organizations as many of them do not even keep an inventory of their medical devices. According to a recent study only 36% of healthcare organizations know where their medical devices are.
While some devices that can cause fatal injuries, such as insuline pumps or pacemakers, are being actively monitored and recalled by the FDA, it is estimated that all other medical devices have an average of more than 6 vulnerabilities per device and that 40% of devices used by hospitals are at the end-of-life stage and do not have security patches or upgrades available.
Not surprisingly, FDA regulations in this field are lagging with the agency only saying both hospitals and manufacturers are responsible for protecting devices from cyber attacks. Hospitals are pointing fingers at manufacturers for not providing the necessary support and want the FDA to mandate lifetime support of medical devices by manufacturers. So far, the further the FDA went was to publish post-market guidance for medtechs on what they should do to secure their products. This is not enough as hospitals find themselves dealing with thousands of devices that they are supposed not only to track but also patch to prevent cyberattacks. With the ongoing Covid19 crisis, hospitals are unable to handle this task and as a result they become increasingly vulnerable to cyberattacks that could injure or kill patients.