New data show that 1 in 5 connected medical devices run on unsupported operating systems (OS). The findings come from asset visibility and security company Armis, which analyzed data collected by its Asset Intelligence and Security Platform; the platform tracks more than 3 billion assets.
Outdated operating systems remain a top medical device security challenge as health care organizations continue to rely on legacy devices. As old Windows versions get phased out, devices may not be receiving key security updates.
In health care, many medical devices remain in use for a decade or longer. Replacing expensive devices every time an operating system goes out of date is not a sustainable strategy, but vulnerable devices may leave organizations open to increased security risks.
The report also found nurse call systems to be the riskiest Internet of Medical Things (IoMT) device. Nurse call systems give providers the ability to maintain communication between patients and providers on the hospital floor.
According to the data, 39% of analyzed nurse call systems have unpatched critical-severity Common Vulnerabilities and Exposures (CVEs), and 48% of nurse call systems have unpatched CVEs of varying severity levels.
Infusion pumps and medication dispensing systems followed behind nurse call systems, with 27% and 4% having unpatched critical-severity CVEs, respectively. It is important to note that 86% of medication dispensing systems had unpatched CVEs, beyond just the critical-severity vulnerabilities. Even low-to-medium-severity vulnerabilities may cause disruptions in care.
What’s more, 32% of medication dispensing systems run on unsupported versions of Windows, further exemplifying the prevalence of outdated operating systems in medical environments.
In terms of traditional IoT devices, Armis found IP cameras, printers, and VoIP devices to be among the riskiest devices in clinical environments.
“These numbers are a strong indicator of the challenges faced by health care organizations globally. Advances in technology are essential to improve the speed and quality of care delivery as the industry is challenged with a shortage of care providers, but with increasingly connected care comes a bigger attack surface,” Mohammad Waqas, principal solutions architect for health care at Armis, said in a press release.
“Protecting every type of connected device, medical, IoT, even the building management systems, with full visibility and continuous contextualized monitoring is a key element to ensuring patient safety.”
In addition to recently passed legislation that will set stricter guidelines for the security of medical devices, health care organizations should consider network segmentation and zero trust strategies to mitigate risk.