Two separate reports this month note security vulnerabilities affecting medical and other “Internet of Things” devices. Forescout’s Vedere Labs and CyberMDX announced the discovery of seven vulnerabilities, three rated critical by CISA. These Access:7 vulnerabilities affect Parametric Technology Corporation’s Axeda agent. PTC’s Axeda platform is used to remotely access and manage over 150 devices from more than 100 IoT vendors.
The list of affected devices includes many related to healthcare, making the threat more severe. Attackers exploiting the Access:7 vulnerabilities could obtain sensitive information, shut down the Axeda agent, or even control and run commands on a device. Bad actors could modify patients’ records and test results. PTC has released patches for the affected older versions (below 6.9.3) of the Axeda agent. The company also favors the ThingWorx platform over Axeda now; however, many customers continue to use Axeda.
Vulnerabilities in Infusion Pumps
Separately, Palo Alto Networks’ Unit 42 threat intelligence team released a report regarding security flaws impacting infusion pumps. They examined more than 200,000 pumps used in hospitals and other healthcare organizations with Palo Alto’s IoT Security for Healthcare. Of these infusion pumps, 75% were discovered to be “at heightened risk of being compromised by attackers.” More than half were susceptible to two vulnerabilities disclosed in 2019, one rated critical and one high.
Infusion pumps administer fluids like medications and nutrients into a patient’s body in controlled amounts. Healthcare organizations use them widely, but many of these IoT-connected devices are older and unable to receive relevant security updates. Because of this, attackers could access sensitive information or cause a device to stop responding. Malicious actors exploiting these vulnerabilities could severely impact patient care and operations at hospitals and clinics.
Healthcare organizations must remain diligent about security software and updates to devices and firmware. Cybercriminals constantly seek vulnerabilities and backdoors to exploit. Microwize offers healthcare cybersecurity services to help secure networks and devices.