Getting to Know the Clinical Vulnerability Landscape

Threats against the clinical cyber environment come in many flavors, ranging from automated malware and non-technical insiders to highly resourced cybercriminals and nation-state / Advanced Persistent Threat (APT) attackers. But even though the attackers and their motivations vary widely, all clinical threats take advantage of the same attack surface. Here’s what you need to know about the different threats that make up the clinical vulnerability landscape:

Medical Device Design Flaws

The FDA did not begin issuing strict security guidance on the design of medical devices until 2014. A significant proportion of the devices in the modern clinical ecosystem predate that guidance and were designed with little or no security discipline, including the common practice of hard-coding administrative and system-level credentials, the absence of firewall rules for common protocols, and the lack of system hardening.

Bad Authentication Practices

Beyond the widespread use of default and/or hard-coded credentials, most medical devices have limited resilience within their authentication workflow. Devices often have a “break glass” function that allows access without full authentication, which becomes an additional attack surface if it is not built securely. Additionally, most devices can easily be brute-forced, because common controls like account lockout are not typically designed into the products.
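Where a device cannot enforce lockout itself, the compensating control is to watch its authentication logs for failure bursts. The following is an added example, not code from the original post or from Scope Security; the syslog format, device names, source addresses and thresholds are constructed assumptions, not real product output.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines from a hypothetical device gateway ("pump-gw-*").
SAMPLE_LOG = """\
2024-03-01T10:00:01Z pump-gw-01 auth: FAIL user=service src=10.20.5.7
2024-03-01T10:00:02Z pump-gw-01 auth: FAIL user=service src=10.20.5.7
2024-03-01T10:00:03Z pump-gw-01 auth: FAIL user=service src=10.20.5.7
2024-03-01T10:00:04Z pump-gw-01 auth: FAIL user=service src=10.20.5.7
2024-03-01T10:00:05Z pump-gw-01 auth: FAIL user=service src=10.20.5.7
2024-03-01T10:00:06Z pump-gw-01 auth: OK user=service src=10.20.5.7
2024-03-01T10:00:10Z pump-gw-02 auth: FAIL user=nurse src=10.20.6.9
2024-03-01T10:05:20Z pump-gw-02 auth: FAIL user=nurse src=10.20.6.9
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, device, result, user, src)."""
    ts, device, _auth, result, user, src = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), device,
            result, user.split("=", 1)[1], src.split("=", 1)[1])


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Emit a 'burst' alert when a (device, src) pair accumulates `threshold`
    failures inside a sliding `window`, and a higher-priority
    'success_after_burst' alert when the same pair then authenticates."""
    recent = defaultdict(deque)   # (device, src) -> failure timestamps in window
    flagged = set()               # pairs already alerted on
    alerts = []
    for line in log_text.splitlines():
        ts, device, result, user, src = parse_line(line)
        key = (device, src)
        q = recent[key]
        if result == "FAIL":
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("burst", device, src, user, len(q)))
        elif result == "OK" and key in flagged:
            # A success right after a burst suggests a guessed credential.
            alerts.append(("success_after_burst", device, src, user, len(q)))
    return alerts
```

The two slow failures on pump-gw-02 fall outside the window and produce no alert, which is the behaviour you want for an ordinary mistyped password.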

Exploitation of Known Vulnerabilities

Because most medical devices are built on COTS operating systems like Linux and Windows, and use common open-source components like the Apache web server, vulnerabilities in widely used products trickle down to medical devices. Vulnerabilities like Heartbleed, Shellshock, BlueKeep, and Zerologon have all affected numerous clinical devices. Because those devices are difficult to patch, vulnerabilities that are fixed elsewhere often linger for significant periods of time in clinical technology.

Specific Medical Device Vulnerabilities

Over the past decade, a community of researchers has dedicated itself to discovering new vulnerabilities in medical devices. Vulnerabilities in widely used products have been published, presented at security conferences, and written up in security trade journals. These vulnerabilities include:

  • “Dark” Clinical Technology Vulnerabilities: Clinical technology vendors often issue patches and advisories only for the specific products against which a vulnerability was reported. A vulnerability that affects one part of a vendor’s product line can often be found unpatched in other parts of that product line. Attackers who are focused on clinical technologies know to explore more widely for exploitable conditions.
  • True Zero-Day Vulnerabilities: Because of the wide prevalence of known vulnerabilities, true zero-day vulnerabilities are not usually required to compromise modern clinical technologies.

Knowing the vulnerabilities at play in any clinical environment can help reduce the risk and mitigate the cost of your next attack.

Mike Murray is the founder and CEO of Scope Security, the healthcare security company. At Scope, Murray builds on his nearly two decades of experience leading teams of highly skilled security professionals to solve critical security problems in healthcare.

Throughout his career, Murray has helped discover some of the world’s most notorious breaches and nation-state threats, and is sought out by industry, media, and security teams for insights on today’s most pressing issues in cybersecurity.