Discovered Vulnerabilities per Year
Vulnerabilities, exploited or not, are shown according to the year in which they were discovered. Until 2016, all information comes from scientific papers, journal articles, or security bulletins issued by the directly affected companies. From 2016 to the present, much of the data is sourced from the US Cybersecurity and Infrastructure Security Agency (CISA).
Discovered Vulnerabilities per Body Area District
Vulnerabilities, whether exploited or not, are classified according to the tissue targeted by the device, which does not always correspond to the area where the device is applied. For devices that measure more general parameters, such as blood pressure and heart rate, the body district where the device is placed is indicated instead.
External: On-site equipment (e.g., MRI, PET)
Arm: Devices placed on the arm to measure blood parameters
Stomach: Devices delivering drugs to the stomach
Variable: Infusion Pumps
Feet: Smart Medical Shoes
Head: Brain Computer Interfaces, EEG, Neurostimulators
Heart: Devices directly applied on the heart (e.g., Pacemakers, Defibrillators)
Wrist: Devices placed on the wrist to measure body parameters (e.g., Oximeters, Smartwatches)
Number of Devices with a given CVSS
The diagram shows the total number of devices with an assigned Common Vulnerability Scoring System (CVSS) score. The CVSS is not a measure of risk, but a qualitative measure of vulnerability severity. The CVSS v3.x standard was used for almost all of the data, with CVSS v2.x used for the remainder (where no CVSS v3.x score was provided). For medical devices affected by more than one vulnerability, each with its own CVSS score, the highest score was reported.
Each bin of the bar plot is 1 unit wide, with the integer at the interval midpoint, except for the bin with a CVSS equal to 10, whose range is from 9.5 to 10, both included. For example, devices considered to have a CVSS equal to 5 are all those with a CVSS between 4.5 (included) and 5.5 (not included).
Further information about CVSS vulnerability metrics, CVSS calculators, and the vulnerability severity ratings is available on the National Institute of Standards and Technology (NIST) site.
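As an added illustration (not part of the original page or its data pipeline), the following Python reproduces the binning rule described above on a constructed sample: the v3.x score is preferred over v2.x, the highest score is kept per device, and the top bin is closed at both ends so that 9.5 lands in bin 10.

```python
"""Reproduce the CVSS binning used for the 'Number of Devices with a given CVSS' chart."""
from collections import Counter
from typing import Optional

# Constructed sample records (not real advisories): one row per (device, vulnerability).
# 'v3'/'v2' are the CVSS base scores reported with the advisory; None = not provided.
SAMPLE_VULNS = [
    {"device": "infusion-pump-A", "v3": 9.8,  "v2": 10.0},
    {"device": "infusion-pump-A", "v3": 7.5,  "v2": 5.0},
    {"device": "pacemaker-B",     "v3": None, "v2": 6.8},   # only a v2 score published
    {"device": "smartwatch-C",    "v3": 4.5,  "v2": None},
    {"device": "smartwatch-C",    "v3": 5.4,  "v2": None},
    {"device": "mri-D",           "v3": 10.0, "v2": 10.0},
    {"device": "eeg-E",           "v3": 9.5,  "v2": None},
]

def effective_score(v3: Optional[float], v2: Optional[float]) -> Optional[float]:
    """Prefer the CVSS v3.x base score; fall back to v2.x only when v3 is absent."""
    return v3 if v3 is not None else v2

def cvss_bin(score: float) -> int:
    """Map a score to the integer bin sitting at the midpoint of a 1-unit-wide interval.

    Bin k covers [k - 0.5, k + 0.5), e.g. bin 5 = [4.5, 5.5).
    The top bin (10) is the closed interval [9.5, 10.0], so 9.5 goes to 10, not to 9.
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 9.5:
        return 10
    return int(score + 0.5)   # floor(score + 0.5) == round-half-up for non-negative values

def device_max_scores(vulns) -> dict:
    """Per device, keep the highest effective score among all of its vulnerabilities."""
    best = {}
    for row in vulns:
        s = effective_score(row["v3"], row["v2"])
        if s is None:
            continue   # no usable score: the device cannot be placed in the chart
        best[row["device"]] = max(best.get(row["device"], s), s)
    return best

def histogram(vulns) -> dict:
    """Count devices per CVSS bin, as plotted in the bar chart."""
    return dict(Counter(cvss_bin(s) for s in device_max_scores(vulns).values()))

if __name__ == "__main__":
    for b, n in sorted(histogram(SAMPLE_VULNS).items()):
        print(f"CVSS {b:>2}: {n} device(s)")
```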
Number of Devices per Type of Attack
The chart summarizes the most frequent attacks to which medical devices are vulnerable. Each device may be vulnerable to more than one attack. The most common is Unauthorized Access, which can be due to a cyber vulnerability (hard-coded credentials or lack of encryption) or a physical vulnerability (physical access to the device via USB drives or other devices). At the other end, the least common is the EMI Signal Injection attack, given the difficulty of executing and identifying it. Such an attack generally requires close proximity to the victim device and goes undetected because it is often executed against devices that do not produce log files.
The definition of each attack is in the Glossary page.
Types of Vulnerabilities
When describing the vulnerability of a medical device, it is important to catalog it as cyber or physical. Cyber vulnerabilities are the most widely known and therefore the ones best defended against. Once a vulnerability is identified, it generally takes a short time before a patch is released to fix the problem in the device software. Physical vulnerabilities, on the other hand, are generally difficult to exploit but at the same time almost impossible to detect. For this reason there are considerably fewer of them than cyber vulnerabilities, but they are also more insidious. Imagine examining a patient for a cardiac arrhythmia that is caused not by a physiological problem, but by an induced malfunction of the pacemaker's sensors.
Definitions of cyber and physical vulnerabilities are in the Glossary and Literature pages. For an in-depth analysis of the dangerousness of physical attacks, see “Ghost Talk: Mitigating EMI Signal Injection Attacks against Analog Sensors” and “Taxonomy and Challenges of Out-of-Band Signal Injection Attacks and Defenses”.
Physical: Vulnerabilities related to: (i) the possibility of exploiting electromagnetic/acoustic waves to induce device malfunction or reconstruct its behaviour; (ii) unauthorized physical access to a hospital restricted area or to a device (e.g., via USB).
Cyber: Vulnerabilities exploitable remotely or inherent in the software of the device or in the application with which it interfaces.
Types of devices with discovered vulnerabilities
The chart shows the device types for which most vulnerabilities have been found so far. A non-negligible number are smartwatches, usually because of vulnerabilities in the companion smartphone applications. Although these are not physically harmful to the wearer, they can expose sensitive data. Because hospitals, healthcare providers and manufacturers detect and report attacks and vulnerabilities quickly, many of the recorded vulnerabilities concern on-site devices.
Smartwatches: Not medical devices in the strict sense, but they can reliably measure body parameters such as blood pressure and heart rate.
Wearable: Devices placed on the body to measure body parameters.
Implantable: Devices placed inside the human body to measure body parameters and/or to have therapeutic effects (e.g., pacemakers).
On-site medical equipment: Devices typically used in hospitals that can be accessed physically or through the hospital network.
Number of Devices per Risk Class
The first step in compliance with the Medical Device Directive 93/42/EC is product classification.
Medical devices in Europe are grouped, according to their complexity and potential risk to the patient, into four classes: I, IIa, IIb, III. Classification depends on the intended use indicated by the manufacturer. We have associated each device with the risk class with reference to the classification rules in Regulation 2017/745 of the European Parliament and of the Council of April 5, 2017. It can be seen that most of the devices are of medium and high risk class.
Class I: low-risk devices. These can be products for external patient aid, such as crutches or wheelchairs, but also products such as stethoscopes. Devices that fall into this class do not require the involvement of a Notified Body (apart from devices that are sterile and/or have a measuring function) and must be registered with the appropriate local authorities;
Classes IIa and IIb: medium-risk devices; many electromedical devices fall into these classes, including diagnostic equipment such as glucose meters, blood pressure monitors, and X-ray machines;
Class III: high-risk devices, such as cardiovascular catheters or pacemakers. They require a conformity assessment by a Notified Body and the highest level of clinical data demonstrating safety and performance.