Department of Electronic Engineering, University of Rome Tor Vergata, Rome, Italy.
CNIT, National Inter-University Consortium for Telecommunication, Parma, Italy.
Sci Rep. 2023 Nov 9;13(1):19509. doi: 10.1038/s41598-023-45927-1.
The growing integration of software within medical devices introduces the potential for cybersecurity threats. How significant is this risk, and to what extent are citizens currently exposed? In this study, we adopt a new data-gathering methodology using datasets provided in the Open Contracting Data Standard (OCDS). This allowed us to perform an extensive analysis across over 36 countries within a 12-year range, searching 92 million public administration purchase records for potentially vulnerable medical devices. The findings reveal a concerning landscape: numerous medical devices purchased by national health services possessed or still possess 661 distinct vulnerabilities, more than half of which are deemed critical or high-severity. These vulnerabilities enable relatively simple attacks to severely impact data confidentiality, integrity, and accessibility. Even if patches were applied immediately upon discovery, these vulnerabilities would still result in roughly 3.2 years of system exposure from the time a device is purchased until a software vulnerability is announced, with all classes of devices affected, including high-risk IIB and III devices, which account for 74% of instances. While a full analysis requires interactivity, this noninvasive methodology enables a large-scale study, emphasizing the need to move faster from the safety to the security of medical devices.
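The abstract describes the method only in outline: scan OCDS procurement records for items that name a known device, pair each purchase with the vulnerabilities later disclosed for that product, and measure the window between purchase date and disclosure. The following is an added toy implementation of that pipeline, not the authors' code; the OCDS release fragments, the product catalogue, the vendor names and the `CVE-PLACEHOLDER-*` identifiers are all constructed for illustration, and the matching uses simple keyword search on item descriptions rather than whatever identifier scheme the study used.

```python
"""Added example, not code from the paper: a small, self-contained model of
the abstract's method (scan OCDS procurement records for known device
products, then measure the purchase-to-disclosure window).  Every record,
product, vendor and vulnerability ID below is a constructed placeholder."""
from datetime import date
from statistics import mean

# Constructed OCDS-style releases: the keys (ocid, awards, date, items,
# description) mirror the real OCDS award schema, the values are invented.
RELEASES = [
    {"ocid": "ocds-demo-0001",
     "awards": [{"date": "2015-06-01",
                 "items": [{"description": "Infusion pump PUMP-X (vendor Acme)"}]}]},
    {"ocid": "ocds-demo-0002",
     "awards": [{"date": "2018-02-10",
                 "items": [{"description": "Patient monitor MON-Z (vendor Beta)"}]}]},
    {"ocid": "ocds-demo-0003",
     "awards": [{"date": "2019-09-20",
                 "items": [{"description": "Office chairs, 40 units"}]}]},  # no device
]

# Constructed product catalogue: a keyword that identifies the product in a
# free-text item description, plus the regulatory risk class.
CATALOGUE = {
    "PUMP-X": {"keyword": "pump-x", "risk_class": "IIb"},
    "MON-Z":  {"keyword": "mon-z",  "risk_class": "III"},
}

# Constructed vulnerability records per product: (placeholder ID,
# disclosure date, CVSS base score).
VULNS = {
    "PUMP-X": [("CVE-PLACEHOLDER-1", "2019-06-01", 9.8),
               ("CVE-PLACEHOLDER-2", "2014-01-15", 5.3)],  # public before purchase
    "MON-Z":  [("CVE-PLACEHOLDER-3", "2021-02-10", 7.5)],
}


def severity(score):
    """CVSS v3 qualitative rating derived from the base score."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def extract_purchases(releases, catalogue):
    """Return (product, award_date) for every awarded item whose description
    contains a catalogue keyword; other purchases are ignored."""
    found = []
    for rel in releases:
        for award in rel.get("awards", []):
            awarded = date.fromisoformat(award["date"])
            for item in award.get("items", []):
                text = item.get("description", "").lower()
                for product, meta in catalogue.items():
                    if meta["keyword"] in text:
                        found.append((product, awarded))
    return found


def match_vulnerabilities(purchases, vulns):
    """Pair each purchase with that product's vulnerabilities and compute the
    exposure window in years (purchase date -> disclosure date).  A window of
    zero or less means the flaw was already public when the device was bought,
    which is a separate finding from the post-purchase exposure the abstract
    averages."""
    rows = []
    for product, bought in purchases:
        for vuln_id, published, score in vulns.get(product, []):
            years = (date.fromisoformat(published) - bought).days / 365.25
            rows.append({"product": product, "vuln": vuln_id,
                         "severity": severity(score), "exposure_years": years})
    return rows


def summarize(rows):
    """Aggregate the matched rows the way the abstract reports them."""
    post = [r["exposure_years"] for r in rows if r["exposure_years"] > 0]
    return {
        "instances": len(rows),
        "critical_or_high": sum(r["severity"] in ("critical", "high") for r in rows),
        "already_public_at_purchase": sum(r["exposure_years"] <= 0 for r in rows),
        "mean_exposure_years": round(mean(post), 2) if post else 0.0,
    }


if __name__ == "__main__":
    purchases = extract_purchases(RELEASES, CATALOGUE)
    print(summarize(match_vulnerabilities(purchases, VULNS)))
```

On the constructed data the summary reports three matched instances, two of them critical or high, one vulnerability already public at purchase time, and a mean post-purchase exposure of 3.5 years. Keeping the "already public at purchase" cases separate matters for a procurement-side defence: those are the purchases a pre-award vulnerability check could have flagged, whereas the post-purchase window can only be shortened by patch turnaround.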