Over 50% of internet-connected medical devices in hospitals are vulnerable to cyberattacks
Over 50% of internet-connected medical devices vulnerable to cyberattacks
January 28, 2022
by John R. Fischer, Senior Reporter
Critical vulnerabilities put over half of medical devices connected to hospital networks at risk of being breached by malicious viruses and software that could potentially compromise patient information.
In an analysis of 10 million devices at more than 300 hospitals and medical facilities worldwide, Cynerio identified 53% of internet-connected medical devices with a known vulnerability and one-third of bedside devices with a critical risk.
It warns in its 2022 State of Healthcare IoT Device Security report that these issues could enable hackers to access devices and potentially impact service availability, steal and expose patient data and even pose harm to patient safety, according to ZDNet.
"Hospitals and health systems don't need more data — they need advanced solutions that mitigate risks and empower them to fight back against cyberattacks, and as medical device security providers, it's time for all of us to step up. With the first ransomware-related fatalities reported last year, it could mean life or death,” said Cynerio’s CTO Daniel Brodie in a statement.
Infusion pumps were the most common device to have some type of vulnerability, with 73% showing such issues. This is very concerning, as IV pumps make up 38% of a hospital’s IoT and hacking into them allows hackers to directly affect patients, since they are connected to the pumps.
Other internet-connected devices that posed risks were patient monitors and ultrasound, with both devices among the top 10 listed in terms of numbers of vulnerabilities, reported The Verge.
Outdated programming such as older Windows Versions were found on most medical IoT devices, specifically versions that were older than Windows 10. It is outdated systems and not enough cybersecurity protections that have made healthcare a prime target of cybercriminals, according to Cynerio. Default passwords are also a problem and were found on about 21% of devices in the analysis.
In addition to addressing these issues directly, Cynerio recommends that healthcare organizations segment their networks, as doing so addresses more than 90% of critical risks in medical devices and reduces ransomware attacks. It adds that healthcare organizations do not have the resources or personnel to keep systems updated and that they may not even know if there is an update for one of their devices or a recall.
In the past 18 months, 82% of healthcare providers have experienced some form of an IoT cyberattack. Of these, 34% were hit with ransomware, according to a paper by data security firm Medigate and cloud-based protection provider CrowdStrike.
An attack last month on Maryland’s Department of Health left it and local hospital partners struggling to recover for at least six weeks. One hard blow was the inability of the department to release COVID-19 case rates amid the highly contagious Omicron surge, and the number of COVID-19 deaths that went unreported in the state for most of December, according to ZDNet.
Back in September, a baby born with severe brain injury died due to inadequate care at a hospital in Alabama. The hospital blamed the poor care on a ransomware attack it was struggling to contain. The child’s mother sued on the grounds that the hospital failed to tell her that its computers were down due to a cyberattack, and as a result, gave her poor care when she gave birth to her daughter. The filing is the first credible public claim of a death related, in part, to hackers who remotely shut down hospital computers in an extortion attempt, reported NBC News.
A German woman in September 2020 was initially reported to have died after being rerouted to a different emergency room because a ransomware attack hit the closest hospital, according to Wired. Government authorities later ruled that there was not sufficient evidence to show that the attack and her death were related.
In an analysis of 10 million devices at more than 300 hospitals and medical facilities worldwide, Cynerio identified 53% of internet-connected medical devices with a known vulnerability and one-third of bedside devices with a critical risk.
It warns in its 2022 State of Healthcare IoT Device Security report that these issues could enable hackers to access devices and potentially impact service availability, steal and expose patient data and even pose harm to patient safety, according to ZDNet.
"Hospitals and health systems don't need more data — they need advanced solutions that mitigate risks and empower them to fight back against cyberattacks, and as medical device security providers, it's time for all of us to step up. With the first ransomware-related fatalities reported last year, it could mean life or death,” said Cynerio’s CTO Daniel Brodie in a statement.
Infusion pumps were the most common device to have some type of vulnerability, with 73% showing such issues. This is very concerning, as IV pumps make up 38% of a hospital’s IoT and hacking into them allows hackers to directly affect patients, since they are connected to the pumps.
Other internet-connected devices that posed risks were patient monitors and ultrasound, with both devices among the top 10 listed in terms of numbers of vulnerabilities, reported The Verge.
Outdated programming such as older Windows Versions were found on most medical IoT devices, specifically versions that were older than Windows 10. It is outdated systems and not enough cybersecurity protections that have made healthcare a prime target of cybercriminals, according to Cynerio. Default passwords are also a problem and were found on about 21% of devices in the analysis.
In addition to addressing these issues directly, Cynerio recommends that healthcare organizations segment their networks, as doing so addresses more than 90% of critical risks in medical devices and reduces ransomware attacks. It adds that healthcare organizations do not have the resources or personnel to keep systems updated and that they may not even know if there is an update for one of their devices or a recall.
In the past 18 months, 82% of healthcare providers have experienced some form of an IoT cyberattack. Of these, 34% were hit with ransomware, according to a paper by data security firm Medigate and cloud-based protection provider CrowdStrike.
An attack last month on Maryland’s Department of Health left it and local hospital partners struggling to recover for at least six weeks. One hard blow was the inability of the department to release COVID-19 case rates amid the highly contagious Omicron surge, and the number of COVID-19 deaths that went unreported in the state for most of December, according to ZDNet.
Back in September, a baby born with severe brain injury died due to inadequate care at a hospital in Alabama. The hospital blamed the poor care on a ransomware attack it was struggling to contain. The child’s mother sued on the grounds that the hospital failed to tell her that its computers were down due to a cyberattack, and as a result, gave her poor care when she gave birth to her daughter. The filing is the first credible public claim of a death related, in part, to hackers who remotely shut down hospital computers in an extortion attempt, reported NBC News.
A German woman in September 2020 was initially reported to have died after being rerouted to a different emergency room because a ransomware attack hit the closest hospital, according to Wired. Government authorities later ruled that there was not sufficient evidence to show that the attack and her death were related.