Nearly one in five connected IoMT and IoT (Internet of Things) devices in hospitals run on unsupported operating systems, putting them at greater risk for hacking.

Best practices for managing the cybersecurity risks of connected devices

May 05, 2023
by John R. Fischer, Senior Reporter
In 2026, smart hospitals will rely on more than 7 million IoMT (Internet of Medical Things) devices, double the number they had in 2021, putting them at greater risk of cyberattacks.

In a recent survey, cybersecurity firm Armis found that nearly one in five connected IoMT and IoT (Internet of Things) devices in hospitals run on unsupported operating systems, and identified devices with critical severity unpatched common vulnerabilities and exposures (CVEs) that made them the most at risk.

The key to mitigating risk is prioritizing remediation efforts based not only on the severity of a vulnerability but also on its potential impact on quality of care, while increasing asset visibility and cross-team collaboration, Mohammad Waqas, Armis' principal solutions architect for healthcare, told HCB News.

"Uncovering vulnerabilities is inevitable," he said. "The speed of response and remediation is where we have the most potential to minimize risk."

Putting safety first
For the survey, Armis assessed data from its own proprietary security platform, which tracks over three billion assets, and found nurse call systems to be more at risk than any other IoMT device, with 39% having critical severity unpatched CVEs and 48% having unpatched CVEs. Behind them are infusion pumps, at 27% and 30%; and medication dispensing systems, at 4% and 86%, with 32% also running on unsupported Windows versions.

Internet protocol (IP) cameras were the riskiest of all IoT devices, at 56% and 59%; followed by printers, at 30% and 37%; and VoIP devices, at 2% and 53%.

The complex, interconnected nature of these devices means that attackers who breach one can potentially reach multiple systems, including those holding patient records, tamper with devices in ways that could harm patients, or hold information for ransom.

"Identity and access management should be a top priority for any healthcare organization. This helps with HIPAA compliance requirements and makes it more difficult for adversaries to gain privileged access to sensitive data," Allie Roblee, cyber intelligence analyst at Resilience, told HCB News.

Ensuring less secure connected devices are separate from others is also important for limiting the spread of any potential breach. "Since patching is complex for these systems and sometimes not an option, they should also be considered 'untrusted' devices and limited from connecting or communicating with systems holding patient data," said Roblee.

Building transparency through collaboration
Recently, the FDA said that manufacturers of any device using software and connected to the internet must continue to update and patch their solutions, including by issuing a software bill of materials and creating a plan for identifying and addressing "postmarket cybersecurity vulnerabilities."

This will require manufacturers to work more closely with clinicians, hospital IT teams and executives. Breaking down silos between biomedical engineering and cybersecurity teams also provides insight into the impact these vulnerabilities can have on care, according to Waqas, who says that bringing the two teams together to develop solutions has been shown to reduce these risks.

"At the industry level, we need to improve visibility when manufacturing, procuring, and operationalizing these devices. At the organizational level, creating a comprehensive asset inventory is a critical step of any cybersecurity program framework, such as the NIST cybersecurity framework, or special publications such as 800-66 for medical and IoMT devices," he said.

According to cybersecurity firm Sophos' "The State of Ransomware in Healthcare 2022" report, 66% of ransomware attacks were directed at healthcare systems and hospitals in 2021, with providers needing an average of one week and $1.85 million to recover.

As IoT and IoMT devices grow in number and in the ways they are used, Waqas says the attack surface and the opportunities for breaches are growing too. That will continue, he says, unless providers make an effort to understand and remove the obstacles that keep them from addressing the vulnerabilities in their medical devices and mitigating the risks those devices pose to patients and critical care services.