by John R. Fischer, Senior Reporter | January 28, 2022
Critical vulnerabilities put over half of medical devices connected to hospital networks at risk of being breached by malicious viruses and software that could potentially compromise patient information.
In an analysis of 10 million devices at more than 300 hospitals and medical facilities worldwide, Cynerio identified 53% of internet-connected medical devices with a known vulnerability and one-third of bedside devices with a critical risk.
Cynerio warns in its 2022 State of Healthcare IoT Device Security report that these issues could enable hackers to access devices and potentially impact service availability, steal and expose patient data and even endanger patient safety, according to ZDNet.
"Hospitals and health systems don't need more data — they need advanced solutions that mitigate risks and empower them to fight back against cyberattacks, and as medical device security providers, it's time for all of us to step up. With the first ransomware-related fatalities reported last year, it could mean life or death,” said Cynerio’s CTO Daniel Brodie in a statement.
Infusion pumps were the most common device to have some type of vulnerability, with 73% showing such issues. This is very concerning, as IV pumps make up 38% of a hospital’s IoT, and because patients are connected to the pumps, hacking into them allows hackers to directly affect patients.
Other internet-connected devices that posed risks were patient monitors and ultrasounds, with both devices among the top 10 listed in terms of number of vulnerabilities, reported The Verge.
Outdated software, such as older Windows versions, was found on most medical IoT devices, specifically versions older than Windows 10. Outdated systems and insufficient cybersecurity protections have made healthcare a prime target of cybercriminals, according to Cynerio. Default passwords are also a problem and were found on about 21% of devices in the analysis.
In addition to addressing these issues directly, Cynerio recommends that healthcare organizations segment their networks, as doing so addresses more than 90% of critical risks in medical devices and reduces ransomware attacks. It adds that healthcare organizations do not have the resources or personnel to keep systems updated and that they may not even know if there is an update for one of their devices or a recall.