Majority of internet-connected devices in hospitals are vulnerable

Cristina De Luca

January 25, 2022

For decades, patient care has seen improvements resulting from the data, insights, and timeliness provided by connected devices. However, as the number of these devices has grown, so have the threats and vulnerabilities.

Today, more than half of Internet-connected devices used in hospitals have a vulnerability that could put a device’s patient safety, confidential data or usability at risk, according to a new report from Cynerio that analysed data from more than 10 million IoT and IoMT devices in more than 300 hospitals and healthcare facilities around the world.

Infusion pumps are the most common type of connected device in hospitals. They can connect remotely to electronic medical records, retrieve the correct dosage of a drug or other fluid and dispense it to the patient. They are also the devices most likely to have their vulnerabilities exploited by hackers, according to the report: 73 percent had a vulnerability.

Source: Cynerio

Experts fear that hacks on devices like these, directly connected to patients, could be used to harm them directly. Theoretically, someone could access these systems and alter the dosage of a medication, for example.

It has never been clearer that digital security and patient safety are closely intertwined, and that protecting the devices that provide the care that patients depend on is ultimately essential to safeguarding their health, safety, and well-being.

Healthcare organizations are now a major target for hackers, and while a direct attack on Internet-connected medical devices doesn’t seem to have happened, experts believe it’s a definite possibility. The most active threat is from groups hacking into hospital systems via a vulnerable device and locking down the hospital’s digital networks – leaving doctors and nurses unable to access medical records, devices, and other digital tools – and demanding a ransom to unlock them. These attacks have increased in recent years and slow down hospital functions to the extent that they can harm patients.

Nearly 80% of healthcare IoT devices work around the clock. With little downtime, it is difficult for hospital cybersecurity teams to scan them for risks and attacks, apply the latest patches, and perform segmentation to protect other devices on the network.

In addition, most of these devices are controlled by equipment running the Linux operating system or one of dozens of proprietary operating systems. This makes most IT security tooling, designed overwhelmingly for Windows machines, inadequate for IoMT cybersecurity.

Cynerio’s report notes that most vulnerabilities in medical devices are easy to fix. They are related to the use of weak or default passwords and to recall notices that hospitals have disregarded. Many healthcare organizations simply do not have the resources or staff to keep systems up to date and may not know whether there is an update or alert for one of their devices.

Source: Cynerio

Vulnerabilities widely reported in the last 12 months, such as URGENT/11 or Ripple20, are the most common risks faced by these devices. Of course, hospitals should protect against them. But the report warns that while the many articles written about these vulnerabilities have been great for creating general awareness about IoT security in healthcare, they represent only a small part of the risk that most healthcare IoT devices face.

Source: Cynerio

Hospitals often underestimate the importance of their underlying network and infrastructure when deploying connected health devices and services. A large, unsegmented, and unmonitored network presents a large attack surface that can give attackers free access to move laterally in search of critical data and resources.

The right amount of segmentation is a balance: enough that the network is not left open to security risks, but not so much that it breaks the connectivity devices need. Segmentation needs to be designed according to the potential threat vectors, the potential vulnerabilities that can be exploited, and the clinical context of each device in the segment.

Also worth noting are the two main forms of segmentation: east-west and north-south. East-west segmentation blocks all non-essential device communication across the LAN, while north-south segmentation blocks all non-essential communication leaving the network, to prevent malicious entities inside it from exfiltrating data. Of course, a device can have more than one risk factor present at the same time and require multiple segmentation actions.
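To make the two forms of segmentation concrete, the following is an added example, not code from the article or from Cynerio. It classifies each network flow touching a device as east-west (both ends on the hospital LAN) or north-south (one end outside), and allows only the peers that device needs for its clinical function in that direction, denying everything else. The address plan, the device, its essential peers and the sample flows are all constructed for illustration.

```python
"""Toy segmentation-policy evaluator for a hospital IoMT network.

Added example, not from the Cynerio report or the article. All subnets,
device names, peers and flows below are constructed for illustration.

Two rule sets are modelled, matching the article's terms:
  * east-west  : traffic between two hosts on the hospital LAN (lateral movement)
  * north-south: traffic between the LAN and the outside (e.g. exfiltration)
A device's policy lists the only peers it needs in each direction; any other
flow in that direction is denied.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed address plan: a clinical VLAN and an EMR/server VLAN.
# Anything not in these ranges is treated as outside the hospital network.
LAN = [ip_network("10.10.0.0/16"), ip_network("10.20.0.0/16")]


def is_internal(addr: str) -> bool:
    """True if the address belongs to one of the hospital LAN ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in LAN)


def flow_direction(src: str, dst: str) -> str:
    """'east-west' when both ends are on the LAN, otherwise 'north-south'."""
    return "east-west" if is_internal(src) and is_internal(dst) else "north-south"


@dataclass
class DevicePolicy:
    name: str
    address: str
    # Essential peers as (peer_ip, destination_port) pairs, per direction.
    east_west_allow: set[tuple[str, int]] = field(default_factory=set)
    north_south_allow: set[tuple[str, int]] = field(default_factory=set)


def evaluate(policy: DevicePolicy, src: str, dst: str, port: int):
    """Return (direction, verdict, reason) for one flow involving the device."""
    direction = flow_direction(src, dst)
    peer = dst if src == policy.address else src
    allowed = policy.east_west_allow if direction == "east-west" else policy.north_south_allow
    if (peer, port) in allowed:
        return direction, "allow", f"{policy.name}: essential {direction} traffic with {peer}:{port}"
    return direction, "deny", f"{policy.name}: non-essential {direction} traffic with {peer}:{port}"


def evaluate_all(policy: DevicePolicy, flows):
    return [evaluate(policy, s, d, p) for s, d, p in flows]


def summarize(results):
    """Count denied flows per direction, as a segmentation review would report them."""
    counts = {"east-west": 0, "north-south": 0}
    for direction, verdict, _ in results:
        if verdict == "deny":
            counts[direction] += 1
    return counts


# Constructed infusion pump: it only needs the EMR/drug-library server on the
# LAN and a single vendor update service outside (TEST-NET-3 address).
PUMP = DevicePolicy(
    name="infusion-pump-07",
    address="10.10.4.21",
    east_west_allow={("10.20.1.5", 443)},
    north_south_allow={("203.0.113.10", 443)},
)

# Constructed sample flows: (src, dst, dst_port).
FLOWS = [
    ("10.10.4.21", "10.20.1.5", 443),     # pump -> EMR server: essential east-west
    ("10.10.4.21", "10.10.4.88", 445),    # pump -> another clinical host over SMB: lateral, deny
    ("10.10.4.21", "203.0.113.10", 443),  # pump -> vendor update service: essential north-south
    ("10.10.4.21", "198.51.100.7", 443),  # pump -> unknown external host: deny (possible exfiltration)
    ("10.10.9.3", "10.10.4.21", 23),      # workstation -> pump over telnet: deny
]

if __name__ == "__main__":
    results = evaluate_all(PUMP, FLOWS)
    for direction, verdict, reason in results:
        print(f"{direction:12} {verdict:5} {reason}")
    print(summarize(results))
```

The evaluator is deliberately per-device: the same pump gets both an east-west and a north-south rule set, which is the "multiple segmentation actions" the paragraph describes, and a flow is judged only against the peers that device's clinical role requires.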

Monitoring, for its part, already takes place in hospitals: IT components such as storage systems, networks, and servers are routinely monitored, and modern medical devices and systems also offer native monitoring functions. What is missing is a central view of the big picture, and few monitoring solutions can provide it.

Often, the digital infrastructure of hospitals has become fragmented and complex due to silos, which prevent hospitals from functioning in a coordinated and structured manner. This invariably leads to the less efficient delivery of health care services or even serious consequences for patients.

While hospitals are at different points in the digital transformation journey, the level of hospital efficiency and patient care depends on the ability of a hospital’s digital health infrastructure to adapt and upgrade to new technologies, machines, devices, and medical systems.

Thus, the IT department of a hospital plays a key role in creating a digital infrastructure to overcome the digital and physical silos that exist from the beginning.

A unified monitoring approach provides hospital administrators with a consolidated view of the physical and virtual IT infrastructure and supports staff with standard tasks that can be performed more efficiently using technology.

This can reduce silos leading to a more efficient infrastructure that can impact the overall structure of the institution. Having a comprehensive view can also help ensure that the privacy of patient data is securely maintained without compromising operational efficiency.