“I think this is reaching a level of criticality that is getting the attention of CEOs and board rooms.” – Ed Gaudet, CEO and founder, Censinet – Interview with The Verge
Most of the current conversations around cybersecurity in health care have centered on ransomware and its impact on health system operations and finances. I’ve written on the topic earlier and continue to follow developments in that area. But an area that hasn’t received much attention is the risks, threats, and security issues of IoT and other connected devices within healthcare environments.
An excellent new report published by healthcare cybersecurity company Cynerio reveals that over half of internet-connected devices used in hospitals have a vulnerability that could put patient safety, confidential data, or the usability of a device at risk. The report analyzed data from over 10 million devices at over 300 hospitals and health care facilities globally, which the company collected through connectors attached to the devices as part of its security platform.
The data are sobering. The most common type of internet-connected device in hospitals was an infusion pump. Infusion pumps were also the devices most likely to have vulnerabilities that hackers could exploit: the report found that 73 percent had a vulnerability. Experts worry that hacks into devices like these, which are directly connected to patients, could be used to hurt people directly or to threaten to do so. Someone could theoretically access those systems and change the dosage of a medication, for example.
Other common internet-connected devices are patient monitors, which can track things like heart rate and breathing rate, and ultrasounds. Those types of devices were in the top 10 list in terms of numbers of vulnerabilities.
The major challenge associated with these devices is that unlike the IT world, where Microsoft Windows dominates the desktop, healthcare IoT is all over the map. In terms of security, this makes solutions like Endpoint Detection and Response (EDR) agents almost impossible to deploy. There is no way for those solutions to address the wide variety of operating systems that power devices created by different manufacturers for different medical purposes.
As you can see in the graphic above, nearly 50% of medical devices run on Linux, an open-source platform known for its stability and customizability. And for those devices that run on the Windows operating system, most are running older versions of Windows, which is a problem: most malware and ransomware are designed to attack Windows devices and will more easily threaten devices running on that operating system, particularly versions that no longer receive security updates.
So, what’s necessary to reduce the risk? Cynerio’s report notes that most of the vulnerabilities in medical devices are easily fixable: they’re due to weak or default passwords or to a recall notice that the organization hasn’t acted on. Devices often ship with default administrative passwords (like Daemon or Admin) and settings that remain unchanged and are printed in device manuals that attackers can easily find online. Many healthcare organizations don’t have the resources or personnel to keep systems up to date and might not know if there’s an update or alert concerning one of their devices. Those organizations would benefit from engaging a company specializing in IoT security like Cynerio to help identify their specific issues and assist with mitigation. The dollars spent in that effort are small compared to the financial and operational pain the organization will experience if those vulnerable devices are breached.
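The three fixable issues named above (default administrative passwords left in place, recall or advisory notices not acted on, and end-of-support Windows versions) can be checked offline against an asset inventory. The script below is an added example written for this post; it is not Cynerio's code or tooling. It assumes the organization's configuration audit records a SHA-256 digest of each device's current admin password (so the script compares digests and never handles plaintext), and all device records, model names, advisory identifiers and the default-credential list are constructed placeholders.

```python
"""Offline triage of a hospital device inventory for the easily fixable issues
named in the report: default credentials still in place, recall/advisory
notices not yet applied, and Windows versions past end of support.
Every record below is constructed sample data standing in for an
organization's own asset database; this is not Cynerio's code."""
from dataclasses import dataclass, field
import hashlib

# Assumption: the configuration audit stores a SHA-256 digest of each device's
# current administrative password, so only digests are compared here and no
# plaintext credential is stored. The default-password list is constructed.
DEFAULT_PASSWORD_DIGESTS = {
    hashlib.sha256(p.encode()).hexdigest()
    for p in ("admin", "Admin", "Daemon", "password", "1234")
}

# Windows releases past Microsoft's end of extended support
# (XP: April 2014; 7 and Server 2008: January 2020).
UNSUPPORTED_WINDOWS = {"XP", "7", "Server 2008"}

# Devices wired directly to a patient get a higher weight, matching the
# report's concern about infusion pumps and patient monitors.
PATIENT_CONNECTED = {"infusion pump": 3, "patient monitor": 2}

# Constructed advisories keyed by device model: the recall / firmware notices
# the organization must act on. Model names and identifiers are placeholders.
ADVISORIES = {
    "PumpCo-IP200": ["ADV-PLACEHOLDER-001", "ADV-PLACEHOLDER-002"],
    "MonCo-PM7": ["ADV-PLACEHOLDER-003"],
}


@dataclass
class Device:
    device_id: str
    kind: str
    model: str
    os_family: str
    os_version: str
    admin_pw_digest: str
    applied_advisories: list = field(default_factory=list)


def triage(device: Device) -> dict:
    """Return the open findings and a weighted risk score for one device."""
    findings = []
    if device.admin_pw_digest in DEFAULT_PASSWORD_DIGESTS:
        findings.append("default administrative password still in use")
    if device.os_family == "Windows" and device.os_version in UNSUPPORTED_WINDOWS:
        findings.append(f"unsupported OS: Windows {device.os_version}")
    for adv in ADVISORIES.get(device.model, []):
        if adv not in device.applied_advisories:
            findings.append(f"advisory not applied: {adv}")
    weight = PATIENT_CONNECTED.get(device.kind, 1)
    return {"device_id": device.device_id, "findings": findings,
            "score": weight * len(findings)}


def triage_inventory(devices):
    """Triage every device, highest score first so patient-connected devices
    with the most open issues land at the top of the remediation list."""
    results = [triage(d) for d in devices]
    return sorted(results, key=lambda r: (-r["score"], r["device_id"]))


def _digest(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed sample inventory of four devices.
SAMPLE_INVENTORY = [
    Device("IP-0001", "infusion pump", "PumpCo-IP200", "Linux", "4.19",
           _digest("Daemon")),
    Device("IP-0002", "infusion pump", "PumpCo-IP200", "Linux", "4.19",
           _digest("c0rrect-h0rse"),
           ["ADV-PLACEHOLDER-001", "ADV-PLACEHOLDER-002"]),
    Device("PM-0100", "patient monitor", "MonCo-PM7", "Windows", "7",
           _digest("Admin"), ["ADV-PLACEHOLDER-003"]),
    Device("US-0042", "ultrasound", "UltraCo-U1", "Windows", "10",
           _digest("s0me-l0ng-pass")),
]

if __name__ == "__main__":
    for r in triage_inventory(SAMPLE_INVENTORY):
        print(r["device_id"], r["score"],
              "; ".join(r["findings"]) or "no findings")
```

Run as-is it lists the infusion pump with a default password and two unapplied advisories first (score 9), then the patient monitor on Windows 7 with a default password (score 4), then the two clean devices. Feeding it a real inventory means exporting the same fields from the asset database and replacing the constructed advisory table with the vendor notices the organization actually tracks.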