Healthcare security: IT pros warn of vulnerable HVAC systems, imaging machines, check-in kiosks and more

A survey of 400 IT pros found that most are concerned about the potential for data breaches and attacks leveraging medical equipment.

IT professionals have seen increased cyber risk over the last 12 months, according to a survey from cybersecurity company Armis.

Armis and Censuswide spoke with 400 IT professionals working in healthcare organizations across the US as well as 2,030 general respondents, finding that nearly 60% of IT respondents had dealt with a ransomware incident at their organization over the last year.  

According to Armis, there are about 430 million connected medical devices already in deployment worldwide, leaving many hospitals vulnerable to a variety of cybersecurity flaws in pneumatic tubes, technologies used in HVAC systems, B. Braun infusion pumps and more.

More than 32% of general respondents said they had been the victim of a healthcare cybersecurity attack, and IT professionals said they are most worried about the kind of hospital data breaches that have become commonplace in recent years.

More than half of IT respondents said data breaches leading to the leak of confidential patient data were a top concern. After data breaches, 23% of IT professionals were most concerned about attacks on hospital operations and 13% cited ransomware attacks as a concern.

Building systems like HVACs and electrical devices were the riskiest from a cybersecurity perspective, according to 54% of IT professionals, followed by imaging machines, medication dispensing equipment, check-in kiosks and vital sign monitoring equipment.

Thankfully, many IT respondents said their healthcare organization was taking steps to make cybersecurity a priority, with 86% saying their organization has hired a CISO and 95% saying their connected devices were up to date with the latest software. 

But 75% said recent attacks have been the driving force behind cybersecurity changes. More than half of IT workers said their healthcare organization is allocating more money as a way to secure systems. 

More than 62% of respondents said their healthcare organization has had to submit a cyber insurance claim. 

"Continuous visibility, context and alignment of security analytics to enterprise risk is the beacon to which we need to move to improve how we view device and asset management," said Oscar Miranda, CTO for healthcare at Armis. 

"It is critical for healthcare organizations to take the entire patient journey into consideration when thinking about security. A strong healthcare security strategy is multi-faceted and requires a holistic view."

From a potential patient perspective, nearly half of respondents said they would change hospitals if they knew their hospital had been hit with a ransomware attack, and 37% were concerned about hospitals using online portals for patient information.

The survey comes on the heels of a report from Forescout Technologies and Medigate about more than a dozen vulnerabilities in Siemens software affecting about 4,000 devices made by a range of vendors. First reported by CNN, the vulnerabilities affect versions of the Nucleus Real-time Operating System, which manages patient monitors, anesthesia tools, ultrasound machines and x-ray devices.