More than half of medical devices found to have critical vulnerabilities

A new report reveals what kind of medical devices are at most risk of security threats.
Written by Allison Murray, Staff Writer

More than half of the connected medical devices in hospitals pose security threats due to critical vulnerabilities that could potentially compromise patient care. 

According to the 2022 State of Healthcare IoT Device Security Report from Cynerio, 53% of internet-connected medical devices analyzed were found to have a known vulnerability, while one-third of bedside devices were identified to have a critical risk. Cynerio analyzed over 10 million medical devices at more than 300 global hospitals and medical facilities.   

The report warns that if these medical devices were to be accessed by hackers, it would impact service availability, data confidentiality, and even patient safety. 

"Healthcare is a top target for cyberattacks, and even with continued investments in cybersecurity, critical vulnerabilities remain in many of the medical devices hospitals rely on for patient care," said Daniel Brodie, the CTO, and co-founder, Cynerio, in a statement. "Hospitals and health systems don't need more data -- they need advanced solutions that mitigate risks and empower them to fight back against cyberattacks, and as medical device security providers, it's time for all of us to step up. With the first ransomware-related fatalities reported last year, it could mean life or death." 

Out of all the medical devices, the report found that infusion (IV) pumps are the most common device with some type of vulnerability at 73%, especially since they make up 38% of a hospital's IoT. If attackers were to hack into an IV pump, it would directly affect the patients since the pumps are connected.

Some of the causes of these vulnerabilities result from relatively simple things, such as outdated programs. For example, the report found that most medical IoT devices were running older Windows versions, specifically, older than Windows 10. In addition, default passwords that are the same throughout an organization are common risks, especially since these weak default credentials secure about 21% of devices.

Healthcare has become the number one target for cybercriminals in recent years, primarily due to outdated systems and not enough cybersecurity protocols. More than 93% of healthcare organizations experienced some type of data breach between 2016-2019. 

Just last month, Maryland's Department of Health experienced a ransomware attack that affected the department for weeks. The attack left the department scrambling since it could not release COVID-19 case rates amid the Omicron surge, and the number of COVID-19 deaths were not reported in the state for almost all of December. 

Cynerio notes that the solution to mitigating these vulnerabilities to reduce ransomware attacks is network segmentation. By dividing up a hospital's network, more than 90% of critical risks in medical devices would be addressed.

Editorial standards