Philips study finds hospitals struggling to manage thousands of IoT devices

More than 13% of hospitals had no inventory and no way of knowing how many medical devices were deployed.
Written by Jonathan Greig, Contributor

Health technology company Philips and cybersecurity company CyberMDX released a new report this week covering cybersecurity spending and trends at mid-sized as well as large hospitals. 

Working with market research firm Ipsos, researchers surveyed 130 IT healthcare decision-makers to figure out how they were managing the thousands of medical devices that populate most hospitals today. 

The "Perspectives in Healthcare Security Report" split most of the study between large hospital systems with more than 1000 beds and mid-sized ones with less than 1000 beds. 

More than 31% of respondents worked at hospitals with less than 10 000 medical devices, while another 29% worked in hospital systems with less than 25 000. Almost 20% worked for hospital systems deploying under 50 000 devices. 

While most respondents had a good idea of how many devices were deployed in their hospital system, 15% of mid-sized hospitals and 13% of large hospitals had no way of knowing the number of devices on their network. 

Almost half of all respondents find their staffing for medical device and IoT security "inadequate," with most reporting a mean cybersecurity staff of around 12 or 13 people. 

Nearly 40% of all large hospital systems hire IoT security solutions to protect their devices, while 16% rely on the security provided by the medical device manufacturer. Some also turn to IT equipment vendors or 3rd party systems integrators. 

The numbers were almost identical for mid-sized hospitals, but a larger share relies on medical device manufacturers for security. 

Respondents listed NotPetya, MDHex, MDHexRay, Ryuk, Wannacry, Apache Struts, BlueKeep as the most common vulnerabilities. More than 51% of respondents said their hospitals "were not protected against the Bluekeep vulnerability, and that number increased 64% for WannaCry and 75% for NotPetya."

The mean annual IT spend is around $3 million to $3.5 million for both larger and mid-size hospital systems. A mean of about $300 000 is spent each year on medical devices and IoT cybersecurity. 

Nearly 80% of both mid-sized and large hospital systems measured cybersecurity ROI through logs of major attacks while also using "total critical vulnerabilities found" and "amount of time saved" as measures of success. 

Hospital cybersecurity has never been more crucial. An HHS report found that there have been at least 82 ransomware incidents worldwide this year, with 60% of them specifically targeting US hospital systems. 

Azi Cohen, CEO of CyberMDX, noted that hospitals now have to deal with patient safety, revenue loss and reputational damage when dealing with cyberattacks, which continue to increase in frequency. 

Almost half of the hospital executives surveyed said they dealt with a forced or proactive shutdown of their devices due to an outside attack in the last six months. 

Mid-sized hospital systems struggled mightily with downtime from medical devices. Large hospitals faced an average shutdown time of 6.2 hours and a loss of $21 500 per hour. But the numbers were far worse for mid-sized hospitals, whose IT directors reported an average of 10 hours of downtime and losses of $45 700 per hour. 

"No matter the size, hospitals need to know about their security vulnerabilities," said Maarten Bodlaender, head of cybersecurity services at Philips.

Editorial standards