These medical IoT devices carry the biggest security risks

Unpatched and running on operating systems that are no longer supported, these connected healthcare devices carry significant security risks for a sector that's already a top target for cyber criminals.
Written by Eileen Yu, Senior Contributing Editor
medical iot concept
Image: Getty Images/metamorworks

Connected medical devices still operate on unsupported operating systems and remain unpatched, even as cyberattacks continue to grow in the highly targeted healthcare sector.  

Take the example of nurse call systems, which allow patients to communicate with nurses should they require assistance. Security specialist Armis, which monitors more than three billion assets worldwide, reports that 48% of nurse call systems have unpatched common vulnerabilities and exposures (CVEs). Just over a third (39%) are critical severity CVEs, with Armis gaining this insight by analysing connected medical and IoT devices on its platform. 

Also: These experts are racing to protect AI from hackers

This level of vulnerability makes nurse call systems the "riskiest" medical Internet of Things (IoT) devices, according to Armis. High-risk systems have the biggest percentage of unpatched critical severity CVEs among all connected medical and IoT devices that Armis analyses.

Infusion pumps, which are used to mechanically or electrically provide fluids to patients, are the second riskiest IoT medical devices, with almost a third (30%) operating with unpatched CVEs. In addition, 27% of these devices carry unpatched critical severity CVEs.

Also: What is phishing? Everything you need to know

When it comes to medication dispensing systems, 86% have unpatched CVEs, of which 4% are critical severity. Just under a third (32%) of these devices operate on Microsoft Windows versions that are no longer supported. In total, Armis says 19% of medical IoT units run on unsupported OS versions.

Over half (59%) of IP cameras monitored by Armis in clinical environments have unpatched CVEs, of which 56% are critical severity. Printers are the next riskiest IoT device within clinical sites, with 37% carrying unpatched CVEs, 30% of which are critical severity. Voice over IP devices place third, with 53% having unpatched CVEs, although just 2% are critical severity.

"Advances in technology are essential to improve the speed and quality of care delivery as the industry is challenged with a shortage of care providers, but with increasingly connected care comes a bigger attack surface," said Mohammad Waqas, Armis' principal solutions architect for healthcare. 

"Protecting every type of connected device, medical, IoT, even the building management systems, with full visibility and continuous contextualised monitoring is a key element to ensuring patient safety."

Also: These are the devices most at risk of getting hacked

The prevalence of unprotected devices comes as the healthcare sector continues to face fresh cybersecurity risks. The sector saw a 31% climb in threat activities between January and March this year compared to the previous quarter, according to Armis, citing figures from its intelligence platform. 

Other evidence suggests the healthcare sector is increasingly reliant on connected devices. A 2022 Juniper Research study estimated that smart hospitals worldwide would deploy 7.4 million medical IoT devices by 2026, with each hospital running more than 3,850 connected devices on average. China was projected to lead the pack, with its smart hospitals accounting for 41% of IoT devices by 2026, followed by the US at 21%. 

With healthcare one of the top targets for ransomware attacks, countries such as Singapore have been focusing efforts on bolstering the cyber resilience of their critical information infrastructure industries. 

Last October, Singapore expanded its cybersecurity labelling program to include medical devices, specifically, those that handle sensitive data and which can communicate with other systems. The program comprises four levels of rating, with each level indicating an additional level of product testing and assessment. Level one labelling, for example, shows a medical device that has achieved baseline regulatory requirements, which are currently aligned with registration requirements for medical devices approved by the Health Science Authority. 

Also: Glitch in system upgrade identified as cause of delays at Singapore immigration

Singapore's Cyber Security Agency (CSA) has also warned that critical IoT devices are potential targets in ransomware attacks, with cyber criminals recognising that the infection of these devices could lead to significant downtime costs and damage. "Should organisations in critical, time-sensitive industries such as healthcare, be infected with ransomware, there could be serious, life-threatening consequences," CSA said. 

Editorial standards