Under-addressed risks, threats, security issues related to healthcare IoT environments identified

Data from Cynerio disclosed under-addressed risks, threats, and security issues related to the healthcare IoT environments, as critical medical device risks continue to leave hospitals and their patients vulnerable to cyber-attacks and data security issues. Based on information collected from millions of connected devices at hundreds of hospitals in the U.S. and around the world, Cynerio found that over 50 percent of connected devices have critical risks present in a typical hospital setup. 

Almost three-fourths of IV pumps have vulnerabilities that could threaten patient safety if exploited, while over 50 percent of devices in oncology, pharmacology, and laboratory departments run on old versions of Windows that are no longer updated, Cynerio said in its research report titled ‘The State of Healthcare IoT Device Security 2022,’ released Wednesday. 

Cynerio collects detailed information about a hospital’s connected device footprint – across IoT, IoMT (Internet of Medical Things), OT (operational technology), and other connected devices, through a patented connector that is typically placed on the core switch’s SPAN port. This allows Cynerio to passively monitor the network traffic of connected devices immediately without putting confidential data at risk. 

The research analysis is based on data from over 10 million IoT and IoMT devices, collected from current Cynerio implementations at over 300 hospitals and other healthcare facilities in the U.S. and around the world, fully anonymized and analyzed by its data team.

As Urgent11 and Ripple20 made headlines, the most common IoMT and IoT device risks were still connected to default passwords and settings that attackers can often obtain easily from manuals posted online, Cynerio identified. Vulnerabilities such as Urgent11 and Ripple20 were great for raising IoMT security awareness, but only affected about 10 percent of devices with attack vectors that are difficult for attackers to leverage successfully.

The report found that the ubiquitous IV pump makes up 38 percent of a hospital’s typical healthcare IoT footprint, and a whopping 73 percent of those IV pumps have a vulnerability that would jeopardize patient safety, data confidentiality, or service availability if it were exploited by an adversary.

53 percent of connected medical and other IoT devices in hospitals have a known critical vulnerability, Cynerio said in its report. If attacked, these will impact patient safety, service availability, or data confidentiality, either directly or as part of an attack’s collateral damage. A third of bedside healthcare IoT devices, the devices closest to patient care that patients most depend on for optimal health outcomes, have an identified critical risk.

Cynerio found that almost 80 percent of healthcare IoT devices get used monthly or more frequently, with little downtime for hospital security teams to analyze them for risks and attacks, apply the latest patches, and carry out segmentation to protect the devices on the network. The report also said that Linux is the operating system of about half of healthcare IoT devices, followed by dozens of mostly proprietary operating systems with small chunks of the overall footprint. 

The Cynerio report found that medical devices running versions of Windows older than Windows 10 make up only a small part of a typical hospital’s healthcare IoT infrastructure, but they account for the majority of devices used by pharmacology, oncology, and laboratory departments, and make up a plurality of devices used by radiology, neurology, and surgery departments. This leaves patients connected to those devices vulnerable, since those older versions of Windows are already past their end of life, and replacing the machines they run on will still take several years in most cases.

Effective network segmentation addresses over 90 percent of critical device risks, making it hugely beneficial for reducing critical IoMT and IoT risk. Segmentation that takes medical workflows and patient care contexts into account addresses over 90 percent of the critical risks presented by connected devices in hospitals and can appropriately be used to mitigate and remediate most risks that connected devices present.

Cynerio said that the healthcare sector is more targeted for cyberattacks than any other industry, absorbing 100 to 200 percent more attacks than the runner-up. One reason is the sensitive personal health information (PHI) that healthcare organizations hold, which is useful for perpetrating identity fraud. Medical records can fetch up to 50 times the amount that stolen credit cards get on the black market.

“Unfortunately, hospitals often lack visibility into the critical risks and attacks targeting the mushrooming array of connected medical, enterprise IoT, and industrial OT devices that are becoming increasingly common at all levels of patient care, with disastrous consequences,” it added in its report.

Attackers are already leveraging any vulnerability they can find on hospital networks and using them to launch ransomware attacks and steal protected health data, Cynerio said. Even so, most IoT healthcare cybersecurity is still focused on providing a comprehensive inventory of connected devices, perhaps with some data related to their potential risk. As of now, such offerings do not provide a way to fight back against threats or to protect against what cannot be remediated. Hospitals don’t need more data – they need to be able to act decisively when attacked, it added.

Identifying and addressing risk vectors that are already being leveraged in ‘the wild’ is a good first step towards implementing healthcare IoT security that will make a hospital’s connected device footprint more resilient. 

“We expect that there will be a broader acceptance of such mitigating controls for healthcare IoT as the footprint of these devices quintuples in the next decade. But hospitals also need solutions in place to respond to live attacks when ‘the wild’ is suddenly at their doorstep,” Cynerio said in its report. Attackers motivated by money and indifferent to the care they may be adversely impacting will look for the lowest-hanging fruit to attack, and hospitals will need to speed up their time to attack detection as more hospitals increase their healthcare IoT security fortification, it added.

As IT security moves to an XDR (Extended Detection and Response) model to automate incident identification and remediation, healthcare IoT will need to move towards an attack detection and response model as attacks continue to evolve and target the healthcare sector more than any other.
