vectorfusionart - stock.adobe.co

Weak Connected Medical Device Security Increases Cyberattack Threats

A new survey found that healthcare organizations with more connected medical devices have a 24 percent greater risk for cyberattacks, underscoring a need for more medical device security.

Medical device security continues to be an issue for healthcare organizations, especially as the threat of cyberattacks increases in the industry.

The medical internet of things (IoT) has made healthcare more convenient, efficient, and patient-focused but it is also a weak link to data security. Many connected devices with IoT sensors, such as glucose monitors, insulin pumps, and defibrillators, have inadequate security defense that could pose risks to healthcare facilities and patients.

Capterra’s 2022 Medical IoT Survey containing over 150 respondents found that medical facilities with over 75 percent of connected medical devices have a 24 percent higher risk of cyberattack than practices with less than 50 percent of connected devices.

With the high adoption of connected medical devices, the threat of cyberattacks is more prevalent.

Overall, 40 percent of healthcare organizations have between 51 percent and 70 percent of their medical devices connected to the internet through Wi-Fi or hardwired.

“As a healthcare organization connects more medical devices to its network, its attack surface expands,” Zach Capers, the senior security analyst at Capterra, said in a press release. “Connected medical devices often go unmonitored for security vulnerabilities, and because they run on a wide array of software and hardware platforms, it’s difficult to monitor with a single tool. This means that many connected medical devices are left wide open to cyberattacks.”

Typically connected medical devices are developed with security as an afterthought, allowing attackers to have an easy entry point into the hospital network, Capterra researchers stated.

These cyberattacks also hold potential health data privacy risks. According to the survey findings, 48 percent of all healthcare cyber attacks impact patient care, and 67 percent effect the security of personal health information (PHI).

“It’s common for cyberattacks to cause downtime and impact productivity no matter the industry—but when they hit healthcare providers, downtime means inaccessible health data, malfunctioning devices, and delayed procedures,” Capers said. “In the worst case scenario, a cyberattack could even impact patient mortality, the subject of a pending lawsuit  that claims a hospital ransomware attack led to the death of a newborn, the first litigation of its kind.”

While the concerns around connected medical devices are significant, Capterra suggested that many healthcare organizations are not taking necessary preventive measures.

The survey found that 53 percent of health IT staff mark the cybersecurity threat level of connected medical devices. However, 57 percent need to take simple security steps, like changing the default username and password for each new connected medical device.

It is recommended that healthcare practices patch devices or update firmware immediately after a security threat are noted. Despite being recommended precaution measures, 68 percent are not updating connected devices when a patch is available.

“Medical IoT security requires proactive and ongoing vigilance,” Capers stated. “Healthcare practices should conduct routine vulnerability assessments before connecting medical devices to their IT network. They should also keep an up-to-date and accurate inventory of all connected devices plus associated software and firmware and use software to monitor these devices.”

The continuous challenges with securing and keeping track of medical devices have prompted federal offices to step in and take legislative action.

The introduction of medical device security legislation, such as the PATCH Act, signals a step forward in safeguarding patient data.

However, health experts believe more than these legislative actions might be needed to address the numerous concerns surrounding connected medical devices.

The PATCH Act aims to "amend the Federal Food, Drug, and Cosmetic Act to require, for purposes of ensuring cybersecurity, the inclusion in any premarket submission for a cyber device of information to demonstrate a reasonable assurance of safety and effectiveness throughout the lifecycle of the cyber device, and for other purposes," the bill stated.

The legislation is a step forward, but healthcare organizations should continue to prioritize medical device security internally to mitigate risk.

Next Steps

Dig Deeper on Cybersecurity strategies