Health Care Under Cyberattack: Unprotected Medical IoT Devices Threaten Patient Care
Connected devices bring organizations more information and convenience, but they also increase an organization’s attack surface—and medical devices are no different. According to a survey released by reviews platform provider Capterra, as health care organizations connect more medical devices to their network, they are also attacked more often.
Capterra’s 2022 Medical IoT Survey was conducted in October 2022 and fielded responses from 151 U.S. respondents. Capterra said respondents were required to hold either information technology or security positions at health care organizations that also used internet-connected medical devices.
What did they find? According to the report, those health care organizations with more than 70% of internet-connected devices are 25% more likely to be attacked than those health care organizations with 50% or fewer internet-connected devices. The highly connected organizations also have a 54% greater risk of being attacked multiple times.
Also, nearly half (48%) of health care cyberattacks impacted patient care and two in three (67%) affected patient data. More than half (53%) of health care IT staff viewed the current cybersecurity threat landscape as high or extreme.
That anxiety exists for a good reason. While connected medical devices can make health care more convenient, these devices have been manufactured and shipped with security defects that can be exploited by attackers. These flaws include everything from foundational design mistakes to the same types of software flaws that have plagued business technology and e-commerce systems.
Additionally, in general, health care providers tend to have underfunded technology and security programs. The Capterra survey found 82% of respondents run connected medical devices on outdated Windows systems; 68% don’t update devices in a timely manner and 57% do not always change default usernames and passwords on newly received devices. These types of practices are going to directly lead to the types of ransomware attacks and data breaches we’ve come to see as commonplace within the broader landscape of industry.
Capterra provides a number of security practices that all health care providers using medical devices should consider:
- Change default credentials and ensure all operating systems are updated with the latest patches.
- Maintain an up-to-date, complete and accurate inventory of all connected medical devices and associated software or firmware, including information such as vendor, operating system, model number and dates of service.
- Conduct routine vulnerability assessments and scans before installing or reconnecting medical devices to your IT network.
- Use IoT management software to monitor and protect applicable connected medical devices.
- Deploy network segmentation strategies by creating virtual local area networks (VLANs) to separate different types of devices and data flows to reduce overall risk.
- Focus on developing strong network access policies and adopt zero-trust strategies when available.
The full Capterra report can be found here.