The medical Internet of Things (IoT) is helping to improve efficiency and make healthcare more patient-centric; however, as hospitals increase the number of networked medical devices, the attack surface increases, giving malicious actors more opportunities to conduct attacks. Connected devices with IoT sensors such as insulin pumps, defibrillators, and glucose monitors often have vulnerabilities that can be exploited. Part of the problem is that medical devices are developed to perform important functions, but security is an afterthought. The devices are often highly vulnerable to cyberattacks and can be difficult to secure. If a malicious actor exploits those vulnerabilities, they will be able to gain a foothold in the network, access sensitive patient data, and potentially make changes to the devices and endanger patients.
Capterra recently conducted a survey of 150 healthcare respondents in the United States to explore the current state of medical IoT security and determine whether medical practices with a high percentage of their medical devices connected to the Internet were experiencing more cyberattacks. 75% of surveyed healthcare practices said they have experienced a cyberattack and 41% said they have experienced multiple attacks. The survey confirmed that these attacks usually negatively affect patients. The survey also found 67% of healthcare cyberattacks involved patient data and violated patient privacy and almost half (48%) had an impact on patient care. Only 10% of cyberattacks had no impact on patient care or patient data.
The survey found that medical practices that had a higher percentage of networked or Internet-connected medical devices were experiencing more cyberattacks than medical practices with a low percentage of connected medical devices. 83% of medical practices that had 70% or more of their medical devices connected to the Internet had experienced one or more cyberattacks, compared to 74% that had 51%-70% of their devices connected, and 67% that had 50% or fewer of their devices connected to the Internet.
Medical practices that had more than 70% of their medical devices connected to the network were 24% more likely to experience a cyberattack than practices that had just 50% or fewer connected devices and were 52% more likely to experience multiple cyberattacks. 40% of surveyed medical practices said they had between 51% and 70% of their medical devices connected to the Internet and 34% had more than 70% of their devices connected to the Internet. Only 26% of medical practices said 50% or fewer of their medical devices were connected to the Internet.
53% of surveyed healthcare IT staff said they believe the current cybersecurity threat level is high or extremely high, but despite the threat of cyberattacks, many healthcare organizations are failing to secure their connected medical devices. 57% of healthcare IT staff said they do not change the default username and password on their devices, even though the default usernames and passwords can easily be found online. 82% of healthcare organizations run their medical devices on outdated Windows systems, and 68% of healthcare IT staff said they do not always update the firmware on the devices when patches are made available.
“As a healthcare organization connects more medical devices to its network, its attack surface expands,” says Zach Capers, senior security analyst at Capterra. “Connected medical devices often go unmonitored for security vulnerabilities, and because they run on a wide array of software and hardware platforms, it’s difficult to monitor with a single tool. This means that many connected medical devices are left wide open to cyberattacks.”
Healthcare organizations need to be proactive and improve medical device security, which means conducting routine vulnerability assessments before connecting any medical devices to the network, maintaining an accurate inventory of all medical devices and the software and firmware associated with those devices, and monitoring for firmware updates and patches and ensuring that they are applied promptly when they are released.
The post Medical Practices with a High Percentage of Connected Medical Devices Experience More Cyberattacks appeared first on HIPAA Journal.