53% of Connected Medical Devices Contain Critical Vulnerabilities

Cynerio also found that 73 percent of IV pumps have a vulnerability that could jeopardize patient safety and privacy if exploited.

By Jill McKeon

More than half of connected medical devices and other IoT devices contain critical vulnerabilities, a new report by Cynerio discovered. If exploited, these vulnerabilities could be detrimental to patient safety and privacy.

In its analysis of IoT and IoMT (Internet of Medical Things) devices at more than 300 hospitals, Cynerio also found that 73 percent of IV pumps have a vulnerability that could jeopardize patient safety. IV pumps make up 38 percent of a hospital’s IoT footprint, making them one of the riskiest connected devices at any healthcare organization.

“It is healthcare that has led among all industries in how much their data breaches end up costing for over a decade now. Thanks to the volume of sensitive [protected health information] they contain that is useful for perpetrating identity fraud, medical records can fetch up to 50 times the amount that stolen credit cards get on the black market,” the report stated.

“Unfortunately, hospitals often lack visibility into the critical risks and attacks targeting the mushrooming array of connected medical, enterprise IoT, and industrial OT devices that are becoming increasingly common at all levels of patient care, with disastrous consequences.”

Medical device security remains a weak spot for healthcare organizations, especially since medical devices are notoriously difficult to patch. In addition, many hospitals have trouble maintaining an inventory of all the connected medical devices on their networks.

A lack of visibility, an ever-changing threat landscape, and out-of-date devices create a perfect storm for cyberattacks.

The report found that almost 80 percent of healthcare IoT devices get used monthly or even more frequently. This gives security teams very little downtime to properly patch them and conduct risk analyses.

IV pumps and patient monitoring devices topped Cynerio’s list of top connected medical devices in hospitals. In terms of non-medical IoT devices, VOIP phones and printers topped the list.

The most common IoT and IoMT device vulnerabilities stem from organizations maintaining default passwords and settings, Cynerio discovered. Cybercriminals may be able to easily obtain default passwords and settings from manuals posted online, allowing them easy network access.

“In contrast, vulnerabilities such as Urgent11 and Ripple20 were great for raising IoMT security awareness, but only affected about 10 percent of devices with attack vectors that are difficult for attackers to leverage successfully,” the report noted.

Researchers also found that most pharmacology, oncology, and laboratory devices were running versions of Windows older than Windows 10.

“This leaves patients connected to those devices vulnerable, since those older versions of Windows are already past end of life and replacing the machines they run on will still take several years in most cases,” the report continued.

Medical device security issues are difficult to contain due to the number of devices and the fact that they are constantly in use at most hospitals. However, adopting basic cyber hygiene practices such as regularly changing passwords and educating employees can help mitigate risk.

“When it comes to medical devices specifically, long device lifecycles tend to mean that devices will outlast the period when a manufacturer even offers updates to prevent newly discovered vulnerabilities from potential exploitation,” the report advised.

“That makes mitigation the best available option when remediation is unviable. Mitigating a risk through ‘virtual patching’ is often the best possible security alternative so that vulnerabilities and risks a manufacturer will no longer patch themselves can still be protected against.”

Organizations should also have plans in place to protect their networks should a medical device be exploited. Quarantining devices and implementing network segmentation may not prevent attacks entirely, but they will reduce the scope of the attacks and mitigate further damage.