Over Half of All Healthcare IoT Devices Have a Known, Unpatched Critical Vulnerability

A current study by Cynerio, a healthcare IoT security platform provider, has uncovered that 53% of connected medical devices and other healthcare IoT devices have no less than one unaddressed critical vulnerability that can possibly be exploited to obtain access to networks and sensitive information or impact the availability of the devices. The researchers additionally discovered 1/3 of bedside healthcare IoT devices have at the least one unpatched critical vulnerability that may have an effect on service availability, data confidentiality, or place patient safety in danger.

The researchers examined the connected device footprints at about 300 hospitals to identify dangers and vulnerabilities present in their Internet of Medical Things (IoMT) and IoT devices. The most frequently utilized healthcare IoT device is IV pumps, which make up about 38% of a hospital’s IoT footprint. These devices were known to be the most susceptible to attack, as 73% got a vulnerability that may endanger patient safety, service accessibility, or bring about data theft. 50% of VOIP systems comprised vulnerabilities, with patient monitors, ultrasound devices, and drugs dispensers the next most susceptible device classes.

The recently announced Urgent11 and Ripple20 IoT vulnerabilities are normally a cause for concern; nonetheless, there are a lot more prevalent and easily exploitable vulnerabilities in IoT and IoMT devices. The Urgent11 and Ripple20 vulnerabilities have an effect on about 10% of healthcare IoT and IoMT devices, nevertheless, the most well-known risk was weak credentials. Normal passwords can quickly be found in online device manuals and weak passwords are prone to brute force attacks. One-fifth or 21% of IoT and IoMT devices were identified to have default or poor credentials.

Almost all pharmacology, oncology, and laboratory gadgets and big numbers of the gadgets employed in neurology, surgery, and radiology departments were operating on out-of-date Windows versions (older than Windows 10) which are possibly vulnerable.

Unaddressed software and firmware vulnerabilities are prevalent in bedside gadgets, with the most well-known being incorrect input validation, poor authentication, and the continuing use of devices for which a device recall notice was issued. Without visibility into the devices linked to the network and a thorough inventory of all IoT and IoMT devices, identifying and dealing with vulnerabilities before hackers exploit them will be a big challenge and it is going to be unavoidable that some devices will stay vulnerable.

Numerous medical gadgets are utilized in critical care settings, where very little downtime occurs. About 80% of medical IoT devices are employed month-to-month or more regularly, which gives security teams a short time to determine and address vulnerabilities and segment the network. An IT solution set up that could provide visibility into linked medical devices and give key information on the security of that equipment will enable security teams to identify vulnerable devices and prepare for updates.

Often, it isn’t possible to apply patches. Quite often, healthcare IoT devices are in continuous use and they are often used past the end-of-support date. In such cases, the best security option is virtual patching, where steps are done to avoid the exploitation of vulnerabilities such as quarantining devices and segmenting the system.

Segmenting the network is one of the most crucial steps to undertake to enhance medical IoT and IoMT security. When segmentation is carried out that considers medical workflows and patient care contexts, Cybnerio states 92% of critical risks in IoT and IoMT devices could be efficiently mitigated.

The majority of healthcare IoT and IoMT cybersecurity work are targeted at making a detailed inventory of all IoT and IoMT devices and collecting information regarding those devices to see possible risks. Hospitals and health systems don’t require more data – they need to have sophisticated solutions that offset risks and empower them to fight cyberattacks, and as medical device security experts, it’s time for all of us to step up.

About Christine Garcia 1299 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA