Cynerio Research Finds Critical Medical Device Risks Continue to Threaten Hospital Security and Patient Safety

Following surge in cyber attacks on the healthcare sector, new report finds over half of medical devices contain critical vulnerabilities despite increased investments in security
Willa Hahn
Jan 19, 2022
Press Releases

NEW YORK, NY, January 19, 2022 – After a year of unprecedented ransomware attacks on hospitals and healthcare systems – and with healthcare now the #1 target for cybercriminals – critical medical device risks in hospital environments continue to leave hospitals and their patients vulnerable to cyber attacks and data security issues. 

In its 2022 State of Healthcare IoT Device Security Report, Cynerio found that security threats related to IoT and related devices within healthcare environments have remained sorely under-addressed, despite increased investments in healthcare cybersecurity. Data shows that 53% of connected medical devices and other IoT devices in hospitals have a known critical vulnerability. Additionally, a third of bedside healthcare IoT devices – which patients most depend on for optimal health outcomes – have an identified critical risk. If exploited, these vulnerabilities could impact service availability, data confidentiality, or patient safety – with potentially life-threatening consequences for patient care.

Additional report findings include:

  • IV Pumps Are the Most Common Healthcare IoT Device and Possess a Lion’s Share of Risk: IV pumps make up 38% of a hospital’s typical healthcare IoT footprint and 73% of those have a vulnerability that could jeopardize patient safety, data confidentiality, or service availability if it were to be exploited by an adversary. 
  • Healthcare IoT Running Outdated Windows Versions Dominate Devices in Critical Care Sectors: Devices running versions older than Windows 10 account for the majority of pharmacology, oncology, and laboratory devices, and make up a plurality of devices used by radiology, neurology, and surgery departments, leaving patients connected to these devices vulnerable.
  • Default Passwords Remain a Common Risk: The most common IoMT and IoT device risks are connected to default passwords and settings that attackers can often obtain easily from manuals posted online, with 21% of devices secured by weak or default credentials.
  • Network Segmentation Can Reduce Critical IoMT and IoT Risk: Network segmentation can address over 90 percent of the critical risks presented by connected medical devices in hospitals and is the most effective way to mitigate most risks presented by connected devices.  

“Healthcare is a top target for cyber attacks, and even with continued investments in cybersecurity, critical vulnerabilities remain in many of the medical devices hospitals rely on for patient care,” said Daniel Brodie, CTO and co-founder, Cynerio. “Visibility and risk identification are no longer enough. Hospitals and health systems don’t need more data – they need advanced solutions that mitigate risks and empower them to fight back against cyber attacks, and as medical device security providers it's time for all of us to step up. With the first ransomware-related fatalities reported last year, it could mean life or death.” 

For additional data and analysis, download a full version of the State of Healthcare IoT Device Security Report and join Cynerio for a webinar on January 27th for a deep dive into the report’s key findings and implications for healthcare IoT security going forward. 

Report Methodology

Cynerio collects detailed information about a hospital’s connected device footprint through a patented connector that is typically placed on the core switch’s SPAN port. This allows Cynerio to passively monitor the network traffic of connected devices immediately without putting confidential data at risk. Using our research team’s deep healthcare expertise, Cynerio can parse hundreds of proprietary device protocols to analyze device metadata, classify devices, and compile information about their risks and vulnerabilities. Analysis is performed through a combination of meticulous investigation by the Cynerio research team and artificial intelligence. Cynerio does not analyze or collect any electronic personal health information as part of this process. The data in this report is based on our analysis of over 10 million IoT and IoMT devices collected from current Cynerio implementations at over 300 hospitals and other healthcare facilities in the US and around the world. All data is completely anonymized.

About Cynerio 

Cynerio is the one-stop-shop Healthcare IoT security platform. With solutions that cater to healthcare’s every IT need – from Enterprise IoT to OT and IoMT – we promote cross-organizational alignment and give hospitals the control, foresight, and adaptability they require to stay cyber-secure in a constantly evolving threatscape. We empower healthcare organizations to stay compliant and proactively manage every connection on their own terms with real-time IoT attack detection and response and rapid risk reduction tools, so that they can focus on healthcare’s top priority: delivering quality patient care. For more information visit, or follow Cynerio on Facebook, Twitter, and LinkedIn.

Media Contact

Willa Hahn
ARPR, on behalf of Cynerio
