Cynerio Research Finds Critical Medical Device Risks in NHS Trusts
London, March 9, 2023 - Six years after WannaCry ransomware attacks disabled over 70,000 devices in NHS Trusts, the United Kingdom is again facing a challenge in securing its medical technology. Traditionally conservative approaches to adopting connected devices are being challenged by rapid onboarding to meet the needs of healthcare facilities.
In its 2023 State of NHS Trust IoT Device Security Report, Cynerio found that cyber threats to NHS Trusts stemming from Internet of Things (IoT) devices are likely to grow in the near future. Data shows that 46% of medical devices analyzed had at least one known risk, with 11.7% of devices having at least one critical risk. Among the devices most impacted by critical risks are those closest to patients, including devices focused on managing radiation doses, treating cardiovascular diseases and imaging patients. Further, with additional devices planned for onboarding in the near future, risks are likely to rise quickly as deployments of those medical devices become increasingly connected.
Additional report findings include:
- The Average NHS Trust Currently has Over 2,500 Connected Devices: From telephones and printers to critical patient systems including infusion pumps and patient monitors, there are typically thousands of devices - many of which are not properly patched, secured or blocked from unnecessary network communications.
- Many Devices are Unexpected with Surprising Origins: CT machines and lab equipment are expected devices within the walls of any healthcare facility. Unfortunately, numerous other devices find their way into these environments. Consumer electronics from manufacturers like Amazon (Alexa, Kindle, Tablets), Sony (Smart TVs, PlayStations) and even Tesla are routinely found communicating on NHS Trust networks.
- Common Risks with Known Fixes are Widespread: Attacks ranging from DNS poisoning to ransomware often stem from vulnerabilities that have known fixes which simply have not been applied. Hundreds of devices still carry vulnerabilities such as DNSpooq, EternalDarkness and Ripple20, leaving them exposed to common attacks like ransomware despite fixes being available.
- Most NHS Trusts Have a Brief Moment of Opportunity: The rates of device risk identified in this study are currently below those in the original study. In fact, the rate of critical risk (11.7%) is nearly five times lower than that found worldwide (53.0%), while the share of devices benefitting from network-level security practices like segmentation (36.7%) is nearly three times lower than the worldwide figure (92.0%). Anecdotal evidence suggests this is due to conservative adoption of connected devices, and that risk rises rapidly as more devices are brought online.
“The WannaCry attacks of 2017 were a wake-up call for not just the UK, but the entire world,” said Chad Holmes, Cynerio’s Security Evangelist. “Fortunately for many patients in the UK, the immediate lessons learned resulted in a more conservative approach to connecting medical devices to the internet. Unfortunately, the lower number of risks faced due to this conservative approach is often underappreciated as projects onboard more devices.”
Holmes further warns hospitals worldwide: “The United States and Ireland are perfect examples of what happens when devices are connected without fully considering the risks present. In 2021, Ireland’s Health Service Executive experienced widespread outages for five months across 40 hospitals with a total estimated recovery cost of over half a billion euros. The numbers are equally staggering in the US, where hundreds of successful ransomware attacks on healthcare occur annually with estimated recovery costs often measured in tens of millions of dollars.”
For additional data and analysis, download a full version of the 2023 State of NHS Trust IoT Device Security Report and join Cynerio and its partner ITHealth for a webinar on March 29th for a deep dive into the report’s key findings and their implications for healthcare IoT security in the UK going forward.
Cynerio is the one-stop-shop Healthcare IoT security platform. With solutions that cater to healthcare’s every IT need—from Enterprise IoT to OT and IoMT—we promote cross-organizational alignment and give hospitals the control, foresight, and adaptability they require to stay cybersecure in a constantly evolving threatscape. We give you the power to stay compliant and proactively manage every connection on your own terms with powerful asset management, threat detection, and mitigation tools so you can focus on healthcare’s top priority: delivering quality patient care. For more information, visit us at http://www.cynerio.com/uk