Visibility Is Not Enough: Key Takeaways from Cynerio’s 2022 State of Healthcare IoT Device Security Report
Hospitals employ a wide variety of solutions and tools to gain insight into their IT infrastructure in attempts to identify and stop common cyberattacks. However, one increasingly popular vector remains beyond the reach of most IT security solutions – the mushrooming array of connected medical, enterprise IoT, and industrial OT devices that are common at all levels of patient care. There are already an estimated 10 billion IoT devices in today’s hospitals, a number that is expected to quintuple in the next decade. A recent Ponemon Institute study found that the root cause of a healthcare data breach or ransomware attack was as likely to be an insecure medical or IoT device as a phishing attack. However, while hospitals usually have an anti-phishing solution in place, IoT protection often falls between the cracks of the typical IT security stack, leaving the door open to future attacks.
On that note, today marks the release of Cynerio’s “State of Healthcare IoT Device Security Report,” put together by Cynerio’s in-house research team and based on their analysis of over 10 million connected devices collected from current Cynerio implementations at over 300 hospitals and other healthcare facilities in the US and around the world. The report delivers hard numbers about the kinds of connected devices hospitals tend to have, the critical risks those devices contain, and how to best protect healthcare IoT as threats and attacks continue to evolve.
Healthcare IoT Security by the Numbers
With hospitals under an unprecedented amount of strain from both the pandemic and the explosion of ransomware attacks on healthcare facilities, the report’s data was unequivocal that digital safety and patient safety are intimately intertwined, and that protecting the devices providing the care patients depend on is ultimately about safeguarding their health.
Some of the key takeaways about healthcare IoT device risks and remediation from the report include the following:
● 53% of connected medical and other IoT devices in hospitals have a known critical vulnerability, including a third of the bedside devices that patients most depend on for optimal health outcomes.
● IV pumps make up 38% of a hospital’s typical healthcare IoT footprint, and almost three quarters of those IV pumps have a vulnerability that could jeopardize patient safety, data confidentiality, or service availability if exploited.
● Most of the healthcare IoT devices used by oncology, pharmacology and lab departments run on Windows operating systems that have reached end of life, leaving the patients connected to those unpatchable devices vulnerable to attack. A plurality of the devices used by radiology, neurology and surgery departments are also running outdated versions of Windows.
● Almost half of medical devices run on Linux, and the top 10 device manufacturers account for 64% of all devices. But once you get past the heavy hitters, operating systems and manufacturers in healthcare IoT are like the Wild West. No other operating system makes up even 10% of the remaining device volume, and almost 300 other manufacturers produce the remaining third of devices not made by the top ten companies, making one-size-fits-all security approaches almost impossible.
● While vulnerabilities like Urgent11 and Ripple20 have dominated healthcare IoT security headlines in recent years, their frequency of detection on actual devices paled in comparison to much more common, if boring, vulnerabilities like unchanged default passwords and settings, which are also much easier for attackers to exploit.
● Effective network segmentation of healthcare IoT addresses over 90% of the critical risks presented by connected devices in hospitals, but requires deep expertise and knowledge of specific medical environments to avoid security actions that interfere with clinical workflows and patient safety.
Time for Healthcare IoT Cybersecurity to Step It Up
Even with all the ongoing investment hospitals are making in good faith towards their cybersecurity, our data shows that critical risks remain active in many of the medical devices that hospitals rely on for providing patient care, and ransomware attacks have more than doubled year-over-year as the pandemic has continued. Clearly something is amiss when it comes to what is being offered by most of the healthcare IoT cybersecurity space, since threats are only getting more numerous and causing more damage. Collecting a detailed inventory of devices and their potential risks is no longer enough – attackers are taking advantage of every vulnerability they can find on hospital networks and leveraging them to steal patient data and shut down critical devices until a ransom is paid. Hospitals don’t need more bean counting – they need actionable tools, both reactive and preemptive, to immediately address live threats and critical risks so that they can act decisively when attacked.
Download the full “Cynerio 2022 State of Healthcare IoT Device Security Report” here and join us for our upcoming webinar on January 27th, where Cynerio CTO Daniel Brodie will do a deep dive on the report’s conclusions and explore their wider implications for the future of healthcare IoT cybersecurity.