More than half of the internet-connected medical devices in hospitals have known vulnerabilities that can put patients’ data and health at risk, a new report shows. The researchers said security threats within healthcare environments remain under-addressed, despite large investments, and much more is needed to ensure that hospitals systems are safe from hacking attacks. 

Health organizations are an attractive target for hackers because of their medical and billing information from patients, which can then be sold for insurance fraud or even be used to extort money from the hospital. Hackers can get a big profit, with medical records sold at the black market valued at 50 times more than stolen credit cards.

A hospital’s database can be breached in several ways. The easiest option is social hacking — obtaining credentials from one of the individuals with legitimate access to the network. The second option, much more challenging, involves using brute force to gain access to the network of a health center in an unauthorized way.

A study from 2019 identified over 1,400 hospital-related breaches between 2009 and 2019, affecting 170 million people. The researchers classified the leaked data into three categories: medical information, including diagnoses and treatment, demographic, such as names and addresses, and financial, such as payment info. 

“Healthcare is a top target for cyber-attacks, and even with continued investments in cybersecurity, critical vulnerabilities remain in many of the medical devices hospitals rely on for patient care,” Daniel Brodie, co-founder of Cynerio, said in a statement. “Hospitals and health systems don’t need more data – they need advanced solutions.”

Vulnerable devices

The healthcare cybersecurity company Cynerio went through data from 10 million devices at 300 healthcare facilities and hospitals. The report showed that 53% of all connected medical devices have at least one vulnerability. Additionally, a third of the bedside devices, which patients rely on for their health, have a known critical risk.

Infusion pumps are the most common type of device connected to the internet in hospitals, accounting for 12% of all devices, researchers found. Pumps are also the device most likely to have vulnerabilities that can be exploited by hackers. This creates a big risk, as someone could hack the system and change the dosage of a medication, for instance.

Most hospital devices are used at least once a month. While this is great for hospitals in terms of getting a good return on the investment, it has consequences for the security of the devices, the report found. If they are frequently used, it means that it can be difficult for hospitals to find the time to update the security of the devices. 

“Without robust healthcare security in place, hospitals are sitting on a ticking time bomb,” the report reads. “A ransomware attack may be able to take down the majority of their IoT (internet of things) infrastructure and the hospital won’t have any visibility into how to proactively prevent the attack or shut it down once it’s launched.” 

Where do hospitals go from here, then? Cynerio’s report said most of the vulnerabilities in devices can be fixed with relative ease, especially because many vulnerabilities are linked to default passwords and settings that hackers can get easily from manuals posted online. It’s a good place to start, but there’s still a long way to go.

The full report can be accessed here.