Through the Internet of Medical Things (IoMT), an array of medical devices have been connected to the Internet, allowing them to be operated, configured, and monitored remotely. These devices can transmit medical data across the Internet to clinicians allowing rapid action to be taken to adjust treatments and data collected from the devices can be automatically fed into electronic medical records. The use of IoMT devices is growing at an extraordinary rate, with the number of devices used by smart hospitals expected to double from 2021 levels to 7 million IoMT devices by 2026.

While Internet-connected medical devices offer important benefits, they also increase the attack surface considerably. Vulnerabilities in IoMT devices are constantly discovered that can potentially be exploited by malicious actors to gain access to the devices and the networks to which the devices connect. According to a 2022 report from the FBI, 53% of digital medical devices and other Internet-connected devices contain at least one unpatched critical vulnerability.

The asset visibility and security company Armis has recently conducted a comprehensive analysis of data collected from medical and IoT devices to identify the riskiest IoMT and IOT devices. The data came from more than 3 billion assets that are tracked through the Armis Asset Intelligence and Security Platform. The analysis revealed the riskiest connected medical devices were nurse call systems, 39% of which had unpatched critical vulnerabilities and 48% had other unpatched vulnerabilities. A critical vulnerability is a flaw that can be exploited in a direct or indirect attack by a malicious actor that will result in decisive or significant effects. If flaws in medical devices are exploited, hackers could gain access to the networks to which the devices connect, steal sensitive data, or alter the functionality of the devices themselves and put patient safety at risk.

Infusion pumps were the second riskiest connected medical device with 27% of analyzed devices having at least one unpatched critical flaw and 30% having other unpatched vulnerabilities, followed by medication dispensing systems with 4% containing unpatched critical flaws and an astonishing 86% having other unpatched vulnerabilities. Armis notes that 32% of the analyzed medication dispensing systems were running on unsupported Windows versions. Overall, across all connected medical devices, 19% were running on unsupported operating systems, as IoMT devices often have lifespans that exceed the lifespans of the operating systems on which they run.

IoT devices can also introduce considerable risks and provide hackers with an easy opportunity to gain a foothold in healthcare networks. Armis monitors IP cameras in clinical environments and found that 56% have unpatched critical vulnerabilities and 59% had other unpatched vulnerabilities, which makes IP cameras the riskiest IOT devices, followed by printers (37%/30%) and VoIP devices (53%/2%).

Advances in technology are essential to improve the speed and quality of care delivery as the industry is challenged with a shortage of care providers, but with increasingly connected care comes a bigger attack surface,” said Mohammad Waqas, Principal Solutions Architect for Healthcare at Armis. “Protecting every type of connected device, medical, IoT, even the building management systems, with full visibility and continuous contextualized monitoring is a key element to ensuring patient safety.”

The growing number of wireless, Internet- and network-connected devices and increasing cybersecurity threats targeting the healthcare sector prompted the U.S. Food and Drug Administration (FDA) to take action. Manufacturers of medical devices will soon be required to provide information about the cybersecurity of their devices in pre-market submissions as part of a drive to improve medical device cybersecurity. Those requirements include a software bill of materials to allow vulnerable components to be identified and patched, cybersecurity measures to secure the devices and sensitive data, and a plan to issue security updates for the lifespan of the devices.

The post Riskiest Connected Medical Devices Revealed appeared first on HIPAA Journal.