How Healthcare Organizations Can Combat the Latest Cybersecurity Threat: Medical Devices Connected to the IoT

The healthcare industry is no stranger to cybersecurity threats. It incurred 41% of cyberattacks and data breaches in 2018, the most of any industry (financial services took a distant second place with 20% of cyber incidents). Healthcare also topped the list in ransomware attacks, with 34% of attacks in 2018. And within this already beleaguered landscape, a new type of threat is rapidly emerging. Medical devices connected to the Internet of Things (IoT) present a new frontier in cybersecurity challenges for the healthcare industry.

Medical devices range from hospital infrastructure like infusion pumps and CT scanners to patient tracking and identification systems to devices inside actual patients, like pacemakers and defibrillators. When connected as part of the “Internet of Medical Things,” or “IoMT,” these devices offer tremendous opportunity to improve patient care by providing healthcare providers with the data they need to identify and treat issues and ensure that patients follow their doctor’s orders. Although healthcare lagged behind other industries in leveraging the IoT, it’s quickly catching up: Allied Market Research predicts that the IoT healthcare market will reach $136.8 billion worldwide by 2021, with 3.7 million connected medical devices already in use today.

An evolving landscape: challenges with healthcare IoT

Here’s the rub: 39% of healthcare IoT devices still operate on legacy platforms, while the majority of healthcare information technology, in general, relies on outdated operating systems like Windows. This discrepancy between cutting-edge connectivity and traditional backend technology not only presents challenges for IT teams, but it opens up a broad - and weakly supported - attack surface for cybercriminals.

Legacy operating systems aren’t the only problem. The software that runs on those systems frequently falls behind as well. Healthcare organizations struggle to keep pace with their rapidly expanding systems and the required cybersecurity vigilance. The industry knows that it must embrace technology to power digital transformation, but, according to recent research, “limited resources and IT staffing gaps hinder the ability of organizations to transition into more secure platforms.”

Hackers, unfortunately, are well aware of these challenges. 2017’s WannaCry cyberattack targeted the UK’s National Health Service by exploiting a vulnerability in Microsoft Windows. The attack infected both computers and diagnostic equipment and caused the NHS to cancel thousands of appointments and operations. While the organization stressed that “no harm was caused to patients and there were no incidents of patient data being compromised or stolen,” the attack clearly demonstrated the potential impact of a ransomware attack on a healthcare organization.

A cyber group called Orangeworm also went after the healthcare industry with a broad-scale malware attack in 2018. Orangeworm hit organizations across the healthcare supply chain, such as healthcare providers, pharmaceutical firms, healthcare information technology providers, and healthcare equipment manufacturers.

Targets also included medical device manufacturers. “Symantec found the Kwampirs malware on machines that had software installed for the use and control of medical imaging machines, such as x-rays and MRIs, and machines used to assist patients in completing procedure consent forms,” Health IT Security reported. “This method has likely proven effective within the healthcare industry, which may run legacy systems on older platforms.”

Cybersecurity considerations with connected medical devices

Which brings us back to medical devices. Cyberattacks specific to medical devices remain rare, but because many devices use common operating systems, they are often affected by indiscriminate attacks tied, again, to aging architectures.

Experts also predict that medical devices will become more attractive to bad actors as levels of connectivity increase. Pacemakers already show vulnerabilities to attack - and it doesn’t stop there. GlobalData medical device analyst David Brown, speaking with Verdict Medical Devices earlier this year, shared that teams have already discovered potential vulnerabilities in defibrillators that would enable an attacker to access devices, deplete battery stores, or issue improper cardiac pacing commands. Brown also revealed that an Israeli research group found that CT scanners with outdated software were vulnerable to attack, including allowing radiation to be adjusted to harmful levels.

These ramifications, which would be directly harmful to human lives, are what make medical device cybersecurity such a critical area of study. While hackers so far continue to show preference for large-scale, corporate-level attacks, it is frighteningly easy to imagine how ransomware could be used at the personal level. When attackers target medical devices, they aren’t just taking data hostage, but using medical technology to ransom people’s lives.

How healthcare organizations and manufacturers can combat medical device cybercrime

What can be done to combat medical device cyberattacks? First, manufacturers must play a role in securing their devices. This includes ensuring that security is “baked in” from inception and backed by the latest cybersecurity research from the healthcare industry and beyond. Medical device manufacturers must also stay vigilant on current vulnerabilities and release patches as quickly as possible to protect against them. The FDA’s risk-based medical device regulation provides guidance on how best to approach these imperatives.

For healthcare organizations, combating cyberattacks often comes back to a familiar adage: “an ounce of prevention is worth a pound of cure.” Prevention in this case depends on good cyber hygiene.

Staff members and clinicians should be fully trained to use technology in a secure way; even small steps like stronger passwords can make a significant difference. In-house experts can be added to the healthcare information technology team, such as medical technologists or medical device security engineers who combine biomedical, IT, and security training to lead the department in the fight against cybercrime.

Maintaining full visibility into medical devices and their ecosystems also plays a critical role in healthcare cybersecurity. Comprehensive monitoring and analysis both create a baseline of what’s “normal” and signal anomalies. By knowing what you have, you can take proactive steps to mitigate and minimize risk, like network segmentation and removing devices from the network.
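
The baseline-and-compare approach described above, as an added example (not Automox code): it learns each inventoried device's normal peers and ports from a baseline window, then flags flows from devices missing from the inventory and flows that known devices have not made before. The IP addresses, device names and flow records are constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory: device IP -> description (hypothetical values).
INVENTORY = {
    "10.20.0.11": "infusion pump",
    "10.20.0.12": "CT scanner console",
}

# Constructed flow records: (source IP, destination IP, destination port).
BASELINE_FLOWS = [
    ("10.20.0.11", "10.20.1.5", 443),   # pump -> drug library server
    ("10.20.0.12", "10.20.1.9", 104),   # CT console -> PACS (DICOM)
    ("10.20.0.12", "10.20.1.9", 104),
]
OBSERVED_FLOWS = [
    ("10.20.0.11", "10.20.1.5", 443),   # matches baseline
    ("10.20.0.12", "10.20.0.11", 445),  # CT console -> pump over SMB: new
    ("10.20.0.99", "10.20.1.9", 104),   # source not in the inventory
]


def build_baseline(flows):
    """Map each source device to the set of (peer, port) pairs seen as normal."""
    baseline = defaultdict(set)
    for src, dst, port in flows:
        baseline[src].add((dst, port))
    return baseline


def find_anomalies(inventory, baseline, observed):
    """Return sorted, de-duplicated findings as (kind, src, dst, port) tuples."""
    findings = set()
    for src, dst, port in observed:
        if src not in inventory:
            findings.add(("unknown_device", src, dst, port))
        elif (dst, port) not in baseline.get(src, set()):
            findings.add(("new_flow", src, dst, port))
    return sorted(findings)


if __name__ == "__main__":
    for kind, src, dst, port in find_anomalies(
            INVENTORY, build_baseline(BASELINE_FLOWS), OBSERVED_FLOWS):
        label = INVENTORY.get(src, "not in inventory")
        print(f"{kind}: {src} ({label}) -> {dst}:{port}")
```

Findings of either kind are candidates for the segmentation review or removal from the network that the paragraph mentions.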

Finally, healthcare organizations must institute a modern patch management strategy. This is a critical component of strong cyber hygiene. Remember the WannaCry attack? Microsoft released a patch addressing the vulnerability two months before the incident. While the scale of healthcare systems can make patch management challenging, and the legacy operating systems further complicate technology maintenance, it remains an integral element of protection against today’s sophisticated cyberattacks.

