A U.S. Navy nurse explains to fellow staff members how to properly monitor and use an infusion pump Aug. 25, 2020, at NMRTC Naples, Italy. New research points to potential risks tied to IV pumps, though no specific brands were named. (Photo credit: "NMRTC Naples 2020 Semi-Annual Skills Fair 200825-N-ST386-300" by NavyMedicine is licensed under CC BY-NC-SA 2.0).

More than half of hospitals’ connected medical devices and IoT platforms operate with a known critical vulnerability, with the greatest risks found in IV pumps, according to a recent report from Cynerio.

Medical device security risks are well known in the healthcare sector. The complexity of the device ecosystem and reliance on legacy platforms have essentially forced security leaders to simply assess and accept a certain level of risk. 

The new Cynerio report shines a light on these key risks, which can support these leaders and system administrators in determining how to calculate that risk and what devices to prioritize in terms of patient safety risk.

To compile the report, Cynerio researchers analyzed more than 10 million IoT and IoMT devices from current Cynerio implementations at over 300 hospitals and healthcare facilities globally and in the U.S.

The report found one-third of bedside healthcare IoT devices have an identified critical list. It’s a serious patient safety risk, as they’re directly connected to patient care.

The riskiest device was deemed to be the ubiquitous IV pump, which makes up 38% of a typical hospital’s IoT footprint. Of those devices, 73% “have a vulnerability that would jeopardize patient safety, data confidentiality, or service availability if it were to be exploited by an adversary.” 

The second most vulnerable device was found to be the VOIP, with 50% of the healthcare environment’s IoT footprint. The list of most vulnerable healthcare devices also includes ultrasounds, patient monitors, medicine dispensers, gateways, IP cameras, PACS servers, computerized radiography systems, and DICOM.

The most common flaws in these devices are improper input validation (19%), improper authentication (11%), and device recall notice (11%).

What’s more, 79% of healthcare IoT devices are regularly used in the hospital environment, used monthly at the bare minimum or more frequently. With little downtime for the devices, it further adds to ongoing patch management and software update challenges, as well as risk analyses or segmentation efforts.

Cynerio also shed light on the most vulnerable devices, which is surprising, given multiple reports in the last year on the potential impact of ongoing vulnerabilities like Urgent11 and Ripple20. While those vulnerability reports are concerning, “the most common healthcare IoT risks are often much more mundane.”

“In many cases, a lack of basic cybersecurity hygiene is what is leaving healthcare IoT devices open to attack,” according to the report. The most frequent risks are tied to default passwords and device manuals and “settings that attackers can often obtain easily from manuals posted online.”

“Without IoT security in place, hospitals don’t have a simple way to check for these risks before attackers are able to take advantage of them,” it added. “Usually without healthcare IoT, security hospitals can still identify risky devices with lousy passwords, but shutting down services and changing passwords is going to be hugely difficult and complex.”

The researchers propose that the Urgent11 and Ripple 20 reports served to raise awareness on the importance of IoMT security, the flaws are only found in just 12 percent of devices and with attack vectors too difficult for hackers to successfully exploit.

Instead, the top 10 vulnerabilities and percentage of devices impacted include Cisco IP phones with 31% of a hospital’s footprint, weak HTTP credentials (21%), open HTTP port (20%), outdated SNMP version (10%), and shared HTTP credentials (10%).

Long lifecycles for platforms and devices

The report also found medical devices operating with Windows 10 or older, legacy platforms make up just a small fraction of the healthcare IoT infrastructure in a typical hospital environment. 

However, the legacy platforms are found in the majority of devices used by critical care sectors, including pharmacology (65%), oncology (53%), and laboratory (50%). Researchers also found a plurality of devices used by radiology (43%), neurology (31%), and surgery departments (25%). 

The high-level of use is concerning given the risks posed to the patient directly connected to the vulnerable devices, as “those older versions of Windows are already past the end of life and replacing the machines they run on will still take several years in most cases.”

Lastly, Linux is the most widely used operating system for medical devices, accounting for 46% of healthcare IoT devices, “followed by dozens of mostly proprietary operating systems with small chunks of the overall footprint.”

That means if an IT security program is designed to secure Windows machines, the mitigation measures are a poor fit for their IoT cybersecurity.

To shift the needle on IoT and medical device security, provider organizations must focus on network segmentation. Researchers note segmentation is most effective when it takes into account medical workflows and patient care contexts. Entities that follow this mantra can address 92% of critical connected device risks in hospitals.

To Cynerio, segmentation is “the most effective way to mitigate and remediate most risks that connected devices present.” As hospitals are “under an unprecedented amount of strain from both the pandemic and the explosion of ransomware attacks,” digital and patient safety are now fully entwined.

The report authors stressed device security is paramount to ensuring care continuity and safeguarding patient health.

The best-case scenario would see a risk fully remediated, through a vendor-provided patch or other means. But as noted, it’s not always possible for IoT devices that use “hundreds of different operating systems and are manufactured by a plethora of different vendors.”

And in healthcare, long device lifecycles are par for the course due to budget constraints and overall hospital policies, which means devices “outlast the period when a manufacturer even offers updates to prevent newly discovered vulnerabilities from potential exploitation.”

As stakeholders have consistently warned over the last year, a cyberattack on a patient-connected device, or a platform necessary to maintain care, “will impact patient safety, service availability or data confidentiality, either directly or as part of an attack's collateral damage.”