
Healthcare Systems Dangerously Mixing Data Access

A surprising number of hospitals appear to be neglecting cyber and physical security (CPS) upgrades necessary to protect patient privacy as well as the internet-connected medical equipment that runs on their networks. Failure to make these updates and ensure their vendors are doing the same could compromise patient care and put hospitals at risk of ransomware attacks and loss of the Health Insurance Portability and Accountability Act (HIPAA) certification.

“Healthcare delivery organizations (HDOs) are at a pivotal point where cybersecurity can no longer be a reactive exercise. It must be a core business and strategic consideration for HDOs and manufacturers alike,” wrote the authors of the State of CPS Security Report: Healthcare 2023. A team of researchers from cybersecurity firm Claroty in New York City compiled the 36-page report from an open-source review of practices by major healthcare institutions and hundreds of medical device manufacturers in the United States. 

Alarmingly, 22% of hospitals were found to be commingling public-facing guest networks used by visitors and patients for Wi-Fi access with the internal networks on which much of their life-sustaining medical equipment operates. “Of all the enclaves on a hospital network, clearly the guest network is the least secured and most exposed place for such critical devices to be connected,” write the authors.

Nearly 80% of hospital information systems containing patients’ private health, insurance, and billing data are remotely accessible. As many as 40% of patient devices, 54% of surgical devices, and 66% of imaging devices are remotely accessible as well, with many running on public-facing or guest networks.

Complicating matters are the hundreds of security patch updates issued each year for medical devices, some of which are running on unsupported, obsolete, or legacy software. An estimated 14% of medical devices and 7% of surgical devices are believed to be running on unsupported or end-of-life software, including some with high rates of failure that could endanger patient safety.

“These devices include robotic surgery systems, defibrillators and gateways, ventilators, and systems central to anesthesia administration and monitoring,” the authors wrote.

The potential risks to patient safety, damage to a hospital’s reputation, and exposure to extortion are significant. According to the authors, ransomware attacks against hospitals increased 50% from 2021 to 2022. Of these, 61% culminated in ransoms being paid, with an average payment of nearly $200,000.

The authors offer several recommendations to address these challenges, starting with a proper inventory of all connected medical devices and systems and their isolation from public-facing networks. Priority should be given to life-sustaining and surgical devices with a high consequence of failure and those most likely to be targeted by attackers. 

Remote access should further be made contingent on proper provisioning of credentials and multifactor authentication. Finally, the authors called on U.S. Food and Drug Administration (FDA) officials to upgrade cybersecurity requirements for new medical device approvals and require manufacturers to address post-market vulnerabilities in these devices.
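The recommendations above (inventory every connected device, flag anything sitting on a guest or public-facing segment, prioritize life-sustaining and surgical devices, and require MFA for remote access) can be turned into a simple triage pass over an asset inventory. The script below is an added example written for this page; it is not code from the Claroty report or from the article. The device records, the segment names treated as public-facing, and the consequence-of-failure weights are all constructed assumptions for illustration.

```python
"""Triage a connected-medical-device inventory against the report's recommendations.

Added example, not from the Claroty report or the article. Inventory rows,
segment names, and scoring weights below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Network segments treated as public-facing or guest (assumed naming convention).
PUBLIC_SEGMENTS = {"guest", "public"}

# Consequence-of-failure weight per device class: life-sustaining and surgical
# devices are fixed first, as the report recommends. Values are assumptions.
CONSEQUENCE_WEIGHT = {
    "life-sustaining": 3,
    "surgical": 3,
    "imaging": 2,
    "patient": 2,
    "information-system": 1,
}


@dataclass(frozen=True)
class Device:
    name: str
    category: str        # one of the CONSEQUENCE_WEIGHT keys
    segment: str         # network segment the device is connected to
    remote_access: bool  # reachable from outside the hospital network
    mfa: bool            # remote access protected by multifactor authentication
    supported: bool      # running vendor-supported (not end-of-life) software


@dataclass(frozen=True)
class Finding:
    name: str
    score: int           # higher means fix sooner
    issues: tuple        # human-readable red flags that apply


# Constructed sample inventory (not real hospital data).
SAMPLE_INVENTORY = [
    Device("Ventilator", "life-sustaining", "guest", True, False, True),
    Device("Surgical robot", "surgical", "clinical-vlan", True, True, False),
    Device("CT scanner", "imaging", "guest", False, False, True),
    Device("Infusion pump", "patient", "clinical-vlan", False, False, True),
    Device("EHR server", "information-system", "dmz", True, False, True),
]


def assess(device: Device) -> Optional[Finding]:
    """Apply the three red flags from the report; return None if the device is clean."""
    issues = []
    points = CONSEQUENCE_WEIGHT.get(device.category, 1)
    if device.segment in PUBLIC_SEGMENTS:
        # Guest-network exposure is the most serious finding, so it counts double.
        issues.append("connected to a public-facing or guest network")
        points += 2
    if device.remote_access and not device.mfa:
        issues.append("remote access without MFA")
        points += 1
    if not device.supported:
        issues.append("unsupported or end-of-life software")
        points += 1
    if not issues:
        return None
    return Finding(device.name, points, tuple(issues))


def triage(inventory) -> list:
    """Return findings ordered by remediation priority (stable sort keeps inventory order on ties)."""
    findings = [f for f in map(assess, inventory) if f is not None]
    return sorted(findings, key=lambda f: -f.score)


def guest_network_share(inventory) -> float:
    """Fraction of inventoried devices connected to a guest or public-facing segment."""
    if not inventory:
        return 0.0
    exposed = sum(1 for d in inventory if d.segment in PUBLIC_SEGMENTS)
    return exposed / len(inventory)


if __name__ == "__main__":
    print(f"Devices on guest/public segments: {guest_network_share(SAMPLE_INVENTORY):.0%}")
    for finding in triage(SAMPLE_INVENTORY):
        print(f"[{finding.score}] {finding.name}: {'; '.join(finding.issues)}")
```

Running it prints the share of devices on guest segments and then a worklist with the ventilator on the guest network first, ahead of the end-of-life surgical robot, the guest-connected CT scanner, and the EHR server whose remote access lacks MFA; the clean infusion pump does not appear. In a real deployment the inventory would come from an asset-discovery tool rather than a hard-coded list, but the ranking logic is the part worth agreeing on with clinical engineering before the data arrives.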