
Healthcare Under Attack – Cyber Defense Magazine


The healthcare sector is currently facing a multitude of challenges, including economic uncertainty, staff shortages, COVID-related backlogs, and limited public funding. Unfortunately, cyberattacks have further exacerbated the crisis, posing threats to both financial stability and patient care. In fact, cyberattacks targeting healthcare organizations increased by 45% last year, while the average cost of a breach rose by over 40% since 2020. With predictions pointing to healthcare as a prime target for cybercriminals by 2023, the stakes have never been higher.

The expansion of the digital landscape, particularly the Internet of Medical Things (IoMT), has left healthcare networks vulnerable to attacks. Devices such as remote monitoring systems and digital insulin pumps can unknowingly serve as entry points for attackers. Even more concerning, breaches in interconnected medical systems can lead to widespread disruption, affecting vital services and patient care. Recent ransomware attacks on Medstar Washington Hospital and André-Mignot teaching hospital in Paris have underscored this alarming reality. As Dr. Christian Dameff, Medical Director of Cybersecurity at UC San Diego Health, aptly puts it, “we are at a point where bits and bytes are meeting flesh and blood.” It is now more crucial than ever for security teams to secure the digital landscape of healthcare, safeguarding both the industry and the patients it serves.

One of the major reasons for the increased vulnerabilities in healthcare systems is the use of outdated operating systems and devices that are no longer supported by vendors with essential security updates. For example, many NHS GPs in the UK still rely on a decade-old version of Windows OS, leaving them exposed to unpatched vulnerabilities that can be exploited by malicious actors. Furthermore, numerous healthcare institutions continue to depend on legacy medical devices that cannot support the latest software updates or security features. These vulnerabilities are compounded by the fact that IoMT devices often lack proactive security measures. Weak default passwords, lack of encryption, and the absence of two-factor authentication are just a few examples of how IoMT devices are failing. These shortcomings open the door for attackers to access healthcare networks, compromise patient data, and hinder physicians’ abilities to provide care.

Moreover, the regulatory landscape is deficient in its focus on cybersecurity. While the MHRA is responsible for conducting conformity assessments of medical devices, their primary concern is operational feasibility rather than cybersecurity exposure. As a result, manufacturers may not be testing devices for vulnerabilities according to current standards. However, there is a growing awareness of security issues in the Extended Internet of Things (XIoT). Recent research has shown a 6% increase in vulnerabilities affecting XIoT devices from 2021 to 2022. Additionally, over 150 IoMT vulnerabilities have been disclosed in the past two years, indicating that medical networks are increasingly becoming a target for vulnerability assessment practices. Notably, vendor self-disclosures of XIoT vulnerabilities have surpassed those of third-party security companies’ research teams and independent researchers for the first time. This trend suggests that vendors are becoming more vigilant with their security assessment efforts, investing more effectively in cyber-physical systems security, and improving their product-security programs overall. Sustaining this level of vigilance will enable security teams to address and patch healthcare vulnerabilities before threat actors can exploit them.

However, despite the increasing rate of disclosures, vulnerable devices still abound within healthcare organizations. Managing and securing these devices poses significant challenges due to their physicality. Healthcare organizations often struggle to keep track of their IoT assets, especially in the case of sensors that are distributed across multiple sites. Additionally, many connected devices have design flaws that make them more susceptible to vulnerabilities and challenging to manage. For example, a device may have a complex user interface, increasing the likelihood of misconfiguration and poor security. In other cases, a device may require physical access for patches and maintenance, posing problems when managing a large number of units. Even organizations making a concerted effort to secure their XIoT estate can easily overlook a few devices. A single vulnerability is often all it takes for a breach to occur.

To mitigate these vulnerabilities, there needs to be a proactive approach to security in healthcare. Governmental bodies, including those in the UK and EU, are working on legislation to regulate XIoT security more closely, advocating for secure designs and faster action in addressing vulnerabilities. XIoT device vendors, particularly in high-risk areas like healthcare, must prioritize security. Developers and manufacturers are responsible for ensuring their products can be easily managed and supplied with regular updates. Healthcare organizations should also ensure they only acquire products and systems that meet regulatory security principles. Additionally, organizations implementing XIoT devices must exercise due diligence by thoroughly evaluating products and ensuring they address security basics such as vulnerability patching. For existing XIoT implementations, complete visibility of every device connected to the network is crucial. Automated asset discovery tools can assist in identifying connections and simplifying this task. Once all devices are identified, establishing a regular cadence for applying security updates is essential. Healthcare organizations should also consider implementing network hygiene measures such as network segmentation, which has proven to be highly effective in addressing critical vulnerabilities.
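As an added illustration (not part of the original article), the sketch below reconciles a discovery scan against a managed inventory and flags the gaps discussed above: unmanaged devices, unsupported products, default passwords, missed patch cadence and devices outside their dedicated segment. The data, field names, VLAN numbers and the 90-day cadence are all constructed assumptions.

```python
from datetime import date

# Constructed sample data (not from the article): discovery-scan results
# and the organization's managed-device inventory, keyed by MAC address.
DISCOVERED = [
    {"mac": "00:00:5e:00:53:01", "ip": "10.20.1.15", "vlan": 20},
    {"mac": "00:00:5e:00:53:02", "ip": "10.20.1.16", "vlan": 20},
    {"mac": "00:00:5e:00:53:03", "ip": "10.10.4.80", "vlan": 10},
    {"mac": "00:00:5e:00:53:04", "ip": "10.10.4.81", "vlan": 10},
]
INVENTORY = {
    "00:00:5e:00:53:01": {"kind": "infusion pump", "vendor_supported": True,
                          "default_password": False, "last_patched": date(2024, 5, 1)},
    "00:00:5e:00:53:02": {"kind": "patient monitor", "vendor_supported": False,
                          "default_password": True, "last_patched": date(2022, 1, 10)},
    "00:00:5e:00:53:03": {"kind": "insulin pump gateway", "vendor_supported": True,
                          "default_password": False, "last_patched": date(2024, 4, 20)},
}

def audit(discovered, inventory, today, device_vlans=frozenset({20}), max_patch_age_days=90):
    """Return {mac: [findings]} for every discovered device with at least one issue."""
    report = {}
    for host in discovered:
        findings = []
        record = inventory.get(host["mac"])
        if record is None:
            # Visibility gap: on the network but nobody is managing it.
            findings.append("unmanaged")
        else:
            if not record["vendor_supported"]:
                findings.append("unsupported")
            if record["default_password"]:
                findings.append("default_password")
            if (today - record["last_patched"]).days > max_patch_age_days:
                findings.append("patch_overdue")
            if host["vlan"] not in device_vlans:
                # Medical device sitting outside its dedicated segment.
                findings.append("unsegmented")
        if findings:
            report[host["mac"]] = findings
    return report

if __name__ == "__main__":
    for mac, findings in audit(DISCOVERED, INVENTORY, today=date(2024, 6, 1)).items():
        print(mac, ", ".join(findings))
```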

Given the ruthlessness of cybercriminals who are willing to endanger lives for financial gain, the security of healthcare’s XIoT estate must be a top priority. Connected devices often serve as an easy pathway for attacks and can cause major disruption. As the industry continues to develop, there should be a greater emphasis on security from XIoT device vendors, particularly in high-risk sectors like healthcare. Until then, organizations must remain vigilant and proactive in their efforts to secure their systems and protect the patients who rely on them. With the implementation of stringent security practices and collaboration among stakeholders, healthcare can navigate the critical threat of cloud and IoMT vulnerabilities successfully.
