23% of connected healthcare devices vulnerable to attack

By Dylan Bushell-Embling
Wednesday, 13 March, 2024

Nearly one in four (23%) medical devices used in healthcare settings and connected to healthcare organisation networks are vulnerable to attack by hackers, according to a new report from IoT security company Claroty.

The report found that despite the healthcare sector being the most targeted industry in Australia for cyber attacks, hospitals have not taken the required steps to address known vulnerabilities.

An analysis of the networks of healthcare organisations such as hospitals and clinics found 63% of all known exploited vulnerabilities tracked by the US Cybersecurity and Infrastructure Security Agency present on those networks, the report states. It found that 23% of medical devices, including imaging devices, clinical IoT devices and surgery devices, have at least one such vulnerability.

In addition, 22% of hospitals have connected devices that bridge guest networks such as those for patients and visitors with internal networks, creating a dangerous attack vector. Perhaps most concerningly, 4% of surgical devices communicate on guest networks.

The report also found that 14% of connected medical devices are running on unsupported or end-of-life operating systems. Of these, 32% are imaging devices and 7% are surgical devices.

Finally, the research found that a high proportion of medical devices with a high consequence of failure, including defibrillators, robotic surgery systems and defibrillator gateways, are remotely accessible. This also includes 66% of imaging devices, 54% of surgical devices and 40% of patient devices.

Claroty VP of Research Amir Preminger said the findings show that the connectivity revolution in healthcare settings has been a double-edged scalpel.

“Connectivity has spurred big changes in hospital networks, creating dramatic improvements in patient care with doctors able to remotely diagnose, prescribe and treat with a never-before-seen efficiency,” he said. “However, the increase in connectivity requires proper network architecture and an understanding of the exposure to attackers that it introduces. Healthcare organisations and their security partners must develop policies and strategies that stress the need for resilient medical devices and systems that can withstand intrusions. This includes secure remote access, prioritising risk management and implementing segmentation.”

The report, State of CPS Security Report: Healthcare 2023, can be found here.
