Connected medical devices are the Achilles’ heel of healthcare orgs

The rising adoption of connected medical devices is accelerating cyberattacks, according to Capterra’s Medical IoT Survey of healthcare IT professionals. The survey also reveals that 67% of healthcare cyberattacks impact patient data and 48% impact patient care, an indication that rising security risks in the industry are leading to severe consequences in patient outcomes and privacy.

The medical internet of things (IoT) is helping to make healthcare more convenient, efficient, and patient-centric. However, connected devices with IoT sensors (e.g., glucose monitors, insulin pumps, defibrillators) often have unprotected security vulnerabilities that endanger healthcare facilities, and even patients. In fact, medical practices with more than 70% of their devices connected are 24% more likely to experience a cyberattack than practices with 50% or fewer connected devices.

“As a healthcare organization connects more medical devices to its network, its attack surface expands,” says Zach Capers, senior security analyst at Capterra. “Connected medical devices often go unmonitored for security vulnerabilities, and because they run on a wide array of software and hardware platforms, it’s difficult to monitor with a single tool. This means that many connected medical devices are left wide open to cyberattacks.”

53% of healthcare IT staff rate the cybersecurity threat level in the industry as high or extreme, yet many healthcare organizations are not taking the necessary steps to protect medical IoT devices. Alarmingly, 57% do not always change the default username and password for each new connected medical device that is put into use. Additionally, 82% run connected medical devices on old Windows systems.

If a security vulnerability is discovered, organizations should patch the device or update its firmware as soon as possible. Unfortunately, 68% of healthcare organizations don’t always update connected devices when a patch is available. However, vulnerabilities and associated patches aren’t always well publicized, which means healthcare IT staff must stay up-to-date on emerging threats to medical IoT devices.

Medical IoT security requires proactive and ongoing vigilance. Healthcare practices should conduct routine vulnerability assessments before connecting medical devices to their IT network. They should also keep an up-to-date and accurate inventory of all connected devices plus associated software and firmware, and use software to monitor these devices.