Cybercriminals using medical devices to hack hospitals

Cybercriminals are taking advantage of all the connected medical devices within hospitals, and security for them is lacking, according to a report from Cynerio and the Ponemon Institute.

Security experts have been warning health care companies for years that these devices are vulnerable to hacking because their security features are often outdated or inadequate, if they have security at all.

More than half of the respondents said senior management did not require assurances that medical or internet-connected device risks were properly monitored or managed.

In the report, 56% of respondents said internet-enabled device attacks resulted in longer patient length-of-stays, while 48% of respondents said they resulted in theft of patient data. In contrast, only 3.4% of hospital IT budgets are spent on device security.

Part of the problem is with the explosion in the number of these devices, they are often overlooked. The report found that 67% of organizations don’t even keep an inventory of them, and there is no clear ownership in many organizations about who is responsible for protecting them.

The report showed that 49% don’t measure the effectiveness of device security procedures, compared to 46% who take proper security steps. Of those organizations who reported a breach in the past two years, 88% said at least one connected device was a contributing factor to the breach.

Unfortunately, the only thing that may change these lackadaisical approaches for some hospitals is for a serious event to occur where hackers breach the hospital through a device that results in a loss of revenue or damage to relationships with clinicians or business partners, according to the report.