HIMSS23: Internet of things creates new ways to hack into medical computer networks

Cybersecurity firm analyzes what devices are most vulnerable.

medical computer © Suriyo - stock.adobe.com

Physicians, watch out – your clinician colleagues may have work stations open to hacking attacks.

Nurse call systems are the riskiest devices open to malicious computer activity in hospitals and clinical environments, according to a study by cybersecurity consultant Armis. Cameras, printers, and voice over internet protocol (VoIP) devices also rank among internet-of-things (IoT) devices vulnerable to attack.

“These numbers are a strong indicator of the challenges faced by healthcare organizations globally,” Mohammad Waqas, principal solutions architect for healthcare, said in a statement. The company released its findings in conjunction with its presentation at HIMSS23 in Chicago.

“Advances in technology are essential to improve the speed and quality of care delivery as the industry is challenged with a shortage of care providers, but with increasingly connected care comes a bigger attack surface,” Waqas said. “Protecting every type of connected device, medical, IoT, even the building management systems, with full visibility and continuous contextualized monitoring is a key element to ensuring patient safety.”

Connecting devices to supply patient data to electronic medical records will help improve patient care, but more devices could create more security vulnerabilities. By 2026, smart hospitals are expected to engage more than 7 million devices on the internet of medical things, according to Armis.

Tracking vulnerabilities

Armis examined data from connected devices and found:

  • 39% of nurse call systems have critical severity unpatched common vulnerabilities and exposures (CVEs), and 48% have unpatched CVEs.
  • 27% of infusion pumps have critical severity CVEs, and 30% have unpatched CVEs.
  • 4% of medication dispensing systems have critical severity CVEs, but 86% have other unpatched CVEs and 32% run on unsupported versions of Windows.
  • 19% of connected medical devices run on unsupported operating systems.

For other devices used in medical environments, cameras fare worst, with 56% having critical severity CVEs and 59% having unpatched CVEs. Printers rank second with 37% having unpatched CVEs and 30% with CVEs of critical severity. Among VoIP devices, 53% have unpatched CVEs, but only 2% of those are of critical severity, according to Armis.

The data come from more than 3 billion connected medical and IoT devices in Armis’ Asset Intelligence and Security Platform. The California-based company provides cyber asset management, risk management, and automated enforcement for Fortune 100 companies around the world.

© 2023 MJH Life Sciences

All rights reserved.