Endpoint Security , Healthcare , Industry Specific

Most Common Connected Devices That Pose Risk to Hospitals

Study: Unpatched Nurse Call Systems, Printers and IP Cameras Top the List
Most Common Connected Devices That Pose Risk to Hospitals
Nurse call systems, infusion pumps - and also non-medical connected gear - pose security risk to hospitals, says study. (Image: Getty Images)

A study of connected medical devices suggests nurse call systems may be among the riskiest devices in smart hospitals.

See Also: Frost Radar™ on Healthcare IoT Security in the United States

Security vendor Armis said it analyzed findings from its asset tracking platform, which manages 3 billion assets used in healthcare devices.

After looking for the devices with the greatest number of unpatched critical vulnerabilities, Armis identified nurse call stations as the worst offender, saying that 39% of them go without critical updates.

Infusion pumps came next, with 27% showing unpatched vulnerabilities with severity ratings of critical. The firm also found that about one-third of medication dispensing systems run on unsupported Windows operating systems.

Smart hospitals globally are expected to deploy over 7 million internet of medical things devices by 2026 - or more than 3,850 devices per smart hospital, according to a study conducted last year by research firm Juniper Research.

Many IoT device makers and users have lagged in updating these products to patch vulnerabilities, said Scott Singer, managing director of the University of Minnesota's Center for Medical Device Cybersecurity.

"I have come across many companies that have flat networks and don’t segregate these susceptible IoT devices," Singer said.

Jason Sinchak, who leads medical device cybersecurity research at security firm Level Nine Group, said that the type of automated/scanning analysis used in Armis' study does not appear to rate the vulnerabilities based on manual attempts to exploit and confirm the issue, or to factor in patient safety impact.

For that type of patient impact risk analysis, he suggested the Food and Drug Administration and MITRE's Rubric for Applying CVSS to Medical Devices.

"This generally changes the score in many ways," he said. "A common theme is that healthcare delivery organizations must take this information but then factor in patient safety before taking action."

The security of connected devices that play a role in healthcare is often overlooked, Sinchak said. The FDA has made it clear it expects manufacturers to make cybersecurity a higher priority, but connected devices haven't garnered the same sense of urgency (see: Exclusive: FDA Leader on Impact of New Medical Device Law).

"These are the unseen 'silent cyber' OT devices, such as HVAC, door access, refrigerators, power systems, etc. A cyber issue related to remote monitoring and control of those devices can take patient care offline," he said.

"These devices are often forgotten due to their complexity and involvement in ICS/SCADA controls that are hard to understand and never touched until there is an issue."

Sinchak said his firm has been assessing traditional OT devices, such as boiler systems used to heat buildings that are networked by the vendor without knowledge to the IT security teams in healthcare delivery organizations.

"What impact does the loss of a boiler have on a healthcare delivery organization? Significant, but almost never analyzed," he said.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.