Increased connected medical device use has been great for physician and patient convenience but not so great for keeping patient data safe, according to a recent Capterra Medical IoT Survey. The survey, which was conducted in October 2022 with 151 U.S. respondents, revealed that 67 percent of healthcare cyberattacks impacted patient data and almost half of them (48 percent) impacted patient care. The fact that so many of these attacks are doing damage is a sign that increased security risks in the medical industry are resulting in severe consequences for patient outcomes and privacy.
Medical internet of things (IoT) has helped make healthcare more efficient, convenient and patient-friendly, so eliminating it would not be the best solution for fighting off these cyberattacks. It is imperative that a remedy is found, however, as many connected IoT sensors have security vulnerabilities that could endanger healthcare facilities and patients. These vulnerable devices include glucose monitors, insulin pumps and defibrillators.
“As a healthcare organization connects more medical devices to its network, its attack surface expands,” Zach Capers, senior security analyst at Capterra, said in the report. “Connected medical devices often go unmonitored for security vulnerabilities, and because they run on a wide array of software and hardware platforms, it is difficult to monitor with a single tool. This means that many connected medical devices are left wide open to cyberattacks.”
Inaction is a factor
Part of the issue is that while more than half (53 percent) of healthcare IT staff rated the industry’s cybersecurity threat level as “high” or “extreme,” a lot of healthcare organizations are not taking the necessary action to protect their medical IoT devices. Almost 60 percent of organizations do not change the default username and password of their new connected medical devices when they are put into use, according to the survey. Additionally, more than 80 percent run their connected medical devices on old Windows systems.
When a security vulnerability is detected, medical organizations should patch the device or perform a firmware update as soon as possible. Today 68 percent of healthcare organizations do not always update connected devices when a patch is available. Also, the vulnerabilities and associated patches are not always well publicized, so healthcare IT staff is tasked with staying up to date on any emerging threats to medical IoT devices.
Best protection for IoT devices
Maintaining medical IoT security requires being consistently proactive and vigilant. Additionally, healthcare practices would be best served to conduct routine vulnerability assessments before connecting medical devices to their IT network. Keeping a current and accurate inventory of all connected devices, associated software and firmware would also limit vulnerabilities. Organizations should use software to monitor these devices, according to Capterra’s report.
Additional strategies include creating virtual local area networks (VLANs) to separate different devices and data flows. This keeps an organization’s network out of “one basket” and minimizes overall risk.