More Than 50% of All Healthcare IoT Devices Have an Identified, Unpatched Critical Vulnerability

The latest research by Cynerio, a healthcare IoT security platform provider, has shown that 53% of connected medical devices and other healthcare IoT devices have at the least one unresolved critical vulnerability that can probably be taken advantage of to acquire access to systems and sensitive records or impact the availability of the devices. The researchers likewise identified one-third of bedside healthcare IoT devices have a minimum of one unpatched critical vulnerability that may impact service availability, data privacy, or put patient safety at risk.

The researchers assessed the connected device footprints at over 300 hospitals to determine threats and vulnerabilities existing in their Internet of Medical Things (IoMT) and IoT devices. The most often utilized healthcare IoT device is IV pumps, which constitute approximately 38% of a hospital’s IoT footprint. These devices were known to be the most susceptible to attack, as 73% got a vulnerability that can jeopardize patient safety, service accessibility, or cause information theft. 50% of VOIP systems included vulnerabilities, with patient monitors, ultrasound devices, and medication dispensers the next most unsecured device types.

The lately reported Urgent11 and Ripple20 IoT vulnerabilities are obviously a reason for concern; nevertheless, there are far more prevalent and quickly exploitable vulnerabilities in IoT and IoMT devices. The Urgent11 and Ripple20 vulnerabilities have an effect on close to 10% of medical IoT and IoMT devices, although the most well-known risk was weak credentials. Standard passwords can simply be located in online device guides and weak passwords are prone to brute force attacks. 1/5 or 21% of IoT and IoMT devices were identified to have default or inadequate credentials.

Most pharmacology, oncology, and laboratory units and substantial numbers of the gadgets employed in neurology, radiology, and surgery sections were using obsolete Windows versions (older than Windows 10) which are likely vulnerable.

Unaddressed software programs and firmware vulnerabilities are usual in bedside gadgets, with the most usual being wrong input validation, inappropriate authentication, and the ongoing usage of devices for which a device recall alert was given. With no visibility into the devices connected to the network and detailed stock of all IoT and IoMT devices, determining and responding to vulnerabilities before attackers exploit them will be a serious challenge and it is going to be inescapable that certain devices will continue to be vulnerable.

A lot of medical instruments are utilized in critical care settings, where very minimal downtime happens. Over 80% of healthcare IoT devices are employed every month or more often, which provides security teams a short time to identify and deal with vulnerabilities and separate the network. An IT solution ready that could provide visibility into interconnected medical devices and give key details on the security of those equipment will allow security teams to determine vulnerable devices and schedule updates.

Frequently, it’s not possible to use patches. In many cases, medical IoT devices are in continual use and they are usually utilized beyond the end-of-support time. In these instances, the best security choice is virtual patching, where steps are undertaken to avert the exploitation of vulnerabilities like quarantining devices and sectioning the system.

Sectioning the network is one of the most critical steps to take on to strengthen healthcare IoT and IoMT security. When segmentation is done that takes into account healthcare workflows and patient care situations, Cybnerio claims 92% of critical risks in IoT and IoMT devices may be successfully mitigated.

Nearly all medical IoT and IoMT cybersecurity initiatives are targeted on developing a complete inventory of all IoT and IoMT devices and getting data concerning those devices to determine probable risks. Hospitals and health networks don’t require more information – they need to have innovative solutions that minimize risks and enable them to combat cyberattacks, and as medical device security specialists, it’s time for all of us to step up.