Most Common Connected Devices That Pose Risk to Hospitals – Source: www.databreachtoday.com

Endpoint Security
,
Healthcare
,
Industry Specific

Study: Unpatched Nurse Call Systems, Printers and IP Cameras Top the List

Marianne Kolbasuk McGee (HealthInfoSec) •
April 24, 2023    

A study of connected medical devices suggests nurse call systems may be among the riskiest devices in smart hospitals.

See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources

Security vendor Armis said it analyzed findings from its asset tracking platform, which manages 3 billion assets used in healthcare devices.

After looking for the devices with the greatest number of unpatched critical vulnerabilities, Armis identified nurse call stations as the worst offender, saying that 39% of them go without critical updates.

Infusion pumps came next, with 27% showing unpatched vulnerabilities with severity ratings of critical. The firm also found that about one-third of medication dispensing systems run on unsupported Windows operating systems.

Smart hospitals globally are expected to deploy over 7 million internet of medical things devices by 2026 – or more than 3,850 devices per smart hospital, according to a study conducted last year by research firm Juniper Research.

Many IoT device makers and users have lagged in updating these products to patch vulnerabilities, said Scott Singer, managing director of the University of Minnesota’s Center for Medical Device Cybersecurity.

“I have come across many companies that have flat networks and don’t segregate these susceptible IoT devices,” Singer said.

Jason Sinchak, who leads medical device cybersecurity research at security firm Level Nine Group, said that the type of automated/scanning analysis used in Armis’ study does not appear to rate the vulnerabilities based on manual attempts to exploit and confirm the issue, or to factor in patient safety impact.

For that type of patient impact risk analysis, he suggested the Food and Drug Administration and MITRE’s Rubric for Applying CVSS to Medical Devices.

“This generally changes the score in many ways,” he said. “A common theme is that healthcare delivery organizations must take this information but then factor in patient safety before taking action.”

The security of connected devices that play a role in healthcare is often overlooked, Sinchak said. The FDA has made it clear it expects manufacturers to make cybersecurity a higher priority, but connected devices haven’t garnered the same sense of urgency (see: Exclusive: FDA Leader on Impact of New Medical Device Law).

“These are the unseen ‘silent cyber’ OT devices, such as HVAC, door access, refrigerators, power systems, etc. A cyber issue related to remote monitoring and control of those devices can take patient care offline,” he said.

“These devices are often forgotten due to their complexity and involvement in ICS/SCADA controls that are hard to understand and never touched until there is an issue.”

Sinchak said his firm has been assessing traditional OT devices, such as boiler systems used to heat buildings that are networked by the vendor without knowledge to the IT security teams in healthcare delivery organizations.

“What impact does the loss of a boiler have on a healthcare delivery organization? Significant, but almost never analyzed,” he said.