Hospitals around the world could be running up to 80,000 exposed devices at any given moment. According to a report by Trend Micro, this will put hospital operations, data privacy and patient health at extreme risk.
In the security giants latest report, Securing Connected Hospitals, claimed medical devices, databases, digital imaging systems, protocols, industrial controllers and systems software have increased the average providers attack surface significantly.
This means they are now in risk of DDoS, ransomware attack and data theft. By using the DREAD threat assessment model, the report found that the biggest risk is DDoS and is then followed by ransomware. Ransomware has had a global impact on hospitals, with NHS trusts being one, which were attacked on a large scale by the WannaCry attack back in 2017.
Many Factors to Consider
Senior threat researchers and report authors Numaan Hug and Mayra Rosario Fuentes both believe that hospital cybersecurity may be lacking due to several reasons:
“It may be valuable to examine why hospitals would have poor cybersecurity. Some of the possible reasons put forward include the following:
- “The primary purpose of a healthcare facility is patient care and that is where the bulk of resources are invested, leaving only barebones budget available for cybersecurity spending.
- “Hospital computers and diagnostic equipment have many users, e.g., doctors, nurses, and technicians, who rotate regularly within the hospital. This makes incorporating strict cybersecurity policies and authentication procedures very difficult, especially if those policies impede daily operations.
- “Diagnostic equipment is extremely expensive and hospitals cannot afford to have their medical devices offline for prolonged periods for maintenance. In some cases, modifying medical device settings or updating their embedded OS will void the device’s certification, warranty, and insurance coverage, so medical devices remain untouched.
- “Expensive diagnostic equipment is not replaced regularly (or for decades) as long as they are functioning correctly. These devices and systems may no longer have support or would be costly to replace. Why replace something if it is not broken?
- “Diagnostic equipment manufacturers are responsible for ensuring their equipment meet the HITRUST CSF® guidelines for medical devices. Given the CSF is regularly updated, older medical devices that are still being used in hospitals may not meet the requirements.
- “Not all hospitals have a dedicated cybersecurity response team. In most hospitals, the IT staff does double duty: They investigate and mitigate cyberattack incidents, as well as provide general IT services to the hospital. This setup has the critical drawback of spreading resources thin for both functions.”
The risk of supply chains
The report also claimed that hospital supply chains are progressively exposing them to potential cyber-risk, with 30% of breaches reported publicly to the US Department of Health and Human Services (HHS) back in 2016 due to breaches of business associates as well as third party vendors.
“Supply chain threats are potential risks associated with suppliers of goods and services to healthcare organizations where a perpetrator can exfiltrate confidential or sensitive information, introduce an unwanted function or design, disrupt daily operations, manipulate data, install malicious software, introduce counterfeit devices, and affect business continuity,” explained Huq and Fuentes.
“Third-party vendors have credentials that include log-ins, passwords, and badge access which can be compromised. These vendors can also store physical records, medical devices, and office equipment. Hospitals need to be supplied by a robust supply chain to ensure uninterrupted service to patients, and thus protecting the hospital supply chain against cyber-attacks becomes a critical necessity.”
Keeping your business safe is imperative, regardless of industry. Our cybersecurity events, such as ECS, are here to connect your business to the right security vendor and to understand more about keeping your company safe in an ever changing world of digital. Get in touch to stay up to date on our upcoming events.