The Insecurity of Connected Devices in HealthCare 2022 report from Cynerio and The Ponemon Institute details some alarming trends for healthcare, including widespread and repeated attacks, financial losses measured in the millions, and frequent failures to take basic cybersecurity measures.

WHY IT MATTERS

The report surveyed experts in leadership positions at 517 healthcare systems throughout the United States and found that although healthcare internet of things/internet of medical things (IoT/IoMT) expand hospital attack surfaces, those devices are typically not protected. 

According to a joint statement from the researchers, 71% of survey respondents rated the security risks presented by IoT/IoMT devices as high or very high, while only 21% reported a mature stage of security to protect those devices. 

Of the 46% of those surveyed who performed well-known and accepted device security procedures, only 33% keep an inventory. 

Survey results also indicated that 47% of those hospitals and medical facilities experiencing an attack paid a ransom, with 32% of the ransoms ranging from $250,000 to $500,000. The report addresses a range of financial impacts, attack types and investments made in connected device and biometrics security.

THE LARGER TREND

From IV pumps to fetal monitors, ransomware and other cyberattacks can knock a hospital’s IT system offline, disrupting staff communications and compromising patient care with poor visibility into patient monitoring and health history. 

Several reports and federal analyses attempt to define the risks hospitals and their patients confront with rising cyberattacks that link to higher mortality rates. In one case before court in Mobile, Alabama, a mother alleges a 2019 ransomware attack on Springhill Medical Center compromised her planned cesarean section, resulting in the subsequent death of her infant some months later.

Threat actors continue to target hospital systems because they are perceived to have money and urgent settings that rely on information to make decisions with multiple access points, and hospital boards are motivated to fund cybersecurity measures. Implementing multilayered security approaches and redundancy is recommended to prevent disruption in hospital operations when an attack occurs. 

According to IT leaders previously interviewed about their cybersecurity investments, hospitals need tools to manage cyber environments, to detect and identify patch levels for all devices including biomedical devices, to report on information coming in and more surveillance. 

ON THE RECORD

"It’s clear that cyberattackers have increasingly focused their efforts on hospitals since 2020," said Chad Holmes, security evangelist at Cynerio. "What had been unclear was the frequency and resulting damage of their attacks."

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS publication.