From MediTechSafe's engagements with Health Systems
Healthcare organizations are increasingly connecting medical devices (Internet of Things devices) to Electronic Health/Medical Records (EHR/EMR) systems to improve employee productivity and patient care. The FBI, however, warned that these devices are being targeted by cybercriminals.
There are three potential scenarios:
Attackers exploit vulnerabilities of the medical devices to hack into hospitals’ enterprise networks.
Medical devices become candidates for infection if they have vulnerabilities matching malware’s target profile even if they weren’t targeted.
Medical devices are targeted for cyber terrorism, ransomware, or simply to gain access to Protected Health Information (PHI) on the devices.
In any scenario, malfunctioning of compromised medical devices could lead to patient safety risk or operational downtime concerns. Compromised medical devices pose patient data security risk as well.
Following discoveries were made concerning medical device cybersecurity from MediTechSafe’s various customer engagements:
Integrated Delivery Network (IDN) / Healthcare System
A reputed Health System in a metropolitan area had good coverage via its main campus and a network of multiple urgent care centers, an ambulatory surgery center, and primary care offices. They also had partnerships via which they managed departments in other health systems as well as an off-campus emergency care center.
It was discovered that 40% of network connectable medical devices across all sites were hackable. There were more hackable connected devices at the partner sites than the main campus, exposing risk to the overall Health System. Even urgent care centers and primary care offices had hackable devices. Overall, 54% of connectable medical devices at the off-campus sites were hackable. Partnered sites sometimes lack focus in absence of strong governance; they could, however, expose considerable amount of risk in connected healthcare.
This particular cardiac catheterization lab in a 150-bed hospital performed more than 1,000 procedures per year. Typical procedures included cardiac catheterization, pacemaker insertion, stress echocardiogram, etc. It was discovered that 72% of all connectable medical devices used in this cath lab were hackable.
In a different engagement, 71% of all connectable medical devices in a cardiac cath lab of a 600-bed hospital were discovered to be vulnerable.
Hospital Operating Room
This operating room in a 200-bed rural hospital performed various surgeries such as orthopedic, gynecologic, urologic, vascular, bariatric, etc. About 44% of connectable medical devices used in this operating room were hackable.
In a different engagement, 54% of connectable medical devices in an operating room of a large metro-based 600-bed hospital were discovered to be hackable.
Pediatric Emergency Department
This emergency department (ED) in a highly regarded children’s hospital has more than 90,000 patient visits annually. The MediTechSafe team discovered that 68% of the connectable devices in this ED were hackable.
Pediatric Surgery in Children's Hospital
This reputed children’s hospital performs many pediatric surgeries such as neonatal, interventional pain procedures, burn, chest wall disorder procedures, etc. They handle close to 36,000 surgery cases every year. It turned out that 43% of the network connectable devices used in the surgery rooms in this hospital were hackable.
Ambulatory Surgery Center
This freestanding ambulatory surgery center performs more than 1,000 orthopedic procedures annually including knee, shoulder, wrist arthroscopy, food and toe surgery, etc. While number of connectable medical devices was fewer than many other hospitals, the risk of an attack remained just as high as any hospital. It was discovered that 21% of the connectable medical devices were hackable.
As seen in the case of the IDN, the off-campus ambulatory surgery center that performed broad set of surgeries had more connectable medical devices and 40% of them were vulnerable.
Imaging Department / Center
These two imaging departments/centers in two different hospitals performed a total of 173,000 procedures annually ranging from CT scan, MRI scan, mammography, x- ray, ultrasounds, etc. One of the departments had 12% of all connectable medical devices hackable and the other one had 41%.
Physician's Office (Primary Care)
These seven physician’s offices (PCP) in a small city provided a variety of primary care services. They have a little over 15,000 patient visits annually. Some of the connectable medical devices in these physician’s offices include analyzers, vital monitor, ultrasound, etc. On average 17% of these devices were hackable; the range was from 14% to 33%. across the seven offices.
The types of devices PCPs have vary based on their specialties. As seen in the case of the metro area IDN, some of the PCP offices had up to 22% of connectable devices vulnerable whereas others had no hackable devices at the time. However, new vulnerabilities get discovered on regular basis which could concern the ones that had devices with no vulnerabilities at the time.
About 70% of medical decisions are based on lab results. This hospital-based lab performs close to 600,000 tests annually with a comprehensive testing menu. It was discovered that 14% of connectable medical devices in this lab were hackable.
A similar result was found in a 600-bed hospital, with about 24% of connectable devices being vulnerable.