Cyberattack threats rise amid medical device growth

As healthcare devices become ever more digitally connected and network capabilities expand with new technology, the threat of cyberattacks is rising.

That’s according to a recent survey on the medical internet of things (IoT) from Capterra, which underscored the risks to patient data and even patient care. The survey found that healthcare organizations with more connected devices––from glucose monitors, insulin pumps, defibrillators and much more––experience more cyberattacks. These devices may have unprotected security vulnerabilities that can be exploited by cyber criminals.

The findings come as the cost of cyberattacks has reached new heights. An IBM study from earlier this year found the average cost of a cyberattack is $10 million for a healthcare organization. Healthcare is among the most vulnerable industries for cyberattacks because of the vast amount of sensitive and personal information healthcare companies can hold. 

Medical practices with more than 70% of their devices connected are 24% more likely to experience  a cyberattack compared to practices with 50% or fewer connected devices, the survey found.

“As a healthcare organization connects more medical devices to its network, its attack surface expands,” Zach Capers, senior security analyst at Capterra, said in a statement. “Connected medical devices often go unmonitored for security vulnerabilities, and because they run on a wide array of software and hardware platforms, it’s difficult to monitor with a single tool. This means that many connected medical devices are left wide open to cyberattacks.”

Cyberattacks in the healthcare space can also have a devastating impact, halting providers in their tracks and impacting care. Almost half (48%) of healthcare cyberattacks impact patient care, according to the survey, and 67% impact patient data. Just 10% of attacks don’t impact either patient care or patient data. One recent example is the cyberattack of MercyOne Central Iowa, which was impacted by a cyberattack of its parent company, CommonSpirit Health, that took it offline for a period. 

The majority (75%) of medical practices have experienced a cyberattack and 41% have faced multiple attacks. 

A big vulnerability from medical IoT devices stems from not changing default passwords. Just 43% of practices said they always change the default passwords on connected devices, while 32% said they update them when a patch is available. Despite the higher risks, healthcare staff aren’t always up to date on the best practices to protect practices from an attack, such as changing passwords. 

“Rising risks to the healthcare sector, including sharp increases in ransomware, software supply chain attacks, and medical device vulnerabilities, mean healthcare IT staff are battling on multiple cybersecurity fronts,” the survey stated. “When asked their view on the healthcare sector’s current cybersecurity threat level, more than half of healthcare IT staff describe it as high or extreme.”

Another issue is outdated systems used by medical practices, as 82% of respondents said they run connected medical devices on outdated Microsoft systems. Updated systems may help healthcare organizations monitor the security of their connected medical devices.

Amy Baxter

Amy joined TriMed Media as a Senior Writer for HealthExec after covering home care for three years. When not writing about all things healthcare, she fulfills her lifelong dream of becoming a pirate by sailing in regattas and enjoying rum. Fun fact: she sailed 333 miles across Lake Michigan in the Chicago Yacht Club "Race to Mackinac."

Around the web

The tirzepatide shortage that first began in 2022 has been resolved. Drug companies distributing compounded versions of the popular drug now have two to three more months to distribute their remaining supply.

The 24 members of the House Task Force on AI—12 reps from each party—have posted a 253-page report detailing their bipartisan vision for encouraging innovation while minimizing risks. 

Merck sent Hansoh Pharma, a Chinese biopharmaceutical company, an upfront payment of $112 million to license a new investigational GLP-1 receptor agonist. There could be many more payments to come if certain milestones are met.