Will Recent IoMT Medical Device Concerns Make a Change in Healthcare in 2020?
According to a recent TechCrunch report, over one billion medical images from patients around the world, including CT scans, X-rays, and ultrasounds, are available online for download to anyone with “an internet connection and free-to-download software.” Although this number is substantial enough to get people talking, is it sufficient to change anything?
Over the last few years, more and more vulnerabilities have been found in the healthcare space, specifically in IoT medical devices. These vulnerabilities are extremely concerning to the healthcare industry as a whole, but little action seems to follow. Of healthcare leaders, 32% admit to never auditing their medical devices. At the same time, more than 50% of them report that “contending with fast-evolving cyber threats” is still the most significant challenge facing the industry. There is a considerable disconnect between the threats these leaders perceive and the actions they take to combat them.
Even more alarming, the medical community has seen the amount of patient data exposed nearly triple year-over-year, going from 15 million breached patient records in 2018 to over 40 million in 2019. Device manufacturers, hospitals, and regulators all acknowledge the problem, yet very few are investing and taking the necessary steps to become more proactive about cybersecurity.
Last year, a joint research paper out of Vanderbilt and the University of Central Florida documented a 3.6 increase in cardiac event fatalities at hospitals that recently suffered cyberattacks. In other words, for every 30 cardiac event patients admitted, statistically, one would die in an impacted hospital who would have survived elsewhere. It’s clear what we need to do from here: we need to act now and use all available resources and instruments to compel others to act too.
Who’s at Risk?
The most recent risk to medical device cybersecurity seen in 2020 thus far comes from specific versions of legacy Windows operating systems. A Forescout Device Cloud report collected data from 75 healthcare deployments with more than 10,000 VLANs and 1.5 million devices. The report shows that of the systems running Windows (59% of organizations studied), 71% were running versions whose support expired on January 14, 2020. These operating systems include Windows 7, Windows 2008, and Windows Mobile.
The report noted that running an unsupported operating system poses a clear security risk that also impacts compliance with most regulations. Since updates are sometimes costly and complicated, networks will likely continue to have medical devices running on legacy operating systems. “It’s inevitable: The number of devices connected to healthcare networks will continue to rise, and the environment will become more complex. The time to begin developing and implementing proactive and enterprise-wide security and risk-management strategy is now.”
How to Fight Back?
The Forescout Device Cloud report offered four recommendations for securing medical devices and networks:
- Enable agentless discovery of all devices
- Identify and auto-classify devices
- Continuously monitor devices
- Enforce segmentation
There’s a solution available that helps healthcare organizations secure their medical devices so that they not only adhere to these recommendations but comply with cybersecurity regulations as well. This solution is Sensato’s Medical Device Cybersecurity Operations Platform (MD-COP), and it provides seamless integration among medical devices and networks, allowing healthcare organizations to comply, detect, and respond. With MD-COP, hospitals can rest assured knowing that their medical devices are entirely updated and patched, providing no risk of outdated software vulnerabilities such as those in specific versions of legacy Microsoft operating systems.
With the combination of rapid advancements in medical device IoT technology and the lack of adaptation in healthcare organizations, it’s practically impossible for government agencies to consistently and effectively enforce medical device cybersecurity tactics. When hospitals are left on their own to locate and defuse these recurring vulnerabilities in medical devices, it can become costly, complicated, and overwhelming. We strongly advise all healthcare organizations to allow Sensato MD-COP to take the weight off your shoulders and let our cybersecurity experts ensure your medical devices will not become the victim of a targeted cyberattack.
To learn more, please feel free to contact us.