information security company Cynerio conducted an analysis of the state of information security connected medical devices used in hospitals, encountering a rather worrying situation. In the document 2022 State of IoT Device Security in Healthcare Report indeed it appears that53% of internet-connected medical devices had at least one known vulnerabilitywhile approximately 33% had a security risk defined as “critical”. Cynerio’s analysis was conducted on a sample of 10 million medical devices distributed across more than 300 hospitals and clinics worldwide.
The report highlights how the ability of a hacker to gain access to such medical devices can impact the availability of the service supported by the device, the privacy of data collected by the device itself, and even security. of the patient who uses it.
For example, it appears from Cynerio’s account that Infusion pumps are the most common device affected by some type of vulnerability (in 73% of cases) and represent 38% of IoT medical devices present in the hospital. If a threat actor were to compromise an infusion pump, the direct consequences for patients could be particularly serious.
The disheartening aspect of this photograph is that a large portion of these vulnerabilities are due to fairly simple reasons, such as outdated or outdated software. For example, the report points out that most IoT medical devices were based on versions of Windows earlier than Windows 10. Or always protected by default passwords and which are the same throughout the organization, with risks of obvious security.
This scenario shows even more clearly why the healthcare sector has become particularly greedy for threat actors financially motivated: outdated and vulnerable medical systems are easy to compromise and, above all, directly endanger the health or life of human beings. A hospital cannot afford to interrupt or seriously compromise services closely related to patient care and this aspect represents a lever that threat actors use to pressure victims into complying with their demands.