Although infusion pumps are the most widely deployed connected medical devices, they are not the leading cause of security issues, a study of medical devices in more than 50 hospitals has shown.
Imaging systems rank number one as the source of cyber security risks, responsible for 51% of all security issues, according to the Medical Devices Threat Report by internet of things (IoT) security firm ZingBox.
Infusion pumps have regularly been highlighted as a significant risk in terms of cyber security, but there have also been warnings about imaging equipment.
At the 2017 annual meeting of the Radiological Society of North America, health IT and radiology expert Jim Whitfill raised a warning about the lack of awareness about medical device cyber security among many suppliers and healthcare providers, saying the industry was “woefully unprepared” to manage the risk, according to SearchHealthIT.
“It is interesting to point out that while infusion pumps make up nearly 50% of connected devices in hospitals, they don’t represent the largest cyber attack surface,” said Xu Zou, CEO and co-founder of ZingBox.
“Security issues relating to infusion pumps were only at 2%. However, attention to protecting these devices should still be a priority since a successful attack on a single infusion pump could result in disabling the bulk of all infusion pumps through lateral movement and infection,” he said.
ZingBox researchers detected, identified and analysed the behaviour of tens of thousands of medical devices deployed in hospitals, clinics and other healthcare locations in a year-long study.
According to ZingBox, the data provides an unprecedented view into the makeup of a connected healthcare ecosystem and the common vulnerabilities introduced by IoT medical devices.
“This report gives us a new, widescale view of connected healthcare devices and enables us to pinpoint not just where the vulnerabilities are, but what types of issues are triggering security issues,” said Zou.
“The report’s findings closely mirror what we have been hearing from our customers about incidents, risks and related challenges,” he said, adding that many organisations do not have a clear picture of the vulnerabilities on their networks or even what devices are connected on those networks.
Zou said the report should help organisations to shape their security efforts and prioritise the most critical risks based on concrete data.
The report reveals that the most common types of security risks were found to originate from user practice issues such as using embedded browsers on medical workstations to surf the web, conduct online chat or download content, which accounted for 41% of all security issues identified.
This was followed by outdated operating systems or software such as the use of legacy Windows versions, obsolete applications and unpatched firmware. These issues account for 33% of all security risks found on connected medical devices, the report said.
According to the report, medical devices make up less than a quarter of all devices found in dedicated medical networks, while PCs make up 43% of devices in networks dedicated for medical devices.
Use of unauthorised applications (22%) and browsers (18%) make up the bulk of user practice issues and are the leading security issues for connected medical devices, the report said.
“This report, and the extensive analysis behind it, represents a pivotal step forward,” said Zou. “Understanding how vulnerabilities enter our networks is critical to protecting patient data and safety in healthcare settings.
“As we continue to gain more knowledge about how attacks enter our systems, we can better arm our staff and networks to prevent these dangerous events,” he said.
Inadequate regulations on security and privacy are at the heart of the problem, according to experts interviewed for the report, Internet of things: pinning down the IoT, sponsored by security firm F-Secure.