Half of internet-connected devices in hospitals are vulnerable to hacks, report finds

Over half of internet-connected devices used in hospitals have a vulnerability that could put patient safety, confidential data, or the usability of a device at risk, according to a new report from the healthcare cybersecurity company Cynerio.

The report analyzed data from over 10 million devices at over 300 hospitals and health care facilities globally, which the company collected through connectors attached to the devices as part of its security platform.

The most common type of internet-connected device in hospitals was an infusion pump. These devices can remotely connect to electronic medical records, pull the correct dosage of a medication or other fluid, and dispense it to the patient. Infusion pumps were also the devices most likely to have vulnerabilities that could be exploited by hackers, the report found — 73 percent had a vulnerability. Experts worry that hacks into devices like these, which are directly connected to patients, could be used to hurt or threaten to hurt people directly. Someone could theoretically access those systems and change the dosage of a medication, for example.

Other common internet-connected devices are patient monitors, which can track things like heart rate and breathing rate, and ultrasounds. Both of those types of devices were in the top 10 list in terms of numbers of vulnerabilities.

Health care organizations are now a major target for hackers, and while a direct attack on internet-connected medical devices doesn’t seem to have happened yet, experts think it’s a possibility. The more active threat is from groups that break into hospital systems through a vulnerable device and lock up the hospital’s digital networks — leaving doctors and nurses unable to access medical records, devices, and other digital tools — and demand a ransom to unlock them. These attacks have escalated over the past few years, and they slow down hospital functions to the extent that it can hurt patients.

Cynerio’s report notes that most of the vulnerabilities in medical devices are easily fixable: they’re due to weak or default passwords or a recall notice that the organization hasn’t acted on. Many healthcare organizations just don’t have the resources or personnel to keep systems up to date and might not know if there’s an update or alert concerning one of their devices.

But reports like this one, combined with the growing frequency of ransomware attacks, is pushing more health care organizations to invest in cybersecurity, experts say. “I think this is reaching a level of criticality that is getting the attention of CEOs and board rooms,” Ed Gaudet, CEO and founder at cybersecurity company Censinet, told The Verge this fall.