Vulnerable Medical IoT Devices: The Next Security Nightmare for Healthcare Sector

Cyberattacks against the healthcare industry are nothing new. While the sector continues to be a hotbed for cybercrime, the ongoing global pandemic has escalated the number of attacks.

In addition to insufficient regulations, lack of digital privacy among personnel, and the use of outdated software, the presence of many IoT devices makes healthcare organizations uniquely vulnerable. While medical devices need to connect to each other in a modern hospital system to operate effectively, they can also open up a new gateway for hackers when the system is implemented poorly.

Flaws continue to haunt IoT devices 

  • Despite the warning from the US National Security Agency (NSA) and the UK’s National Cyber Security Center (NCSC) in 2019, a new report from CyberMDX revealed that about 45% of connected medical devices are vulnerable to the infamous BlueKeep exploit.
  • The FDA warned of new cybersecurity vulnerabilities affecting Bluetooth Low Energy communications technology used in certain medical devices. Referred to as SweynTooth, the flaw can impact implanted devices such as glucose monitors, insulin pumps, pacemakers, and stimulators.
  • The flaw also affects larger devices in healthcare facilities like ultrasound devices.
  • Researchers discovered 19 vulnerabilities, called Ripple 20, affecting millions of IoT medical devices. These high-risk vulnerabilities can allow an attacker to perform a host of malicious activities such as stealing data, impacting the functionality of an infusion pump, or causing a device to malfunction. 
  • The Department of Homeland Security issued an alert for vulnerabilities found in six medical devices manufactured by Biotronik, Baxter and BD Alaris. These flaws can enable threat actors to launch DDoS attacks or alter system configurations or device data.

Security risks

These medical device vulnerabilities can be exploited by bad actors to attain their numerous malicious intents. Some of these impacts include:
  • Inflict treatment against patients by modifying or deleting PHI data;
  • Make devices unusable by taking control over them;
  • Connect to other devices or internal networks.

Bottom line

As the number of critical medical IoT devices continues to grow, attackers have more opportunities to accomplish their goals. Therefore, healthcare firms should prioritize and address vulnerabilities in devices that pose risk to the entire organization and for the safety of patients.