Poor User Practice at the Root of Most Medical Device Security Risks

A wide range of medical devices, from infusion pumps and patient monitors to imaging systems and medical device gateways, are vulnerable to hacking – largely thanks to users themselves. Use of unauthorized applications (22%) and browsers (18%) make up the bulk of user practice issues and are the leading security issues for connected medical devices.

According to internet-of-things security solution ZingBox's Medical Devices Threat Report, which analyzed medical devices across 50 hospitals, clinics and other healthcare locations, poor practices such as using embedded browsers on medical workstations to surf the web, conduct online chats or download content account for 41% of all security issues.

This was followed by outdated OS or software, such as the use of legacy Windows OS, obsolete applications and unpatched firmware. These issues account for one-third (33%) of all security risks found on connected medical devices.

“This groundbreaking report gives us a new, widescale view of connected healthcare devices and enables us to pinpoint not just where the vulnerabilities are but [also] what types of issues are triggering security issues. The report’s findings closely mirror what we have been hearing from our customers about incidents, risks and related challenges,” said Xu Zou, CEO and co-founder, ZingBox. “Many organizations don’t have a clear picture of the vulnerabilities on their networks – or even what devices are connected on those networks. The insights in this report will help them shape their security efforts and prioritize the most critical risks based on concrete data not previously available.”

The report showed that infusion pumps are the most widely deployed connected medical devices but are not the leading cause of security issues. Imaging systems ranked as the number-one source, accounting for 51% of all security issues.

“It is interesting to point out that while infusion pumps make up nearly 50% of connected devices in hospitals, they don’t represent the largest cyber-attack surface,” added Zou. “Security issues relating to infusion pumps were only at 2%. However, attention to protecting these devices should still be a priority since a successful attack on a single infusion pump could result in disabling the bulk of all infusion pumps through lateral movement and infection.”

Overall, medical devices make up less than a quarter of all devices found in dedicated medical networks; 43% of the devices in networks dedicated to medical devices are PCs.

“This report, and the extensive analysis behind it, represents a pivotal step forward. Understanding how vulnerabilities enter our networks is critical to protecting patient data and safety in healthcare settings,” said Zou. “As we continue to gain more knowledge about how attacks enter our systems, we can better arm our staff and networks to prevent these dangerous events.”
