
The healthcare sector is increasingly vulnerable to cyber crime due to unpatched medical devices that run on outdated software and devices without adequate security features, according to a report from the Federal Bureau of Investigation’s cyber division.

Medical devices in use have an average of six cybersecurity vulnerabilities, putting users, their systems and patients at risk of attack, including data theft, the report said.

As of January 2022, 53% of connected medical devices and other internet of things (IoT) devices used by hospitals had known critical vulnerabilities, the FBI reported last week. “Approximately one third of healthcare IoT devices have an identified critical risk potentially implicating technical operation and functions of medical devices,” it wrote in a notification to private industry.

Common devices that are at risk of cyber attack include insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, pacemakers and intrathecal pain pumps, according to the notification. Although recalls have been issued for many devices such as pacemakers and insulin pumps that have known security issues, “more than 40% of medical devices at the end-of-life stage offer little to no security patches or upgrades,” it reported.

“Malign actors who compromise these devices can direct them to give inaccurate readings, administer drug overdoses, or otherwise endanger patient health,” the agency said.

New tech raises risk

Meanwhile, clinicians who work with patients in long-term care facilities should be especially aware of the potential for data theft and privacy breaches, an expert cautions.

Long-term care facilities have become more vulnerable to security breaches due to the expanding adoption of IoT devices such as remote patient monitoring, according to Sam Heiney, VP-product at Impero Software, which provides remote access solutions and IoT software to healthcare and other industries.

“This unprecedented level of connection can be a double-edged sword if not implemented thoughtfully,” he told McKnight’s Clinical Daily. “Every newly connected device can also be a threat vector, providing an entryway for malicious hackers seeking the treasure trove of personally identifiable information found in abundance in healthcare facility systems.”

Older adults are known targets for phishing scams and for a version of cyber theft called ghosting, in which a recently deceased person’s data is stolen for financial gain. Identifiable inside information about a senior and their health conditions or status can be used against them, Heiney said.

Privacy and trust

For clinicians and facility operators, cybersecurity problems are linked to HIPAA privacy compliance and patient trust, Heiney said. Although medical devices don’t often store any patient information directly, they may be the “weakest link” in a facility’s cyber defenses, he said. 

“This makes them appealing as back doors through which hackers can jump into the systems that do contain the information they’re after. Clinicians should understand this vulnerability and take to heart the cybersecurity training they are, hopefully, receiving,” he said.

Clinicians’ role

Decisions to update and replace medical devices to plug holes in security are typically management’s concern, but clinicians have a role to play in reassuring their patients that their data is safe, he added.

“HIPAA violations can be costly, but a major breach also has a cost when it comes to patient trust,” he said. “[C]linicians should be prepared to address any concerns that a patient or their family may have about their privacy, and be able to offer confident assurances that their information is as safe as can be.” 
