At any one time the world’s connected hospitals could be running as many as 80,000 exposed devices, putting hospital operations, data privacy and patient health at risk, according to Trend Micro.
The security giant’s latest report, Securing Connected Hospitals, claimed medical devices, databases, digital imaging systems, admin consoles, protocols, industrial controllers and systems software have significantly increased the average provider’s attack surface.
This puts them at risk of DDoS attacks, ransomware and data theft. Using the DREAD threat assessment model, the report found that DDoS is actually the biggest risk, followed by ransomware.
The latter has impacted hospitals worldwide, particularly NHS Trusts, which were severely affected by the WannaCry attack of 2017.
Senior threat researchers and report authors Numaan Huq and Mayra Rosario Fuentes claimed that hospital cybersecurity may be lacking for several reasons.
These include a lack of dedicated IT security staff, limited budget, outdated diagnostic equipment that can’t be taken offline to patch, and large numbers of mobile workers who need seamless access to systems.
The report also claimed that hospital supply chains are increasingly opening them up to cyber-risk: 30% of the breaches publicly reported to the US Department of Health and Human Services (HHS) in 2016 were due to breaches of business associates and third-party vendors.
“Supply chain threats are potential risks associated with suppliers of goods and services to healthcare organizations where a perpetrator can exfiltrate confidential or sensitive information, introduce an unwanted function or design, disrupt daily operations, manipulate data, install malicious software, introduce counterfeit devices, and affect business continuity,” explained Huq and Fuentes.
“Third-party vendors have credentials that include log-ins, passwords, and badge access which can be compromised. These vendors can also store physical records, medical devices, and office equipment. Hospitals need to be supplied by a robust supply chain to ensure uninterrupted service to patients, and thus protecting the hospital supply chain against cyber-attacks becomes a critical necessity.”