Six years after WannaCry ransomware attacks disabled over 70,000 devices in NHS Trusts, the UK is again facing a challenge in securing its medical technology. Traditionally conservative approaches to adopting connected devices are being challenged by rapid onboarding to meet the needs of healthcare facilities.

In its 2023 State of NHS Trust IoT Device Security Report, Cynerio found that cyberthreats to NHS Trusts stemming from Internet of Things (IoT) devices are likely to grow in the near future. Data shows that 46% of medical devices analysed had at least one known risk, with 11.7% of devices having at least one critical risk.
Among the devices most impacted by critical risks are those closest to patients, including devices focused on managing radiation doses, treating cardiovascular diseases and imaging patients. Further, with additional devices planned for onboarding in the near future, it's likely that risks will quickly rise as those medical devices are deployed in increasingly connected ways.
Additional report findings include:
» The average NHS Trust currently has over 2,500 connected devices: From telephones and printers to critical patient systems, there are typically thousands of devices – many of which are not properly patched, secured or blocked from unnecessary network communications.
» Many devices are unexpected with surprising origins: CT machines and lab equipment are expected devices within the walls of any healthcare facility. Unfortunately, numerous other devices find their way into environments.
» Common risks with known fixes are widespread: Attacks ranging from DNS poisoning to ransomware often stem from vulnerabilities with known fixes that simply have not been applied. Hundreds of devices containing vulnerabilities with names like DNSpooq, EternalDarkness and Ripple20 are unaddressed despite known fixes and enable common attacks like ransomware.
» Most NHS Trusts have a brief moment of opportunity: The rates of device risk identified in this study are currently below those in the original study. In fact, the rates of critical risk (11.7%) are nearly five times lower than those found worldwide (53.0%), while the number of devices benefitting from network-level security practices like segmentation (36.7%) is nearly three times lower (92.0%). Anecdotal evidence suggests this is due to the conservative adoption of connected devices, with a rapid rise in risk as more devices are brought online.
“The WannaCry attacks of 2017 were a wake-up call for not just the UK, but the entire world,” said Chad Holmes, Security Evangelist, Cynerio. “Fortunately for many patients in the UK, the immediate lessons learned resulted in a more conservative approach to connecting medical devices to the internet. Unfortunately, the lower number of risks faced due to this conservative approach is often underappreciated as projects onboard more devices.”
