The Journal of ExtraCorporeal Technology No 58-1 | Page 11

K. Lung: J Extra Corpor Technol 2026, 58, 3 – 18 5
2024, it has cost at least $2.3 billion in remediation and repair [24]. See Table 1 for more examples.
Historical medical device vulnerabilities
Individual healthcare devices have been reported as vulnerable to cyberattacks as well. These vulnerabilities could serve as gateways to larger networks, in addition to being devastating in their own right. One of the challenges innate to medical devices is the lack of basic security measures such as encryption, which can drastically lower the battery life of many devices like pacemakers and insulin pumps. Pacemaker security has been the topic of discussion many times in the media, most notably when former Vice President Dick Cheney had his pacemaker modified after an issue was discovered that would have allowed a cybercriminal to modify the settings or deliver a fatal command remotely [27].
Abbott had a major recall on their St. Jude pacemakers in 2017 after it was found that the devices could be accessed and modified. In 2023, Medtronic had a major vulnerability reported in their PaceArt Optima system (now a part of PaceMate), where patient data could be exploited as it is compiled and managed. The system was also vulnerable to Denial-of-Service attacks that would slow the data transmission or render the connection unresponsive [29].
Medtronic also had a cybersecurity risk in 2022 for their MiniMed 670G insulin pumps, which could be wirelessly taken over when pairing with other system components [30]. Infusion pumps such as Hospira Lifecare drug infusion pumps and GE's Alaris Gateway Workstations were found to have weaknesses that would allow a cybercriminal to remotely change medication dosing [7, 27]. The Aestiva and Aespire ventilators and anesthetic machines, also by GE, could similarly be altered when connected to an unsecured network [7].
Another major issue is devices with hardcoded passwords from the manufacturer. These passwords can sometimes be found in device manuals online, and when devices with vulnerabilities like these are accessible on a network, they are a liability. One example of this type of situation is blood refrigeration units, which could have the alarms disengaged and the temperature modified remotely in order to destroy products [27]. Magnetic resonance imaging equipment and computed tomography (CT) scanners have fallen under similar scrutiny, with concern that cybercriminals could remove the radiation exposure limiter from a CT scanner even while a patient was being scanned [27]. Heating, ventilation, air conditioning, and electrical systems can be targets as well, impacting the physical environment in which staff work and patients are treated [3].
Healthcare specific vulnerabilities
Healthcare as a whole has a variety of weaknesses that make it difficult to defend. Physically, hospitals are built to help people. Anyone can walk in off the street and expect to be attended to in some way. If someone were to plan malicious cyber activities, it would not be difficult to situate themselves near equipment that has access to the larger hospital network while waiting for medical assistance [4].
From a cyber perspective, hospitals have difficulty because networks in most hospitals were not built from the ground up with security in mind. Unless a hospital has invested significant funds in revamping its whole system, the network has been built in patches, branches, and add-ons over decades, making it difficult to understand and comprehensively cover. As an example, most hospitals have EMRs, but many also have separate databases and record-keeping services for individual departments or devices. Some of these services will have been slowly absorbed into a larger EMR, while others persist, often still linked to external companies. For instance, heart-lung machines may be linked to external perfusion record companies that may have vulnerabilities in their security and impact perfusionists regardless of what the hospital's internal IT team is prepared for. For perfusion as a whole, the aspect of IoMT cybersecurity that is of most concern comes from the many devices that we operate and the lack of investment in digital education regarding cybersecurity risks.
Financial barriers to hospital cybersecurity
Another major factor is the lack of funding that cybersecurity receives within a hospital or hospital system [1, 4, 7]. Hospitals generally run on a 1–3% profit margin, which is significantly lower than the margins available to other businesses [8, 9]. Some of this low profitability is due to fixed insurance reimbursements, which cannot be easily changed to include a fee for future improvements to hospital information networks [4]. Add to this a shortage of IT security specialists [1, 4, 8, 10, 14, 17] and the fact that those specialists can usually make significantly more money working in the private sector, and the result is a chronically understaffed and underfunded department doing its best to defend a piecemeal network against threats that the hospital itself may physically allow through its doors.
The breadth of the network, variety of devices connected, and age of individual devices are other issues hospitals face [31]. Medical devices need to be able to transfer data to and through many systems in the hospital, but often do not have proper security measures. Older and smaller devices often do not have the battery life or processing capacity to run encryption, digital forensics, malware detection, or threat modeling processes [3]. Some medical devices run on older and unsupported operating systems like Windows XP, which have known security flaws that can be exploited by cybercriminals [27].
These kinds of older, unsupported, and unpatched devices are often known as legacy devices. They are not removed from hospital systems because they perform critical functions, are too expensive to replace, or there is staff resistance due to workflow concerns or familiarity with the device [1, 4]. Frequently, for hospitals that use devices with old operating systems, such as Windows XP, the cause is that there is either no update available for an individual device, or a particular program can only run on older operating systems. Another reason is the financial burden, as the cost of upgrading systems may not be built into a hospital's budget. However, a serious risk to a hospital system comes with keeping legacy devices on the network [17]. It is easier for malware to avoid detection on a legacy device, and some cybercriminals will intentionally run old malware to target