71% of IoT medical device ransomware infections caused by user practice issues

While infusion pumps are the most widely deployed connected medical devices, they are not the leading cause of security alerts.
By Bill Siwicki
01:19 PM

Last month, SamSam, the latest ransomware attack, took down the entire municipality of Farmington, New Mexico, and two hospitals – Hancock Health and Adams Memorial. What’s more, Allscripts appears to have become the first EHR vendor brought down by ransomware, although officials have said the variant is slightly different than the strain impacting those other organizations.

Ransomware and other cyberattacks are unceasing. One major attack surface that is particularly vulnerable is the Internet of Things and other medical devices in healthcare.

The most common type of Internet of Things medical device security alert originates from user practice issues, such as using embedded browsers on medical workstations to surf the web, conduct online chat or download content. These issues account for 41 percent of all security alerts, according to a new study by ZingBox, an Internet of Things cybersecurity company.

Correlating the findings against notable cyberattacks in 2017, the “Medical Devices Threat Report” from ZingBox points out that 15 percent of the hospitals included in the study were infected by WannaCry, ransomware or similar attacks exploiting Windows SMB vulnerabilities. For the report, ZingBox detected, identified and analyzed the behavior of medical devices deployed in more than 50 hospitals, clinics and other healthcare locations. Medical devices studied include infusion pumps, patient monitors, imaging systems and medical device gateways.

The top two device types infected by such attacks were imaging systems (65 percent) and nurse call systems (21 percent), the study found. User practice issues accounted for 71 percent of ransomware infections.

The study showed infusion pumps are the most widely deployed connected medical devices but are not the leading cause of device-oriented security alerts. The leading cause is imaging systems, which were the source of 45 percent of all security alerts, followed by patient monitors at 32 percent.

“It is interesting to point out that while infusion pumps make up nearly 50 percent of connected devices in hospitals, they don’t represent the largest cyberattack surface,” said Xu Zou, CEO and co-founder of ZingBox. “Security alerts relating to infusion pumps were only at 2 percent. However, attention to protecting these devices should still be a priority since a successful attack on a single infusion pump could result in disabling the bulk of all infusion pumps through lateral movement and infection.”

The remaining 21 percent of the device-oriented security alerts are distributed across other device types.

Additional findings from the study include: 51 percent of all reported user practice issues came from imaging devices; nearly 80 percent of the instances of outdated operating systems and software applications identified are from patient monitoring devices; and only 6 percent of healthcare sites infected by WannaCry were able to successfully apply patches.

“Understanding how vulnerabilities enter our networks is critical to protecting patient data and safety in healthcare settings,” Zou said. “As we continue to gain more knowledge about how attacks enter our systems, we can better arm our staff and networks to prevent these dangerous events.”

Twitter: @SiwickiHealthIT
Email the writer: bill.siwicki@himssmedia.com
