HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

82% Of Healthcare Organizations Have Experienced an IoT Cyberattack in the Past 18 Months

A new study conducted by Medigate and CrowdStrike has highlighted the extent to which healthcare Internet of Things (IoT) devices are being targeted by threat actors and warns about the worrying state of IoT security in the healthcare industry.

The number of IoT devices being used in healthcare has increased significantly in recent years as connected health drives a revolution in care delivery. Healthcare providers are increasingly reliant on IoT devices to perform a range of essential functions, and while the devices offer huge clinical benefits, full consideration should be given to cybersecurity.

Cyber threat actors have disproportionately targeted healthcare organizations for many years due to the high value of healthcare data, the ease at which it can be monetized, and the relatively poor cybersecurity defenses in healthcare compared to other industry sectors. The rapid adoption of IoT devices has resulted in a major increase in the attack surface which gives cyber actors even more opportunities to conduct attacks. Further, IoT devices often have weaker cybersecurity controls than other devices and can provide an easy entry point into healthcare networks.

The study included a survey of healthcare organizations to determine what threats they have faced over the past 18 months. 82% of surveyed healthcare organizations said they have experienced at least one form of IoT cyberattack in the past 18 months, with 34% of respondents saying the attack involved ransomware. The situation is likely to get worse as the number of IoT devices in healthcare grows. According to the report, spending on connected medical devices has been predicted to increase at a CAGR of 29.5% through 2028.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

One of the main problems with securing IoT devices is a lack of visibility into all connected devices, which is especially poor in the healthcare industry. IoT security risks can be managed and reduced to a low and acceptable level, but if healthcare organizations do not have visibility into the IoT devices that connect to the network, essential security enforcement systems will not be able to perform at the required levels.

Healthcare organizations need to have a clear picture of the security posture of each device and be aware of network status, location, and device utilization. There could be 100 or more devices in use, so keeping track of those devices and the security status of each can be a major challenge and will only get worse as the number of devices increases.

The researchers make several recommendations about improving IoT security, including endpoint detection and response (EDR), orchestrated visibility, and network segmentation to allow attacks to be easily contained. It is also important to ensure insurance policies have sufficient coverage.

“HDOs must have an intimate understanding of their entire connected landscapes, otherwise, threat intelligence cannot be accurately processed or correlated to the right devices, and remediations will not deliver the desired impact,” explained the researchers. “Processes that continuously improve visibility and its orchestration, EDR, and containment capability must be in place, or these additional defense layers cannot perform at their highest intended levels.

In order to scale the delivery of connected health, the researchers say security and asset management practices must converge. The researchers recommend creating a common reference foundation, “not only to modernize existing infrastructure where possible but to ensure the performance of future investments in layered capabilities.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.