
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Riskiest Connected Medical Devices Revealed

Through the Internet of Medical Things (IoMT), an array of medical devices has been connected to the Internet, allowing them to be operated, configured, and monitored remotely. These devices can transmit medical data across the Internet to clinicians, allowing rapid action to be taken to adjust treatments, and data collected from the devices can be automatically fed into electronic medical records. The use of IoMT devices is growing at an extraordinary rate, with the number of devices used by smart hospitals expected to double from 2021 levels to 7 million IoMT devices by 2026.

While Internet-connected medical devices offer important benefits, they also increase the attack surface considerably. Vulnerabilities that malicious actors could potentially exploit to gain access to the devices, and to the networks to which the devices connect, are constantly being discovered in IoMT devices. According to a 2022 report from the FBI, 53% of digital medical devices and other Internet-connected devices contain at least one unpatched critical vulnerability.

The asset visibility and security company Armis has recently conducted a comprehensive analysis of data collected from medical and IoT devices to identify the riskiest IoMT and IoT devices. The data came from more than 3 billion assets that are tracked through the Armis Asset Intelligence and Security Platform. The analysis revealed the riskiest connected medical devices were nurse call systems, 39% of which had unpatched critical vulnerabilities and 48% of which had other unpatched vulnerabilities. A critical vulnerability is a flaw that can be exploited in a direct or indirect attack by a malicious actor that will result in decisive or significant effects. If flaws in medical devices are exploited, hackers could gain access to the networks to which the devices connect, steal sensitive data, or alter the functionality of the devices themselves and put patient safety at risk.

Infusion pumps were the second riskiest connected medical device with 27% of analyzed devices having at least one unpatched critical flaw and 30% having other unpatched vulnerabilities, followed by medication dispensing systems with 4% containing unpatched critical flaws and an astonishing 86% having other unpatched vulnerabilities. Armis notes that 32% of the analyzed medication dispensing systems were running on unsupported Windows versions. Overall, across all connected medical devices, 19% were running on unsupported operating systems, as IoMT devices often have lifespans that exceed the lifespans of the operating systems on which they run.


IoT devices can also introduce considerable risks and provide hackers with an easy opportunity to gain a foothold in healthcare networks. Armis monitors IP cameras in clinical environments and found that 56% have unpatched critical vulnerabilities and 59% have other unpatched vulnerabilities, which makes IP cameras the riskiest IoT devices, followed by printers (37%/30%) and VoIP devices (53%/2%).

“Advances in technology are essential to improve the speed and quality of care delivery as the industry is challenged with a shortage of care providers, but with increasingly connected care comes a bigger attack surface,” said Mohammad Waqas, Principal Solutions Architect for Healthcare at Armis. “Protecting every type of connected device, medical, IoT, even the building management systems, with full visibility and continuous contextualized monitoring is a key element to ensuring patient safety.”

The growing number of wireless, Internet- and network-connected devices and increasing cybersecurity threats targeting the healthcare sector prompted the U.S. Food and Drug Administration (FDA) to take action. Manufacturers of medical devices will soon be required to provide information about the cybersecurity of their devices in pre-market submissions as part of a drive to improve medical device cybersecurity. Those requirements include a software bill of materials to allow vulnerable components to be identified and patched, cybersecurity measures to secure the devices and sensitive data, and a plan to issue security updates for the lifespan of the devices.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
