Report identifies rising risks and proactive security opportunities as onboarding of IoT devices becomes a priority
Six years after WannaCry ransomware attacks disabled over 70,000 devices in NHS Trusts, the United Kingdom is again facing a challenge in securing its medical technology. Traditionally conservative approaches to adopting connected devices are being challenged by rapid onboarding to meet the needs of healthcare facilities.
In its 2023 State of NHS Trust IoT Device Security Report, Cynerio found that cyber threats to NHS Trusts stemming from Internet of Things (IoT) devices are likely to grow in the near future. Data shows that 46% of medical devices analysed had at least one known risk, with 11.7% of devices having at least one critical risk. Among the devices most impacted by critical risks are those closest to patients, including devices focused on managing radiation doses, treating cardiovascular diseases and imaging patients. Further, because additional devices are planned for onboarding in the near future, risks are likely to rise quickly as deployments of those medical devices become increasingly connected.
Additional report findings include:
- The average NHS Trust currently has over 2,500 connected devices:
  From telephones and printers to critical patient systems including infusion pumps and patient monitors, there are typically thousands of devices, many of which are not properly patched, secured or blocked from unnecessary network communications.
- Many devices are unexpected with surprising origins:
  CT machines and lab equipment are expected devices within the walls of any healthcare facility. Unfortunately, numerous other devices find their way into environments. Consumer electronics from manufacturers like Amazon (Alexa, Kindle, tablets), Sony (smart TVs, PlayStations) and even Tesla are routinely found communicating on NHS Trust networks.
- Common risks with known fixes are widespread:
  Attacks ranging from DNS poisoning to ransomware often stem from vulnerabilities with known fixes that simply have not been applied. Hundreds of devices containing vulnerabilities with names like DNSpooq, EternalDarkness and Ripple20 are unaddressed despite known fixes and enable common attacks like ransomware.
- Most NHS Trusts have a brief moment of opportunity:
  The rates of device risk identified in this study are currently below those in the original study. In fact, the rates of critical risk (11.7%) are nearly five times lower than those found worldwide (53.0%), while the number of devices benefitting from network-level security practices like segmentation (36.7%) is nearly three times lower (92.0%). Anecdotal evidence suggests this is due to conservative adoption of connected devices, with a rapid rise in risk as more devices are brought online.
“The WannaCry attacks of 2017 were a wake-up call for not just the UK, but the entire world,” said Chad Holmes, Cynerio’s Security Evangelist. “Fortunately for many patients in the UK, the immediate lessons learned resulted in a more conservative approach to connecting medical devices to the internet. Unfortunately, the lower number of risks faced due to this conservative approach is often underappreciated as projects onboard more devices.”
Holmes further warns hospitals worldwide, “The United States and Ireland are perfect examples of what happens when devices are connected without fully considering the risks present. In 2021, Ireland’s Health Service Executive experienced widespread outages for five months across 40 hospitals with a total estimated recovery cost of over half a billion euros. The numbers are equally staggering in the US where hundreds of successful ransomware attacks on healthcare occur annually with estimated recovery costs often measured in tens of millions of dollars.”
For additional data and analysis, download a full version of the 2023 State of NHS Trust IoT Device Security Report and access the Cynerio and ITHealth recorded webinar which took place on March 29th and which discussed the report’s key findings and implications for healthcare IoT security in the UK going forward.
About Cynerio
Cynerio has one simple goal – to secure every IoT, IoMT, OT and IT device in healthcare environments. Our dedicated focus on the healthcare industry has led to the creation of technologies that help in preventing and responding to attacks. With capabilities ranging from microsegmentation and improved device insight to identifying exposed ePHI and stopping ransomware, Cynerio provides the technology and expertise needed to protect hospitals from a variety of cyberattacks. Learn more about Cynerio at cynerio.com or follow us on Twitter @cynerio and LinkedIn.
About ITHealth
ITHealth provides proven and trusted cybersecurity and access management solutions to NHS organisations. Our aim is threefold: to protect the availability, confidentiality and integrity of vital NHS systems and data, to protect staff, and to protect an NHS organisation’s reputation. By doing so, we ultimately protect patient care. Having been established for over 30 years and with the NHS as our sole focus, it gives us an unrivalled and genuine understanding of NHS IT issues and infrastructures and uniquely places us to help address even the most complex of NHS cyber challenges. https://www.ithealth.co.uk Follow on Twitter @ITHealthUK and LinkedIn.