NHS: Hackers have Complete Access to Millions of Medical Devices in UK Hospitals

 

In England's NHS Trust hospitals, millions of medical devices are now entirely vulnerable to ransomware attacks by cybercriminal groups. 

These ostensibly safe online gadgets, such as surveillance cameras and blood pressure monitors, are either unable to run security software or rely on outdated versions. They frequently receive no monitoring at all.

When hackers leapfrog from these devices into the key areas of hospital networks, they can bring down entire hospital systems and leave a path of technological carnage in their wake. 

There have already been significant instances in North America and other parts of the world where security specialists were called in to deal with the fallout from these scenarios, some of which were the result of human error. 

This is a ticking time bomb, and the actual magnitude of the threats was revealed earlier this week by Armis Security, a US cybersecurity firm that sent freedom of information (FOI) requests to 150 NHS Trusts in England.

Armis Security inquired about how hospitals catalogue and monitor their medical devices, namely laptops, desktop computers, MRI machines, CT scanners, drug distribution stations, pacemakers, linked inhalers, and heart-rate and blood-pressure monitors. 

Only 71 NHS Trusts answered with data, but what they stated was eye-opening: one in five hospitals admitted to manually tracking each medical device added to their networks, and nearly one in six hospital networks are not checked for cybersecurity concerns at all. 

While this report focuses on the NHS, Armis stated that it is pushing for international healthcare industry action because the problem is hurting hospitals all around the world. 

Hackers usually want to steal data from businesses or encrypt it and demand a ransom payment. With healthcare, there is an additional risk that patients' lives will be affected, both by the interruption caused by cyberattacks and network failures and by hacking attempts on medical devices, which may cause them to malfunction.

"NHS trusts are responsible for their own cybersecurity and must maintain a register of medical devices connected to their network, including information on their data security assurance process," said a spokesman for NHS England. “The NHS will continue to review the requirements for cybersecurity relating to connected medical devices and take action to make improvements where appropriate.”

Why should hospitals monitor all IoT devices? 

Trend Micro, a global cybersecurity firm, interviewed 145 healthcare companies worldwide in January and discovered that more than half of them had been damaged by ransomware attacks in the previous three years. One-fourth of those surveyed stated the hacks were so severe that they had to suspend operations entirely.

In addition, the Ponemon Institute's 2022 study indicated that more than half of the 517 healthcare practitioners polled saw their institutions endure greater death rates as a result of cyberattacks. The latest known large ransomware assault on the NHS was the WannaCry ransomware strike in 2017. However, this does not mean that we are out of the woods.

"The reason we're good at tracking laptops and desktops is that the IT department buys them and, when we receive them, we install security tools," Mohammad Waqas, principal solutions architect at Armis, explained at Infosecurity Europe 2023.

“With medical devices, the IT team is not involved, it’s the medical departments buying and installing them. But even if I was aware this department bought 10 CT scanners or 10 ultrasound machines, I still can't install my traditional security [software] on the machines to track them.” 

Many medical devices run an open-source Linux operating system, which plays the same role as Windows or Android on your computer or smartphone. None of these devices are "computers" in the classic sense, yet because they run Linux, CCTV cameras and wireless glucose monitors are just as vulnerable to hackers as traditional computers.

Armis estimates that 25,000 devices are active on any single hospital network around the world on a daily basis.