A hand writing on a whiteboard AI-generated content may be incorrect.

A U.S.-based mammography medical services provider suffered a significant data breach last week, compromising the personal information of more than 350,000 patients.

The attacker gained unauthorized access to an employee’s email account, exposing personally identifiable information (PII) and protected health information (PHI).

In another recent instance, two prominent healthcare organizations were targets of ransomware, resulting in data breaches that impacted over 100,000 individuals. Over 200 GB of compromised patient data was exfiltrated from one of their systems.

Last month, the AHA and Health-ISAC warned about the rising security threat to hospitals and healthcare organizations to prepare for potential attacks. The increasing reliance on connected medical devices has expanded the attack surface, raising concerns about protecting patient data and privacy. 

Legacy Medical Device Management Systems (MDMS) pose a serious risk due to outdated operating systems and a lack of access controls. These risks may be traced directly to manufacturers’ premarket, where device production and time-to-market are prioritized over security, leaving devices and patient data vulnerable once shipped.

Hospital Readiness and the Importance of a Cybersecurity Strategy

The healthcare industry doesn’t fare too well regarding security readiness. Research showed that 90% of healthcare organizations received an A or B in cybersecurity, with 8% receiving a score of “C” and 2% having “D” or “F” scores. Healthcare organizations with a “C” rating indicate a 5.4x greater likelihood of a breach, while an “F” rating increases that likelihood by 13.8x. This leaves the entire hospital ecosystem vulnerable to a wide range of targeted cyberattacks.

Medical devices are often catalysts for cyberattacks and breaches. Medical devices are inherently risky by design and frequently ship with outdated operating systems. Critical vulnerabilities and fundamental security flaws are often overlooked during the production lifecycle.

A study revealed that medical practices with more than 70% of their devices connected are 24% more likely to experience a cyberattack. The survey also found that 57% of healthcare IT staff said they do not change their devices’ default username and password. The data highlights security gaps that must be addressed, both by MDMs and IT, who are typically responsible for maintaining interconnected operations and safety.

Devices that aren’t encrypted or lack authentication protocols risk unauthorized access and many attacks. A malicious actor could clone the hospital’s Wi-Fi with an evil twin attack and intercept the patient’s real-time vitals.

For example, a physician relying on data from a glucose monitor connected over a poorly secured hospital network could unknowingly base critical decisions on tampered data. Administering an additional dosage of glucose may send a patient into hyperglycaemic shock or worse.

This places greater liability on the physician, their team, and the hospital, compromising PII and patient safety, and exposing the organization to malpractice lawsuits and severe compliance penalties issued by HIPAA and other regulated healthcare bodies.

Healthcare organizations face ongoing regulatory pressure to secure medical devices and hospital networks, specifically with newly enacted laws like the Healthcare Cybersecurity and Resiliency Act of 2024 and the HIPAA Security Rule, passed in January of this year. Medical Device Management Systems (MDMS) must also ensure that devices meet other healthcare ISO-specific regulations, such as ISO 7101 and ISO 45001.

These constraints leave MDMS manufacturers and healthcare providers in a bind.

Key Challenges Hospitals Face in Securing Medical Devices

Fragmented Systems and Legacy Infrastructure: A HIMSS survey found that 73% of healthcare providers use legacy operating systems. These outdated systems expose the entire network and attack surface to critical vulnerabilities, for which there might not be any vendor support or security patching. Fragmented IoMT devices create bottlenecks for system administrators as they are increasingly complex to track and manage. Healthcare providers must consider upgrading or consolidating security stacks. 

Limited Resources for Security: A survey found that only 14% of healthcare organizations say their IT security teams are fully staffed. Smaller healthcare institutions often leave themselves behind without the skilled personnel to continuously monitor threats or respond quickly to incidents. Not only does this create risks for MDMS connected to the hospital network, but it also renders access management a nightmare for IT.

Understaffed teams and limited resources also fuel existing IT and security staff burnout. According to a Gartner Peer Community survey of information security and IT leaders primarily responsible for cybersecurity, 62% said they’d experienced burnout at least once, and 44% reported several instances of burnout.

Vulnerability Exposure in Remote Monitoring Devices: Healthcare organizations cannot keep pace with the volume of IoMT devices being augmented across their interconnected networks. A third-party supplier with privileged network access might inadvertently introduce malware into a connected medical device and, by extension, become responsible for a breach. Access must be limited, and networks must be segmented to prevent such situations.

Best Practices for Enhancing Hospital Cybersecurity Readiness

  • Establishing a Comprehensive Cybersecurity Framework for Connected Medical Devices: Implement a comprehensive cybersecurity framework that includes all medical devices. This framework should integrate Medical Device Management Systems (MDMS) into the broader IT security strategy, ensuring real-time visibility, risk assessment, and compliance. Organizations can reduce cyber risk, improve patient safety, and meet regulatory requirements by aligning device security with hospital-wide policies.
  • Develop an Incident Response Plan: Hospitals and other healthcare facilities must have a detailed incident response plan. A playbook should be drawn up with the following considerations: EOL device handling, locking mechanisms for devices that require human input to operate, and network segmentation to minimize the external attack surface further. 
  • Invest in Technical Staff Training and Security Awareness Programs: A survey found that only 4% of respondents said no cybersecurity awareness training was provided to the workforce, despite being a requirement of the new HIPAA Security Rule. When asked to evaluate the effectiveness of their current security awareness training programs, only 18% considered them to be highly effective.

Security awareness training is essential. Hospitals must invest heavily in staff training for those who manage MDMS and other critical healthcare technologies. Run routine exercise to demonstrate its effectiveness. 

These are a handful of best practices every healthcare organization can implement to build a more resilient cybersecurity program for Medical Device Management Systems and the IoMT ecosystem.

How C2A Security Can Strengthen Hospital Cybersecurity and MDMS Readiness

C2A Security supports healthcare organizations and MDMs in achieving cybersecurity readiness through in several areas:

Real-Time Threat Monitoring and Incident Response: Providing real-time monitoring, threat identification, and quick incident response to mitigate potential damage. EVSec integrates seamlessly with MDMS to offer holistic protection across medical devices and hospital IT systems.

End-to-End Premarket and Postmarket Solution: EVSec provides a comprehensive solution, integrating security from the earliest development stages in the product lifecycle to postmarket monitoring.

Automated Device Management and Patching: Automating patch management for medical devices, ensuring that critical vulnerabilities are addressed proactively rather than reactively. This is crucial in preventing cyberattacks targeting outdated software and legacy infrastructure.

Healthcare-Specific Compliance and Regulatory Assistance: Ensuring that hospitals meet the latest regulatory requirements, including mandatory reporting of vulnerabilities. Additionally, EVSec helps ensure that MDMS and connected devices comply with industry-specific healthcare regulatory standards, such as FDA, HIPAA, and the Healthcare Cybersecurity and Resilience Act.

Enhancing Supply Chain Security: Hospitals rely on vendors for critical services and devices to manage third-party devices and software integrated into their medical ecosystems. EVSec also provides hospitals with Automated BOM Validation and management for internal teams and external suppliers.

Schedule a demo to learn how C2A Security can help strengthen cybersecurity readiness in your healthcare organization.