Intelligent Health.tech Issue 07 | Page 57

SECURITY

CYNERIO RESEARCH FINDS CRITICAL MEDICAL DEVICE RISKS IN NHS TRUSTS

Six years after WannaCry ransomware attacks disabled over 70,000 devices in NHS Trusts, the UK is again facing a challenge in securing its medical technology. Traditionally conservative approaches to adopting connected devices are being challenged by rapid onboarding to meet the needs of healthcare facilities.

In its 2023 State of NHS Trust IoT Device Security Report, Cynerio found that cyberthreats to NHS Trusts stemming from Internet of Things (IoT) devices are likely to grow in the near future. Data shows that 46% of medical devices analysed had at least one known risk with 11.7% of devices having at least one critical risk.
Among the devices most impacted by critical risks are those closest to patients including devices focused on managing radiation doses, treating cardiovascular diseases and imaging patients. Further, due to the planned onboarding of additional devices in the near future, it’s likely that risks will quickly rise due to the increasingly connected deployments of those medical devices.
Additional report findings include:
» The average NHS Trust currently has over 2,500 connected devices: From telephones and printers to critical patient systems, there are typically thousands of devices – many of which are not properly patched, secured or blocked from unnecessary network communications.
» Many devices are unexpected with surprising origins: CT machines and lab equipment are expected devices within the walls of any healthcare facility. Unfortunately, numerous other devices find their way into environments.
» Common risks with known fixes are widespread: Attacks ranging from DNS poisoning to ransomware often stem from vulnerabilities with known fixes that simply have not been applied. Hundreds of devices containing vulnerabilities with names like DNSpooq, EternalDarkness and Ripple20 are unaddressed despite known fixes and enable common attacks like ransomware.
» Most NHS Trusts have a brief moment of opportunity: The rates of device risk identified in this study are currently below those in the original study. In fact, the rates of critical risk (11.7%) are nearly five times lower than those found worldwide (53.0%) while the number of devices benefitting from network-level security practices like segmentation (36.7%) is nearly three times lower (92.0%). Anecdotal evidence suggests this is due to the conservative adoption of connected devices with a rapid rise in risk as more devices are brought online.
“The WannaCry attacks of 2017 were a wake-up call for not just the UK, but the entire world,” said Chad Holmes, Security Evangelist, Cynerio. “Fortunately for many patients in the UK, the immediate lessons learned resulted in a more conservative approach to connecting medical devices to the internet. Unfortunately, the lower number of risks faced due to this conservative approach is often underappreciated as projects onboard more devices.”