Medical devices in hospitals in England are vulnerable to hacker attacks
Cybersecurity experts call this situation a booby trap.
In hospitals in England, which are subordinate to the National Health Service (NHS), millions of medical devices have been exposed to the threat of ransomware and other types of malware. This applies to devices such as surveillance cameras and pressure measuring devices.
Hackers can use such devices as points of entry into key areas of hospital networks to paralyze their work and cause real technological chaos. In North America and other regions of the world, there have already been similar cases when cybersecurity specialists eliminated the consequences of similar attacks. Moreover, many of them occurred due to banal human inattention.
This is a real mined powder keg. The real scale of the threats was disclosed this week by an American cybersecurity company Armiswhich sent freedom of information requests (FOI) 150 hospitals NHS Trust in England.
Armis asked about how hospitals account for and manage their medical devices, such as laptops, computers, MRI and CT machines, drug distribution stations, pacemakers, connected inhalers, and pulse and pressure sensors.
Less than half of the hospitals (71) gave a detailed answer. However, what they reported was shocking: only one in five hospitals admitted to manually monitoring every medical device added to their network, and almost one in six hospital chains did not check their networks for cybersecurity issues at all.
Although this report focuses on the NHS, Armis believes that thousands of other healthcare facilities around the world are affected by the same problem.
In a ransomware attack, hackers usually want to steal company data or encrypt it and demand a ransom. In the case of healthcare, there is an additional risk that patients’ lives will be put at risk, both from interruptions caused by cyberattacks and network failures, and from attempts to hack medical devices that can cause them to malfunction.
“NHS hospitals are responsible for their cyber security and must maintain a registry of medical devices connected to the network, including information about the data security process. The NHS will continue to review the cybersecurity requirements associated with connected medical devices and take steps to improve them where necessary,” the NHS said.
In January of this year, the cybersecurity company Trend Micro interrogated 145 healthcare organizations around the world and found that more than half of them had suffered ransomware attacks in the past three years. And a quarter of those surveyed said that the attacks were so severe that they had to completely suspend their activities.
The last known large-scale ransomware attack on NHS trusts was the WannaCry attack in 2017. However, the prescription of what happened does not mean at all that the threat has passed.
“The reason we track laptops and computers well is because the IT department buys them and when we receive them we install security tools on them,” explained Mohammad Waqas, Chief Solutions Architect at Armis at the Infosecurity conference. Europe 2023.
“The IT team does not interact with medical devices. It’s the medical departments that buy and install them. But even if I know that this department has bought 10 CT machines or 10 ultrasound machines, I still can’t install my software to monitor them,” Vakas added.
Many medical devices use an operating system linux, however, none of these devices is a “computer” in the classical sense. However, precisely because they run on Linux, security cameras and wireless blood glucose meters, for example, are just as vulnerable to hackers as traditional computers.
Armis estimates that there are approximately 25,000 networked devices active daily in any hospital in the world. This means that there are a lot of potential entry points for cybercriminals.
Cybersecurity experts are calling on hospitals and medical device manufacturers to work with each other to ensure that their networks and patients are protected from cyberattacks. They also recommend the use of specialized solutions for detecting and preventing attacks on medical devices that do not require the installation of additional software on the most vulnerable equipment.
Experts believe that cybersecurity is a matter of life and death for public health, and it is necessary to act immediately to prevent possible catastrophic consequences.