When Innovation Hurts: IoT Vulnerabilities in Healthcare


Medical devices connected to the internet have made interaction between doctors and patients more convenient—but less secure. A study found that over half of IoT devices in hospitals are vulnerable. Sensitive patient information now sells for a lot of money on the dark web. So it’s no surprise that the healthcare industry remains the main target for cyberattacks year after year.


Today, for the creators of healthcare software solutions, making IoT cybersecurity a top priority is crucial. This article highlights the key IoT vulnerabilities in healthcare and tells you how to avoid them. Don’t miss the practical tips and advice at the end of the article.

Threat 1. The Growing Number of Medical Devices

The lower cost of sensors has made healthcare devices more accessible. High-speed internet access means they can connect to a single network. In addition, AI coupled with IoT has led to faster diagnosis and enhanced patient experience. Social distancing in the pandemic era also made smart medical devices handy. As a result, we have seen an increase in these kinds of solutions used within the hospital walls and beyond. Today, a 500-bed hospital can have 7,500 devices—most of them networked.

Data breaches, malware, and viruses are now common threats for medical devices. Nozomi Networks names the most hackable solutions, which include infusion pumps, implantable devices, and wireless vital monitors. Each compromised device poses a threat to the entire remote patient monitoring (RPM) system, which has many elements, from biometric and mobile devices to virtual servers. For example, a weak password on a device may open up access to the entire infrastructure containing sensitive patient data.

For effective IoT cybersecurity, it’s better to plan the protection of all endpoints from the ground up. For example, make sure users are required to set strong passwords. Another working solution is to add multi-factor authentication.

Threat 2. Broad Use of Telehealth

Telehealth initially targeted remote rural communities, but it now offers a variety of apps for everyone. COVID-19 has played its role, too. Today’s patients can schedule online visits with gastroenterologists or cardiologists. They can ask for remote emergency care. What’s more, virtual care has evolved from one-on-one video conferencing to group sessions. Group psychotherapy is one example.

Telehealth may include the use of wearable devices, implantable sensors, and cloud databases. Each of these products needs robust IoT cybersecurity measures. For example, data from virtual consultations is stored in databases. If the database has security gaps, data leaks are possible. Data leaks may cause legal claims and reputation damage.

The lack of global efforts to regulate telehealth makes the situation more complicated. Today, the security of each app can differ from product to product. And if you don’t have enough resources for cybersecurity in IoT and nobody regulates it, cybercriminals can take advantage of this vulnerability.

Securing network connections is crucial for telehealth solutions. It would be sensible to add more than one type of verification. Security tokens and retina scans are some examples. As soon as data is stored in the cloud, strong configuration and multi-factor authentication for the cloud environment are essential.

Threat 3. Use of Legacy Systems

Legacy systems are one of the main cybersecurity challenges in using IoT in healthcare. According to Kaspersky, two-thirds of healthcare organizations use medical equipment with a legacy OS. An OS such as Windows XP or MS-DOS, for example, increases the number of security breaches several fold. Furthermore, legacy equipment may not receive OTA updates. This enables cybercriminals to obtain confidential data, even if a network is secure.

Meanwhile, the vulnerabilities of unsecured networks are nothing new. For example, a couple of years ago, there was a warning about the HL7 standards, which are commonly used to transfer clinical and administrative data between software apps. HL7 interfaces also often connect aging devices and systems in hospitals and are implemented in an insecure way. So the lack of encrypted and validated data transfer poses a threat to healthcare infrastructure.
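To make "validated data transfer" concrete, here is an added example (not from the original article) of receiver-side checks on an HL7 v2 message arriving over MLLP before it is processed. The sender allow-list, expected message types, size limit and sample frames are assumptions constructed for illustration; encryption in transit would be handled separately, for instance by wrapping the connection in TLS.

```python
# Added example: validate an HL7 v2 message received over MLLP before processing.
# Allow-lists, the size limit and the sample frames are constructed assumptions.
SB, EB, CR = b"\x0b", b"\x1c", b"\x0d"      # MLLP start block, end block, trailing CR
ALLOWED_SENDERS = {("MONITOR01", "WARD3")}  # hypothetical (MSH-3, MSH-4) pairs
ALLOWED_TYPES = {"ORU^R01", "ADT^A08"}      # message types this interface expects
MAX_FRAME = 64 * 1024                       # reject oversized frames outright

def validate_mllp_frame(frame: bytes) -> list[str]:
    """Return a list of problems; an empty list means the frame may be processed."""
    if len(frame) > MAX_FRAME:
        return ["frame exceeds size limit"]
    if not (frame.startswith(SB) and frame.endswith(EB + CR)):
        return ["bad MLLP framing"]
    try:
        text = frame[1:-2].decode("ascii")
    except UnicodeDecodeError:
        return ["non-ASCII bytes in message"]
    segments = [s for s in text.split("\r") if s]
    if not segments or not segments[0].startswith("MSH|^~\\&|"):
        return ["missing or malformed MSH header"]
    msh = segments[0].split("|")            # msh[n-1] holds field MSH-n for n >= 2
    if len(msh) < 12:
        return ["MSH segment too short"]
    problems = []
    if (msh[2], msh[3]) not in ALLOWED_SENDERS:
        problems.append(f"unknown sender {msh[2]}/{msh[3]}")
    msg_type = "^".join(msh[8].split("^")[:2])   # MSH-9: keep type^trigger only
    if msg_type not in ALLOWED_TYPES:
        problems.append(f"unexpected message type {msg_type}")
    if not msh[9].strip():
        problems.append("empty message control ID (MSH-10)")
    if any(not s[:3].isalnum() or s[3:4] != "|" for s in segments[1:]):
        problems.append("malformed segment name")
    return problems

def frame(msg: str) -> bytes:
    """Wrap a message in MLLP framing (used for the constructed samples)."""
    return SB + msg.encode("ascii") + EB + CR

# Constructed sample frames: one expected observation report, one from an unknown sender.
GOOD = frame("MSH|^~\\&|MONITOR01|WARD3|EHR|HOSP|20240101120000||ORU^R01|MSG0001|P|2.5\r"
             "PID|1||12345\rOBX|1|NM|HR||72|bpm\r")
SPOOFED = frame("MSH|^~\\&|UNKNOWN|LAB|EHR|HOSP|20240101120000||ADT^A01|MSG0002|P|2.5\r")

if __name__ == "__main__":
    print(validate_mllp_frame(GOOD))
    print(validate_mllp_frame(SPOOFED))
```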

What’s more, cybercriminals can find weaknesses in legacy systems to enable blackmail. The bulk of attacks targeting healthcare is ransomware. Ransomware blocks access to the device and demands a ransom to restore it. There were several ransom attacks during the pandemic. Ryuk is currently the main ransomware threat attacking healthcare organizations. Its ransom amounts range between $100,000 and $500,000.

It makes sense to keep OS and mobile software updated to avoid such losses. Ensure there is regular bug fixing, and add extra security layers to broadband communications.


Threat 4. Incorporation of Outdated Hardware

Outdated hardware brings more IoT vulnerabilities to healthcare. Manufacturers may focus on new models, forgetting to update old devices. But a solution without fresh patches and bug fixes is vulnerable. For example, an unpatched device can be compromised with malicious code. This places the entire infrastructure at risk. Injected microchips can create even more threats.

In fact, today’s healthcare organizations may have hardware that’s over 10 years old with components that are hard to replace. From a security perspective, companies should plan for the end of life of their assets. It’s crucial to make sure hardware vendors provide security patches and bug fixes as well as device support. Otherwise, it’s impossible to comply with critical regulatory requirements, like HIPAA.

To avoid all of the above, consider your device’s long shelf life. Make sure it comes with the possibility to update configurations and security patches. For instance, the OTA mechanism can be convenient, as it can help you comply with changing regulations.

Threat 5. Medjacking of Medical Devices

Medjacking literally means the hijacking of a medical device. To steal confidential information, criminals implant malicious code and gain access. In a worst-case scenario, an attacker can take control of a device like an infusion pump that injects drugs into the patient’s bloodstream. Ultimately, medjacking puts lives at risk.

Medical devices are the weakest point of entry and act as a backdoor. Gaining access to a single device opens up access to an entire network of devices and equipment. These can vary from wireless blood pressure cuffs sending data into EHRs, to MRI machines and surgical robots.

In such cases, it’s important to properly secure each device. What we mean here is using up-to-date hardware and software, ensuring strong network connectivity, and detecting security risks with AI. It can be smart to combine more than one type of access verification—for networks and for user access. RFID tags with BLE beacons can also protect assets from theft.


6 Actions to Ensure Cybersecurity for IoT in Healthcare

For effective IoT cybersecurity, protect each endpoint within the hospital walls and beyond. These include devices, gateways, cloud connections, and user access points. You’ll need strong IoT services on board. Here’s your checklist of common actions.

Action 1. Build with security in mind and keep technology updated

Build with a security-first approach, putting cybersecurity at the center of each decision. This also means you ensure security from the ground up and watch for threats later. In particular, consider implementing proper protection at hardware level and adding firmware update mechanisms. Pay attention to regular checks for security patches and bug fixes.

Action 2. Protect the cloud environment

Encryption, strong configuration, and multi-factor authentication will be helpful here. But you can do more and shift data processing towards the edge. With edge computing, data can be processed locally or on the nearest server using AI algorithms. This leads to faster overall speed and better security. 5G makes all this possible. As a result, you’ll be able to filter sensitive data at the source and send less over the network to the cloud.

Action 3. Secure network connections

Connecting devices to the network with Wi-Fi or Bluetooth is convenient. However, it also creates vulnerabilities. To reduce risks, protect data exchange between patient and hospital software. You can create extra security layers for broadband communications and have more than one type of verification. Examples of verification methods include security tokens, retina scans, and fingerprints. You can also prevent users from creating hackable passwords on the tech side.

Action 4. Apply network segmentation

Network segmentation means dividing security perimeters into small zones. This ensures separate access to different parts of the network. If there is a breach, the hacker reaches an individual segment, not the whole network. The segmentation also allows you to split traffic into internal and external. As a result, criminals won’t access the sensitive data of authorized users.
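One way to check that segmentation holds in practice is to compare observed traffic against a segment-to-segment allow-list. The following is an added example, not part of the original article; the subnets, zone names, ports and flow records are assumptions constructed for illustration.

```python
# Added example: audit observed flows against a segment-to-segment allow-list.
# Subnets, zone names, ports and flow records are constructed assumptions.
from ipaddress import ip_address, ip_network

ZONES = {
    "medical-devices": ip_network("10.10.0.0/16"),
    "ehr-servers": ip_network("10.20.0.0/24"),
    "guest-wifi": ip_network("10.99.0.0/16"),
}
# (source zone, destination zone, destination port) tuples that are permitted.
ALLOWED = {
    ("medical-devices", "ehr-servers", 2575),   # device data to the interface engine
    ("guest-wifi", "external", 443),            # guests may browse the web
}

def zone_of(addr: str) -> str:
    """Map an IP address to its segment; anything unlisted counts as external."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"

def audit_flows(flows):
    """Return (flow, reason) for each flow that crosses segments without a rule."""
    findings = []
    for src, dst, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone:
            continue   # intra-segment traffic is out of scope for this check
        if (src_zone, dst_zone, port) not in ALLOWED:
            reason = f"{src_zone} -> {dst_zone}:{port} not allowed"
            findings.append(((src, dst, port), reason))
    return findings

# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.10.4.17", "10.20.0.5", 2575),    # device reporting to EHR: allowed
    ("10.99.1.8", "10.10.4.17", 80),      # guest laptop reaching a device: violation
    ("10.10.4.17", "203.0.113.9", 443),   # device talking to the internet: violation
    ("10.10.4.17", "10.10.4.18", 5000),   # same segment: ignored
]

if __name__ == "__main__":
    for flow, reason in audit_flows(FLOWS):
        print(flow, reason)
```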


Action 5. Deploy OTA updates

With the OTA mechanism, you can update apps, configurations, and security patches “over the air”—through mobile or cellular networks. This means medical devices can remain on the market longer than those that are impossible to update remotely. With OTA, it’s easy to keep firmware and software up-to-date and secure. It’s also a good opportunity to fix bugs. In addition, OTA updates help you comply with changing regulations.

Action 6. Use AI techniques

ML algorithms and data analysis techniques can help companies protect systems from cyberattacks. In practice, AI is able to analyze a vast amount of data and identify security risks. AI makes it possible to see malware threats and potential phishing attacks. Moreover, AI can help you discover and prioritize risks and respond to threats immediately. This process can be automated.


Cybercriminals use malware, ransomware, and phishing attacks to access sensitive medical data. Healthcare providers and IoT companies lose money and damage their reputations as a result. To avoid this, you should protect each endpoint within the hospital walls and beyond. Endpoints include devices, gateways, connections, and user access points. You may need an experienced provider to help with this—and Softeq can be your company of choice.