Forescout today published the “Unveiling the Persistent Risks of Connected Medical Devices” report. Building on “The Riskiest Connected Devices in 2024” report from June, this research analyses more than 2 million devices across 45 healthcare delivery organisations (HDOs) during the last week of May 2024. The findings reveal a growing risk from connected medical devices, with the most vulnerable listed as Digital Imaging and Communications in Medicine (DICOM) workstations and Picture Archiving and Communication Systems (PACS), pump controllers and medical information systems.

Hacking remains the top cause of data breaches, with 595 hacking incidents reported to the U.S. Department of Health and Human Services in 2023, an average of 1.6 data breaches per day on healthcare institutions. The new Forescout Research – Vedere Labs research identifies 162 vulnerabilities affecting Internet of medical things (IoMT) devices. Most often, cybercriminal attacks on connected medical devices aim to steal sensitive patient data, including personally identifiable information and medical and treatment history. In worst case scenarios, attacks can disrupt healthcare operations and pose direct threats to patient safety.

“The increasing prevalence of IoMT devices has introduced new cybersecurity risks, and cybercriminals are taking advantage to exploit vulnerabilities for financial gain through ransom payments or the sale of patient data on the dark web,” said Barry Mainz, Forescout CEO. “These devices may be 10 years old or more and you can’t secure them the same way you would more modern devices. Once they’ve been deployed it’s very difficult to update or patch the software, and that’s why they continue to be a prime target for cybercriminals.”

Forescout research key findings include:

• The top 3 riskiest devices are critical to HDOs: DICOM workstations and PACS (32% critical unpatched vulnerabilities), pump controllers (26% critical unpatched vulnerabilities and 20% with extreme exploitability), and medical information systems (18% critical unpatched vulnerabilities) are the most at-risk medical devices and could lead to remote denial of service, information disclosure or remote code execution.
• Cybercriminals increase attacks against DICOM servers: Many organisations use unencrypted communications, allowing attackers to obtain or tamper with medical images from DICOMs, including to spread malware. From August 2022 to May 2024, exposed DICOM servers increased by 27.5%. From a honeypot running from May 2023 – May 2024, Forescout observed 1.6 million attacks on these servers, averaging one attack every 20 seconds. While most attacks are scans and automated attempts to exploit standard services such as HTTP, some aim to steal sensitive patient data.
• Windows systems are at risk: Half of the top 10 vulnerabilities are critical flaws in Windows systems that can lead to a full takeover of a device via remote code execution and could be exploited by malware if medical devices are online or connected to compromised networks.
• Devices lack anti-malware protection: Although 52% of IoMT devices are running Windows software, only 10% of all IoMT are actively running anti-malware. This is likely due to software and certification restrictions for embedded devices, making endpoint protection more challenging and highlighting the need for stronger network security.

“Healthcare organisations will continue to face challenges with medical devices using legacy or non-standard systems,” said Daniel dos Santos, Head of Security Research at Forescout Research – Vedere Labs. “A single weak point can open the door to sensitive patient data. That’s why identifying and classifying assets, mapping network flow of communications, segmenting networks, and continuous monitoring are essential to securing growing healthcare networks.”