New research from Armis, an asset visibility and security company, has revealed that nurse call systems are the most at risk of malicious activity in clinical environments, followed by infusion pumps and medication dispensing systems.

According to a study last year from Juniper Research, smart hospitals are expected to deploy over seven million Internet of Medical Things (IoMT) devices by 2026, double the number available in 2021. While connected devices in a medical environment are improving patient care, their vulnerability to cyberattacks means that patient care could be interrupted.

Analysis of data from the Armis Asset Intelligence and Security Platform revealed:

  • Nurse call systems are the riskiest connected medical device, with 39% having critical severity unpatched Common Vulnerabilities and Exposures (CVEs), and 48% having unpatched CVEs.
  • 27% of infusion pumps have critical severity CVEs, and 30% have unpatched CVEs.
  • Although medication dispensing systems have critical severity unpatched CVEs in just 4% of devices, 86% have unpatched CVEs. In addition, 32% of them are running on unsupported OS versions.
  • 19% of connected medical devices are running unsupported OS versions.
  • 56% of IP cameras in clinical environments have critical severity unpatched CVEs, with 59% having unpatched CVEs.

Mohammad Waqas, principal solutions architect for healthcare at Armis, said: “These numbers are a strong indicator of the challenges faced by healthcare organisations globally.

“Advances in technology are essential to improve the speed and quality of care delivery as the industry is challenged with a shortage of care providers, but with increasingly connected care comes a bigger attack surface.

“Protecting every type of connected device, medical, IoT, even the building management systems, with full visibility and continuous contextualised monitoring is a key element to ensuring patient safety.”

A number of cyberattacks have severely affected NHS services in the past, including 2022’s Advanced attack and the infamous 2017 WannaCry attack. This month a new Advisory Council made up of world leaders in cybersecurity has been formed to help share insights and drive innovation to tackle the security challenges the healthcare sector is facing.