The Deloitte survey was conducted among 24 hospitals in nine countries in EMEA. It found that over half of the hospitals surveyed used standard passwords (i.e. factory default settings) to secure their equipment. Almost half of the surveyed hospitals also did not know whether their equipment would comply with forthcoming privacy legislation (for example the EU General Data Protection Regulation, which is due to replace the current rules from 2018). Only a fifth stated that the majority of their devices use secure network connections to ensure the reliability and confidentiality of data.
Computer viruses and malware can compromise patients’ treatment and privacy. The survey revealed that three of the hospitals interviewed had experienced problems with malware during the previous year. “Trends in the USA involving ransomware and medical devices also show we need to remain continually alert,” says Jeroen Slobbe, Deloitte’s cybersecurity expert.
According to the Institute for Critical Infrastructure Technology, IoT applications such as those used in hospitals are vulnerable to hacking. One possible scenario is the use of ransomware to extort hospitals and other medical institutions, threatening to shut down equipment such as pacemakers and insulin pumps unless a certain sum of money is paid.
No blind panic yet
Slobbe states that there is no reason for blind panic yet. Not using these connected medical devices represents a bigger risk to patient health than using equipment that contains vulnerabilities. But these vulnerabilities can be reduced, and with them the risks to patients.
If the cybersecurity of medical equipment is to improve, Deloitte believes it is important to make a designated individual responsible for the security of ICT and medical technology, working from an explicit policy for protecting these devices. Network segregation, monitoring and physical access controls can also improve equipment security, while privacy and security should be factored into the design of new healthcare technology innovations from the start.
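The three findings the survey reports (factory-default passwords, devices whose compliance status is unknown, and connections that are not encrypted) and the network segregation the article recommends can all be expressed as checks over a device inventory. The following is an added example, not code from Deloitte or from the article: it audits a constructed inventory of hospital devices and flags each device that still uses default credentials, speaks an unencrypted protocol, or sits outside an assumed segregated medical-device network. The credential list, protocol names, device records and the 10.50.0.0/16 segment are all assumptions made for the example.

```python
"""Audit a constructed hospital device inventory against the controls the
survey and the article's recommendations highlight. Added example; the
inventory, default-credential list and network segment are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Device:
    name: str
    ip: str
    username: str
    password: str
    protocol: str   # e.g. "https", "http", "telnet", "dicom-tls", "dicom"


# Assumed factory-default credential pairs; a real audit would be driven by
# vendor documentation and the hospital's own asset register.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("service", "service"),
}

# Assumed set of protocols that protect data in transit.
ENCRYPTED_PROTOCOLS = {"https", "ssh", "dicom-tls", "hl7-tls"}

# Assumed segregated VLAN reserved for medical devices.
MEDICAL_SEGMENT = ip_network("10.50.0.0/16")


def audit_device(dev: Device) -> list:
    """Return the list of control failures for one device (empty if clean)."""
    findings = []
    if (dev.username, dev.password) in DEFAULT_CREDENTIALS:
        findings.append("default-credentials")
    if dev.protocol not in ENCRYPTED_PROTOCOLS:
        findings.append("unencrypted-connection")
    if ip_address(dev.ip) not in MEDICAL_SEGMENT:
        findings.append("outside-medical-segment")
    return findings


def audit_inventory(devices: list) -> dict:
    """Map each device name to its list of findings."""
    return {d.name: audit_device(d) for d in devices}


def summarize(report: dict) -> dict:
    """Count devices and how many fail each control, for a management summary."""
    summary = {"devices": len(report), "non_compliant": 0}
    for findings in report.values():
        if findings:
            summary["non_compliant"] += 1
        for f in findings:
            summary[f] = summary.get(f, 0) + 1
    return summary


# Constructed sample inventory (not real devices or real credentials).
SAMPLE_INVENTORY = [
    Device("infusion-pump-01", "10.50.3.11", "admin", "admin", "http"),
    Device("mri-console-01", "10.50.7.2", "radiology", "Xk9!vQ2#pL", "https"),
    Device("patient-monitor-04", "192.168.1.20", "service", "service", "telnet"),
    Device("pacs-archive", "10.50.1.5", "pacs", "T7r$mN4@wZ", "dicom-tls"),
]


if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY)
    for name, findings in report.items():
        status = ", ".join(findings) if findings else "ok"
        print(f"{name:20s} {status}")
    print(summarize(report))
```

Run as a script it prints one line per device plus the summary; in practice the inventory would be exported from the hospital's asset register and the default-credential list maintained per vendor, with the report feeding the designated security owner the article calls for.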