Internet-Connected Medical Devices Expose Healthcare Systems to Cyberattacks, Study Shows

Healthcare organizations worldwide face growing security risks from widespread exposure of internet-connected medical devices and platforms, according to new research. A recently published report by cybersecurity firm Censys ("The Global State of Internet of Healthcare Things (IoHT) Exposures on Public-Facing Networks") identifies more than 14,000 IP addresses that publicly expose critical healthcare systems, throwing a spotlight on vulnerabilities that could lead to unauthorized access, service disruptions, and data theft.

Healthcare remains the most targeted sector for cyberattacks, with breaches resulting in high financial losses and severe disruptions to patient care. The healthcare and public health sector is the top target for ransomware attacks, according to the FBI’s 2023 Internet Crime Report. The Censys report emphasizes that exposure of systems like medical imaging platforms and electronic health records (EHRs) to the public internet could enable malicious actors to access sensitive data and cripple healthcare services.

According to Censys, the U.S. leads the world in healthcare system exposures, accounting for nearly half (6,884) of all public-facing hosts, followed by India (10.5%). The decentralized nature of healthcare infrastructure in both countries likely contributes to these high exposure levels. Conversely, the United Kingdom—known for its centralized National Health Service (NHS)—showed only 200 exposed systems, according to researchers.

The report identifies two major exposure types:

  • DICOM Servers: 5,100 hosts expose DICOM, a legacy protocol used to transmit medical images. These servers often lack adequate access controls, making them susceptible to data tampering and malware injection.
  • EMR/EHR Systems: 4,031 instances of publicly accessible login portals could provide attackers with access to patient data, including medical histories, Social Security numbers, and clinical results.

The DICOM protocol—accounting for 36% of the exposures—poses particular risks due to outdated security standards. Researchers from Cylera previously demonstrated how malware could be hidden within DICOM files, complicating detection and potentially giving the malware inadvertent HIPAA protection. The persistence of these issues suggests that radiology practices prioritize accessibility over security, leaving critical systems exposed.

"It is important to note that our research focuses on exposures rather than vulnerabilities," said Censys security researcher Himaja Motheram in a blog post. "While an exposed device is not inherently vulnerable, its presence on the public internet increases the attack surface of any sensitive medical data it interfaces with and increases the potential for exploitation."

The report recalls February 2024’s ransomware attack on Change Healthcare, one of the largest healthcare payment processors. The ALPHV/BlackCat ransomware gang infiltrated the company’s systems, stealing 6 TB of patient data and demanding $22 million in ransom. Although Change Healthcare paid the ransom, the stolen data still appeared on the dark web, and the incident crippled smaller clinics and delayed patient reimbursements.

"While data breach attack vectors vary, a recurring weakness that makes breaches more likely is the exposure of devices to the public internet when it’s unnecessary," Motheram noted, "especially those that protect sensitive health data. Systems like medical imaging devices and electronic health records, when exposed online without safeguards such as firewalls or VPNs, become much easier targets for attackers. Basic security lapses, including weak credentials, unencrypted connections, or misconfigured permissions, can easily lead to unauthorized access and exploitation."

Open-source solutions such as OHIF Viewer and Orthanc Explorer accounted for most of the exposed DICOM interfaces, often configured with default or weak settings, according to the report. Similarly, EHR platforms—including widely used systems like Epic—remain vulnerable. While these portals are designed for web access, poor security implementations leave them exposed to brute-force attacks or credential theft.

The report found that many healthcare systems are hosted on major cloud providers, such as AWS and Microsoft Azure, but smaller clinics often rely on consumer-grade ISPs such as Comcast and Airtel. "The use of residential ISPs for hosting critical infrastructure instead of more secure enterprise or cloud networks raises questions about the level of security and IT infrastructure in these setups," the report noted.

Healthcare providers must implement stronger security protocols, including multi-factor authentication (MFA) and firewall protection for internet-facing systems. Given the increased targeting of healthcare data, organizations must continuously monitor and secure their external attack surfaces, the report urges.

With healthcare organizations under constant cyber pressure, experts warn that IoHT exposure is a ticking time bomb. "The stakes are not just financial," the report observes. "Lives depend on the integrity and security of healthcare systems. It is imperative that policymakers, providers, and vendors act swiftly to address these vulnerabilities."

About the Author

John K. Waters is the editor in chief of a number of Converge360.com sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS.
