Whether you refer to it as “MIoT” or “IoMT,” the medical side (the “M” there) of the ever-evolving Internet of Things is, for many folks, as fascinating as it is concerning, at times. On one hand, introducing smart-enabled technologies into the world of medicine has already been massively beneficial; one Grand View Research report estimated that the market size for healthcare IoT was valued at $252.1 billion last year (with a CAGR of 16.8% from 2023 to 2030). The number of people (and even animals, in terms of vet care) that are being helped – and the professionals that are doing the helping – is undeniable and merits recognition and further study.
So too, however, does the other hand of this discussion; the concerns. Developing real-time security measures that reliably protect patients, clinicians and devices is highly intricate. Safe, high-performance medical tech that is both accessible and guaranteed to be secure is the subject of many current discussions. Multiprotocol devices (e.g. from remote patient monitoring to connected inhalers, ingestible sensors, disease tracking and more) run the risk of being hacked by bad actors, and preventable faults during a manufacturing process can negatively impact those involved in patient health.
In these veins (multiple puns intended here, for levity’s sake), Asimily is a provider of IoMT cybersecurity solutions, and of a risk management platform tailored to the needs of smart healthcare. In its latest (and newly available) report that is titled “Total Cost of Ownership Analysis on Connected Device Cybersecurity Risk,” Asimily focuses its angle on risk remediation technology and what healthcare organizations are up against in our digital-everything world.
The full report (available here) highlights cybersecurity challenges healthcare delivery organizations (HDOs) are facing and the “true costs” of their IoT/IoMT security risks:
- Emerging cybersecurity trends and challenges: Top cyber-attack strategies impacting HDO medical devices include ransomware attacks that spread to devices and disrupt services, third-party-introduced malware that hits device performance, and devices communicating with unknown IP addresses, thus resulting in remote breaches. Attacks on healthcare providers have become remarkably common, according to Asimily; the average HDO experienced 43 attacks in the last 12 months. Sadly, many of them were successful, with 44% of HDOs suffering a data breach caused by a third party since 2022.
- “The High Cost of Doing Nothing”: For HDOs, today’s high-failure status quo is a cold recipe for catastrophe. Cyberattacks cost HDOs an average of $10,100,000 per incident. Worse, cyber incidents are directly responsible for a 20% increase in patient mortality. 64% of HDOs also reported suffering from operational delays; 59% had longer patient stays due to cybersecurity incidents, for example. Such financial and operational issues are pushing HDOs to the brink. (i.e. the average hospital operating margin sits at 1.4% in 2023) Currently, more than 600 rural U.S. hospitals risk closure, and environments where a single attack could put smaller HDOs out of business are neither safe nor sustainable.
- Poor device health leads to poor outcomes. HDO security and IT teams face a high-risk environment where the average medical device has 6.2 vulnerabilities. More than 40% of medical devices are near end-of-life and poorly supported (or unsupported) by manufacturers, as well. Not good.
- Cybersecurity resources and staffing are limited. Even when critical device vulnerabilities are recognized, HDO security teams are able to fix only 5%-20% of known vulnerabilities each month. That, worded bluntly, is less than all of them; while no one expects perfection, healthcare demands must meet modernization before more individuals are found in harm’s way.
- Cyber insurance may no longer be enough: Ransomware attacks and breaches have skyrocketed in recent years, and cyber-liability insurers that only introduce coverage limits and capped payouts make it a less effective recourse for HDOs. At the same time, cyber insurance also still fails to address costly reputational damages an HDO suffers following a breach. That, too, can’t be overlooked.
Overall, Asimily points out how HDOs have a very low tolerance (i.e. myriad reasons) for service interruptions to life-saving, network-connected devices and equipment. Patient outcomes and quality of care must be upheld as times change and new tech holds the potential not just for improvements to healthcare, but also the portent of exploitations, operational or otherwise.
Edited by
Greg Tavarez
