Medical IoT - Time to Step Up Cybersecurity Measures

Why it's important to invest in cybersecurity for medical devices



A new report from the Healthcare and Public Health Sector Coordinating Council (HSCC) states that it is time to step up the approach to securing medical devices. Cybersecurity has been ranked the number one priority investment across European healthcare providers.

The ClearWater CyberIntelligence Institute has revealed the most common security risks in healthcare:

  • User Authentication Deficiencies
  • Endpoint Leakage
  • Excessive User Permissions

These vulnerabilities account for 37% of all high-risk scenarios in the healthcare industry.

A major obstacle to protecting medical devices is the lack of investment in cybersecurity. Decision-makers in organisations are often not cybersecurity experts, so they are unaware of the potential risks despite witnessing numerous sophisticated cybersecurity attacks such as WannaCry on the NHS in 2017. This leaves the IoT healthcare market critically fragmented and exposed to potential risks. CIOs, CISOs and other influencers within an organisation therefore have a responsibility to thoroughly explain the implications of inadequate cybersecurity.

Medical IoT devices such as pacemakers and drug infusion pumps (devices which are run by computers) have been found to have major vulnerabilities that would allow an individual to take control of them, delivering an adverse amount of insulin to a patient or disrupting heart rhythms in a way that can cause harm or potentially be fatal.

These devices can create alarming situations, and with a lack of resources, knowledge and investment, organisations are becoming potential targets for dangerous cybercriminals. Medical devices store a compelling amount of private and confidential patient health information (PHI), which hackers regard as invaluable because it can be sold on after gaining access to just a single device. It is therefore of the utmost importance for an organisation to keep this type of information safe and secure.


The report, "The Medical Device and Health IT Joint Security Plan (JSP)", states:

"Software-based medical technologies have the potential to positively impact patient care. However, as these products become more connected, product cybersecurity becomes increasingly important as there is the potential for patient harm and disruption of care if products or clinical operations become impacted because of a cybersecurity concern."

CIOs and CISOs need to intensify and expand processes and protocols to ensure that all minor and critical vulnerabilities are patched and that the right steps are taken to safeguard patients and their confidential information. Healthcare providers willing to invest in IoT should be equally willing to invest in security measures and in establishing a substantial framework of policies to manage potential risks. Security is usually an afterthought, so as the market for connected products grows, cybersecurity measures will need to be tightened and become a priority.

Countermeasures and defenses are available from SSL247. Our CREST-accredited Penetration Testers aim to identify these defects before they turn into exploitable threats. Penetration testing allows you to determine the resistance of your computer system, network or organisation against real attacks. With different pentests available, SSL247 can determine the best solution to solve your problems and meet your needs.

Watch our live-hacking demonstration of medical IoT and countermeasures, performed by our Lead pentester, Loic Castel, on our YouTube channel.

For more information about Penetration Testing, simply get in touch with one of our friendly accredited consultants.

Posted on Friday 03 January 2020 by Sayeeda Miah
