Cybersecurity Report Finds ‘Healthcare Industry in Turmoil’

Researchers say hospitals rarely address the cyber threats to patient health.

A Feb. 23 report outlined a series of glaring hacking vulnerabilities in the healthcare industry and found critical security issues that could threaten patient health.

For the report, Independent Security Evaluators conducted a hands-on analysis of 12 healthcare facilities, two healthcare data facilities, two medical devices and two web applications over two years using a patient health-focused attack model.

Researchers found that remote adversaries like hackers “can easily deploy attacks that target and compromise patient health.” Campus Safety has already reported on incidents where hospitals were the victims of ransomware and medical devices were hacked.

The report identified several industry pitfalls and shortcomings, including lack of executive support, insufficient talent, improper implementations of technology, outdated understanding of adversaries, lack of leadership and a misguided reliance on compliance.

“One overarching finding of our research is that the industry focuses almost exclusively on the protection of patient health records, and rarely addresses threats to or the protection of patient health from a cyber threat perspective,” the report states.


The report also found that the cyber security measures hospitals use often only address unsophisticated adversaries and ignore motivations and strategies that would be used to target specific patients by actors like terrorists, organized crime groups and even countries.

To test the industry’s security, the researchers used different “attack anatomies” including (1) external attacks to manipulate active medical devices, (2) lobby attacks to manipulate medicines/bloodwork workflows, (3) electronic health record (EHR) system compromise to issue improper treatment and (4) USB stick used to gain network foothold and manipulate medicine distribution, among many other techniques.

Some of these vulnerabilities were the result of a lack of funding and training, while others were due to technical problems like vulnerable network designs. In many cases, the network’s security installations were inappropriate for hospitals or deployed incorrectly.

To illustrate the threats to patient health, the researchers developed the Patient Health Attack Model, which identifies three “attack surfaces” that have direct consequences for patient health. The surfaces are listed below.

Primary Attack Surfaces

  • Clinicians
  • Medicine
  • Active Medical Devices (AMD)
  • Surgery

Secondary Attack Surfaces

  • Patient Samples
  • Passive Medical Devices (PMD)
  • Electronic Health Records (EHR)
  • Test Results
  • Work Orders
  • Connected Power
  • Schedules
  • Inventory Systems
  • Sanitary Conditions
  • Procedure Precision
  • Time

Tertiary Attack Surfaces

  • Inventory Systems
  • Climate Controls
  • Environmental Controls
  • Physical Storage
  • Physical Transport
  • Barcode Scanners/Printers
  • Connected Power
  • Laboratory Equipment
  • Clinicians


About the Author

Zach Winn is a journalist living in the Boston area. He was previously a reporter for Wicked Local and graduated from Keene State College in 2014, earning a Bachelor’s Degree in journalism and minoring in political science.
