Armis identifies riskiest medical IoT devices

  • April 26, 2023
  • Steve Rogerson

Asset visibility and security company Armis has identified the top connected medical and IoT devices that are exposed to malicious activity in clinical environments.

Data analysed from the Armis Asset Intelligence & Security Platform, which tracks over three billion assets, found nurse call systems to be the riskiest IoMT device, followed by infusion pumps and medication dispensing systems.

When looking at IoT devices, IP cameras, printers and voice over internet protocol (VoIP) devices top the list.

By 2026 smart hospitals are expected to deploy over seven million IoMT devices, doubling the amount from 2021. Medical and non-medical devices are increasingly connected, automatically feeding patient data from monitoring devices into electronic records. These connections and communications within a medical environment help improve patient care but also make it increasingly vulnerable to cyber attacks, which could result in the interruption of patient care.

Upon an analysis of the data from all connected medical and IoT devices on the Armis Asset Intelligence & Security Platform, several conclusions were drawn:

  • Nurse call systems are the riskiest connected medical device, with 39% of them having critical severity unpatched common vulnerabilities and exposures (CVEs) and almost half (48%) having unpatched CVEs.
  • Infusion pumps are second, with 27% having critical severity unpatched CVEs and 30% having unpatched CVEs.
  • Medication dispensing systems are in third place, with 4% having critical severity unpatched CVEs, but 86% having unpatched CVEs. Moreover, 32% run on unsupported Windows versions.
  • Almost one in five (19%) connected medical devices are running unsupported OS versions.
  • More than half of IP cameras monitored in clinical environments have critical severity unpatched CVEs (56%) and unpatched CVEs (59%), making it the riskiest IoT device.
  • Printers are the second riskiest IoT device in clinical environments, with 37% having unpatched CVEs, and 30% having critical severity unpatched CVEs.
  • VoIP devices are in third place. Although 53% of them have unpatched CVEs, only 2% have critical severity unpatched CVEs.

“These numbers are a strong indicator of the challenges faced by healthcare organisations globally,” said Mohammad Waqas, principal architect for healthcare at Armis. “Advances in technology are essential to improve the speed and quality of care delivery as the industry is challenged with a shortage of care providers, but with increasingly connected care comes a bigger attack surface. Protecting every type of connected device, medical, IoT, even the building management systems, with full visibility and continuous contextualised monitoring is a key element to ensuring patient safety.”

Armis secures medical assets and patient care environments in some of the largest healthcare delivery organisations around the world.

“Armis appeared to be a good alternative for us because it immediately provided us with visibility into what devices were plugging into the network,” said Brian Schultz, director of network operations and security at Burke Rehabilitation Hospital. “It shows us how they are interacting with each other, creates alerts based on observed behaviour and enforces firewall rules based on those alerts.”

Armis defined the riskiest device types by looking at all connected medical and IoT devices on the Armis Asset Intelligence & Security Platform and identifying which types have the highest percentage of devices with unpatched critical severity CVEs.

Armis is a privately held company and headquartered in California.