Scary numbers out of the US show hospitals are wide open to cyberattacks including ones using medical devices impacting patient health.
Cyber-physical systems protection company Claroty has released a new report which exposes four major vulnerabilities common in hospital networks and organisations, including Australian ones.
Presenting at the gigantic HIMSS24 conference in Orlando, Florida this week, Claroty’s research team offered up its State of CPS Security Report.
The US Cybersecurity and Infrastructure Security Agency maintains a catalogue of “known exploited vulnerabilities” (KEVs) to help organisations stay ahead of breaches and hacks.
The Claroty report found that 63% of CISA-tracked KEVs were present on hospital networks, and that 23% of medical devices — including imaging devices, clinical IoT devices (nonstandard computing hardware such as sensors, actuators or appliances that connect wirelessly to a network and can transmit data), and surgery devices — have at least one KEV.
Key findings from the report include the four major vulnerabilities present in hospitals’ online networks.
Guest network exposure: 22% of hospitals have connected devices that bridge guest networks—which provide patients and visitors with WiFi access—and internal networks. This creates a dangerous attack vector, as an attacker can quickly find and target assets on the public WiFi, and leverage that access as a bridge to the internal networks where patient care devices reside. A shocking 4% of surgical devices—critical equipment that if they fail could negatively impact patient care—communicate on guest networks.
Unsupported or end-of-life operating systems: 14% of connected medical devices are running on unsupported or end-of-life OSs. Of the unsupported devices, 32% are imaging devices, including x-ray and MRI systems, and 7% are surgical devices.
High probability of exploitation: The report examined devices with high “exploit prediction scoring system (EPSS) scores, which represent the probability that a software vulnerability will be exploited in the wild on a scale of 0-100. Analysis showed that 11% of patient devices, such as infusion pumps, and 10% of surgical devices contain vulnerabilities with high EPSS scores. When looking at devices with unsupported OSs, 85% of surgical devices in that category have high EPSS scores.
Remotely accessible devices: Those with a high consequence of failure, including defibrillators, robotic surgery systems, and defibrillator gateways, are among this group – 66% of imaging devices, 54% of surgical devices, and 40% of patient devices are remotely accessible.
“Connectivity has spurred big changes in hospital networks, creating dramatic improvements in patient care with doctors able to remotely diagnose, prescribe, and treat with a never-before-seen efficiency,” said Amir Preminger, vice president of research at Claroty.
“However, the increase in connectivity requires proper network architecture and an understanding of the exposure to attackers that it introduces.
“Healthcare organisations and their security partners must develop policies and strategies that stress the need for resilient medical devices and systems that can withstand intrusions. This includes secure remote access, prioritising risk management, and implementing segmentation.”
Infrastructure update
In Victoria:
- Northern Health will receive $2.6 million from the latest round of the Metropolitan Health Infrastructure Fund to deliver critical structure upgrades to Broadmeadows Hospital. Sections of the roof will be replaced and repair works to ceilings and walls completed. Flooring and carpets will also be replaced with lights and associated electrical systems upgraded.
- Northern Health will also receive $250,000 towards the future surgical theatre upgrades at the Northern Hospital in Epping – supporting design of improvements to reduce infection risk.
- Sunbury Cobaw Community Health Centre will get more than $150,000 from the MHIF to install solar panels and update important dental and kitchen equipment. Access to dental care will also be enhanced, with the money helping to upgrade and replace important dental equipment and facilities.
- Construction is now underway on a new Youth Prevention and Recovery Care centre in Traralgon which will deliver 24-hour care to those aged 16-25 experiencing mental health challenges or psychological distress, once it opens in 2025. Complete with 10 bedrooms with ensuite bathrooms, it will also include a communal kitchen, dining and living areas, and outdoor areas. The project is a partnership between the Victorian Health Building Authority, Latrobe Regional Health and builder McCorkell Constructions.
In NSW:
- Early site works for the new Shellharbour Hospital are nearing completion. The hospital will feature an expanded emergency department, increased surgical capacity, and services for rehabilitation, aged care, acute medical, mental health, drug and alcohol unit, renal dialysis, and outpatients care, alongside improved parking and public transport links. Funding for the project includes $570.6 million from the NSW government, with an additional $23.3 million for a new car park, and $128 million from the Australian Government.
- The project is part of the Shellharbour Hospital and Integrated Services project which includes recently completed refurbishments at Wollongong and Bulli Hospitals. Planning is underway for a new community health centre to be delivered in Warrawong, on a section of the old Port Kembla Hospital site.
In Queensland:
- The $710 million expansion project of the Ipswich Hospital has progressed to Stage 2, which will see the construction of a purpose-built, multi-story acute services building, including 200 new beds, a new and expanded ED, additional operating theatres, satellite medical imaging service, central sterilisation service, back-of-house services, and shell spaces for future development. Early works on Stage 2 will begin in April, and the project is slated for completing in late 2027.
- The $16.5 million expansion to Robina Hospital on the Gold Coast has been completed, adding 20 ED treatment spaces for a total of 66. Works also include additional staff workstations and a new location for the transfer unit. Recruitment of 126 full-time employees, including doctors, nurses, pharmacists and allied health professionals is underway.
Katherine Hospital welcomes new nurses and midwives
New graduates have started working at Katherine Hospital in the Northern Territory as part of the Big Rivers Region nursing and midwifery workforce.
The graduates have finished their orientation and commenced rotations at Katherine Hospital, adding five registered nurses, one registered midwife and one enrolled nurse to the workforce.
The registered nurses and midwife are some of the 82 graduates who commenced so far this year in hospitals across the NT.
From this year onwards the application portal for the NT Health Graduate Nursing and Midwifery Program will be accessible year-round to allow for ongoing recruitment and offer support to applicants studying within Australia who are visa-holders.
This change provides a pathway to employment for those already living and studying in Australia and will result in additional nursing and midwifery graduates employed across NT Health hospitals.
