Medical Device Vulnerability

The Impact of Ransomware and the Vulnerability of Medical Devices

vulnerable devices

A recent survey of health delivery organizations conducted by the Ponemon Institute underscores the tangible clinical consequences associated with a ransomware attack. Overall, 43% of respondents said their organization has experienced a ransomware attack at some point, and 60% of those indicated that they paid the ransom. According to the authors, “respondents report that ransomware attacks had a significant impact on patient care, reporting longer length of stay (71% of respondents), delays in procedures and tests (70% of respondents), increase in patient transfers or facility diversions (65% of respondents) and an increase in complications from medical procedures (36%) and mortality rates (22%).”

Impact of ransomware Ponemon SEPT2021

Image source: “The Impact of Ransomware on Healthcare During COVID-19 and Beyond,” Ponemon Institute, September 2021


Although medical devices represent a significant area of vulnerability for hospitals and health systems (especially in the wake of the pandemic), a surprisingly limited number of respondents expressed high confidence that their organization is “effective” in knowing the location or age of all its medical devices.

Ponemon med devices 2 SEPT2021

Image source: Adapted from “The Impact of Ransomware on Healthcare During COVID-19 and Beyond,” Ponemon Institute, September 2021

[Note: callout box added by Impact Advisors for emphasis]


Why It Matters:

There is far more information in the survey than we can cover here in this space, so we highly recommend reading the full reportThe connection between a ransomware attack and adverse effects on patient care is obviously not surprising, but the scope of impact reported by hospitals and health systems speaks volumes. The fact that more than one in five respondents said they experienced an increase in mortality rate as a result of a ransomware attack should be a wake-up call for hospitals and health systems everywhere.

We think another alarming finding from the survey is the second chart above. A single hospital typically has thousands (in some cases even tens of thousands) of medical devices in their inventory, with potentially hundreds of different categories and subcategories of equipment – each with its own target refresh cycles, mix of vendors, and patient safety considerations.  Many of those devices – particularly older ones – may not have been originally designed with information security in mind. With the number of network-enabled medical devices rapidly increasing, concerns about the “nightmare scenario” of a cybercriminal hacking into a device directly connected to a patient are at an all-time high. Despite those well-founded fears, the second chart above underscores that there are still basic foundational issues that need to be resolved at many provider organizations. Put bluntly, there is only so much risk that can be mitigated from an information security perspective if a hospital or health system doesn’t know the location or age of all the medical devices it owns.

Effective management of medical devices – whether responding to FDA recalls, accurately forecasting budget needs, or protecting against rapidly evolving cyber threats – requires a comprehensive, real-time enterprise device inventory that can fuel proactive, analytics-driven processes and provide an accurate depiction of overall risk. 


Related Reading:

Why Supply Chain Security Matters
Ransomware Protection Best Practices


This article was originally published in Impact Advisors’ digital newsletter: The Impact Advisor 4Q2021.