The shift to at-home care during the pandemic and aging medical devices are putting healthcare systems and patients at greater risk of cybersecurity hacks.

From pacemakers to insulin pumps, the global connected medical devices market was valued at $28.24 billion in 2020 and is likely to exceed $94 billion by 2026, according to market research firm Mordor Intelligence.

Each additional connected medical or internet of things device creates a larger target for cyberattacks, said Amy Chang, head of risk and response at Resilience Insurance, a cyber insurance policy provider that also offers cybersecurity consultation services. While there are no reported cases of medical devices being hacked, attacks on healthcare organizations in general are on the rise, with data breaches in the U.S. jumping to 758 in 2020 — of which 62% involved hacking — from 572 a year earlier, according to healthcare compliance analytics platform Protenus Inc.

"It's Pandora's box," said Jithesh Veetil, program director for data science and technology at public-private partnership Medical Device Innovation Consortium, which includes government bodies like the U.S. Food and Drug Administration as well as companies such as Abbott Laboratories and Johnson & Johnson. "Now we are adding elements of how a patient uses [these devices] and who has access to these devices when compared to a more controlled setting."

Healthcare data breaches are especially costly. The average cost of a single data breach within the healthcare industry rose 29.5% year over year to $9.23 million in 2021, giving it the highest average cost per incident for any sector, according to a July report from International Business Machines Corp. and the Ponemon Institute.

Healthcare IT decision-makers are more concerned about certain cybersecurity risks such as phishing and data privacy than their counterparts in finance and retail, according to a survey published in October by 451 Research. A lack of budget to beef up IT system defenses was also a concern for these healthcare respondents, who are charged with protecting personal health information under U.S. law.

"All industries have concerns about data breaches, but healthcare in particular has a regulated data problem around protected health information, or patient data," 451 principal research analyst Daniel Kennedy said. "Like financial services, the healthcare industry has been long regulated when it comes to information security concerns."

READ MORE: Stay informed on how technology is reshaping the future of your sector. Get the Next newsletter delivered to your inbox every Tuesday. Sign up here.

Hacking wheelchairs?

Defending healthcare data from these incursions depends on organizations' ability to assess their complex IT networks, including building barriers and regularly updating the software on devices used by patients or doctors. But these defenses come at a cost, with the healthcare and public health industry predicted to spend $18 billion on cybersecurity in 2021, the Health Sector Cybersecurity Coordination Center, a division of the U.S. Department of Health and Human Services, said in a March report.

With increased coverage and support from the federal government and health insurance companies like UnitedHealth Group Inc. and Aetna Inc., the COVID-19 pandemic pushed many medical care providers to embrace the potential of telehealth and remote patient monitoring devices to support patients from a distance. A 451 Research survey published in November showed that 82.3% of healthcare operational technology professionals had seen their organizations support remote monitoring deployments such as telehealth.

Researchers have proven that some connected medical devices can be manipulated by bad actors, which could prove fatal to a patient, MDIC's Veetil said. It is not only sophisticated medical devices connected to the internet, like connected blood pressure cuffs or CPAP machines for sleep apnea, that might pose a risk. Electronic devices that have a USB or service port — even if they are not on hospital networks — can be in danger from hackers.

"It can be as simple as a wheelchair which has got some kind of speed or electronic control," Veetil said. "What if somebody hacks and increases the acceleration uncontrollably?"

Medical device company Medtronic PLC, for example, recalled the remote controller for a range of its MiniMed insulin pumps in 2018 after realizing they were vulnerable to hackers who could, in theory, trigger an additional insulin dose, prompting the FDA to issue an alert. While Medtronic updated its recall in October 2021, a spokesperson for the company told Market Intelligence that it had received "no confirmed reports of a remote controller being manipulated in this manner."

'Nobody gets hurt'

It is unlikely a cyber adversary will hack a device in order to intentionally interfere with a patient's insulin dose or pacemaker, said Mac McMillan, CEO and co-founder of cybersecurity consulting firm CynergisTek Inc. Injuring or killing somebody by hacking their medical device will attract far more attention from law enforcement, for minimal gain.

Hackers are more likely to see greater benefit in disruptive attacks such as using a medical device as a jumping-off point to breach the company's network, McMillan said. Through this method of attack, criminals are able to extort more money from a health system by holding onto patient data or disrupting internet systems than they would by intentionally hurting people.

"It's one thing to hack into organizations and steal their data," McMillan said. "Nobody likes it, but nobody gets hurt."

Several high-profile cyberattacks have occurred since the pandemic began including a ransomware attack on the Irish health system in May.

Aging devices

Age can be a major vulnerability of medical devices. Some can have a lifespan of well over a decade, during which time software can go out of date and the companies may stop releasing patches to strengthen their security.

"If Microsoft has terminated patches and updates for Windows after 10 years in existence, who is going to patch or how are we going to manage that device, which has got another 10 to 15 years of life?" Veetil said. "The hospitals find it unjustifiable to change the device — it is a major capital investment."

Microsoft Corp. is aware of this issue for healthcare. Using its vast network of threat intelligence sources, the technology giant identified several dozen hospitals with vulnerable gateway and VPN appliances in their infrastructure. The company then sent out a targeted notification in early 2020 with important information about the vulnerabilities, along with a strong recommendation for security updates.

"Attackers often look to old security vulnerabilities they can abuse, so running the latest software helps users shore up those vulnerabilities and defend against the latest attack methods," a Microsoft spokesperson told Market Intelligence. "This is especially important for hospitals, where attacks can jeopardize crucial medical care."

Who is responsible?

The ultimate responsibility when a network is hacked via a medical device or some other means is situationally dependent, Resilience's Chang said. The fault could lie with hospitals that did not have proper safeguards in place or with a software developer that did not ensure adequate protection.

One of the most effective weapons in a healthcare system's cyber defense strategy is asset management — the process of keeping track of every IT-related device across an organization and assessing potential gaps in security such as outdated software.

Different pieces of a healthcare organization's IT landscape may have been added or removed over decades, meaning it can be difficult for a new IT manager to get to grips with the vast system.

"One of the first things that organizations fail to wrap their head around is having an understanding of what kind of tech ecosystem they're operating in," Chang said.

Divide to defend

As well as mitigation practices to prevent cyberattacks from occurring, healthcare providers also need to establish barriers to prevent hackers from reaching important data if they do get into the system, McMillan said.

Dividing the network into different parts — a process known as segmentation — is one way to do this. This method can be also deployed to reduce the risks from older medical devices being hacked, McMillan said.

Even segmenting outdated medical devices is an imperfect solution, 451's Kennedy said. Regardless of where these devices are in the network, they are still collecting sensitive patient information that may be vulnerable to hackers.

That means healthcare organizations need to prepare for the day when their system is compromised, McMillan said.

"With all these moving parts and all these connections and all of these things that you have to manage, you have to basically find all of the holes and plug them before the bad guys find just one," McMillan added. "If you stick around long enough and you're doing business, eventually something's going to make its way in."

451 Research is part of S&P Global Market Intelligence.