Minimising the cyber risks unique to hospitals

Cyber risk in health continues to grow, with more and more attacks being reported. Attacks can cause disruption to mission critical services, loss of data, and breaches of privacy, but unique to hospitals are the risks to our patients and staff arising due to the co-existence of medical devices on modern unified and shared network infrastructure.

US-based not-for-profit, the ECRI Institute, listed cybersecurity attacks at the top of the list of hazards for 2022 due to the large volume of connected devices in hospitals, both medical and non-medical. Cyber vulnerabilities are published frequently by manufacturers and vendors of software, building control systems, and Internet of Things (IoT) and medical devices, that require corrective action ranging from software patching through to replacement or isolation.

Complications of undefined responsibility

Added complexity arises due to undefined responsibility for asset management, monitoring sources of vulnerability alerts, and remediation across all disciplines. Hospital IT Departments often purposely exclude active management of networked building control systems and medical devices on the assumption that these will be appropriately managed by others, often the vendor or service provider. The real risk is not knowing what you don’t know.

It is unrealistic to expect to maintain, without an automated discovery tool, a level of detail in the asset database that accounts for every connected device’s relevant connectivity attributes, including location, operating system, version, vulnerabilities, IP address, and MAC address.

Cabrini Health is a Catholic, not-for-profit private health service located in the south-east of Melbourne, Australia. Inspired by the mission and ethic of care of the Cabrini Sisters, it has provided care to its community for over 70 years. With hospitals in Malvern, Brighton, and Elsternwick, it offers a comprehensive range of acute, rehabilitation, palliative care, mental health, and homecare services.

At Cabrini Health there are 27,683 connected devices that have recently been seen across the corporate and guest networks, of which only 2,845 are medical (see Figure 1). Of these, 11,516 are identified as high-risk due to unmanaged vulnerabilities, while 275 devices are identified as operational technology (OT), which includes items such as building access controllers.

It is not until an inventory is built that the magnitude of the issue becomes apparent. Compared with many public hospitals, Cabrini is far more basic, as it does not have an electronic medical record that requires many devices to be networked, and some legacy connected equipment cannot be seen by discovery tools, because it is on physically segregated networks.

Prioritisation and location are key

Resources are always limited, so risk stratification is an important way to allow prioritisation of an ongoing programme of work. It is also worth noting that high-level controls, such as VLAN segregation and firewalls, can provide a safe zone for devices identified as high-risk which cannot be hardened, or which are no longer supported by the vendor, a situation that is very common in building control systems and medical devices. Asset location visibility is not only useful for management personnel, but also for containing an attack; this, however, becomes difficult at scale, especially if departments and individuals add new IoT and IoMT devices to your network without your knowledge. This shadow IT challenge can turn ugly if any of these devices have default passwords or lax security. Without you knowing they have entered your environment, there is no way to secure them appropriately.
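
To make the risk stratification concrete, here is an added example (not code from the article or from Cabrini Health) that tiers a constructed device inventory and maps each device to the action the paragraph above describes: patch where the site can, isolate behind VLAN segregation and firewalls (or replace) where the device cannot be hardened or is no longer vendor-supported, and register shadow devices before anything else. The field names, thresholds, category ordering and sample devices are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Device:
    """One discovered device; every field is an assumed inventory attribute."""
    name: str
    category: str          # "medical", "ot", "iot" or "it"
    os_supported: bool     # vendor still issues patches for the operating system
    patchable: bool        # the site (or its vendor contract) can actually apply patches
    max_cvss: float        # highest unpatched CVE score, 0.0 when none is known
    in_register: bool = True     # False = seen by discovery but not in the asset register
    default_creds: bool = False  # still using the manufacturer's default credentials


def risk_tier(d: Device) -> str:
    """High / medium / low, derived from exposure rather than device type alone."""
    if d.default_creds or d.max_cvss >= 9.0 or (not d.os_supported and d.max_cvss >= 7.0):
        return "high"
    if d.max_cvss >= 7.0 or not d.os_supported or not d.in_register:
        return "medium"
    return "low"


def action(d: Device) -> str:
    """Remediation path for one device; checks are applied in this order."""
    if not d.in_register:
        return "register"            # shadow IT: you cannot secure what you cannot see
    if d.default_creds:
        return "change-credentials"
    if d.max_cvss == 0.0 and d.os_supported:
        return "monitor"
    if d.patchable and d.os_supported:
        return "patch"
    return "isolate"                 # safe zone: own VLAN plus firewall, or replace


# Patient-impacting equipment is worked first within a tier (assumed ordering).
CATEGORY_RANK = {"medical": 0, "ot": 1, "iot": 2, "it": 3}
TIER_RANK = {"high": 0, "medium": 1, "low": 2}


def work_list(devices):
    """Device names ordered by tier, then patient impact, then CVE severity."""
    ordered = sorted(
        devices,
        key=lambda d: (TIER_RANK[risk_tier(d)], CATEGORY_RANK[d.category], -d.max_cvss),
    )
    return [d.name for d in ordered]


def summary(devices):
    """Counts per tier, per action, and high-risk devices per category."""
    return {
        "tiers": Counter(risk_tier(d) for d in devices),
        "actions": Counter(action(d) for d in devices),
        "high_by_category": Counter(d.category for d in devices if risk_tier(d) == "high"),
    }


# Constructed sample inventory: names, scores and states are made up.
SAMPLE = [
    Device("nurse-call-srv", "medical", True, True, 9.8),
    Device("infusion-pump-12", "medical", False, False, 7.5),
    Device("lift-controller", "ot", True, False, 5.3, default_creds=True),
    Device("hvac-bms", "ot", False, False, 4.0),
    Device("ip-camera-ward3", "iot", True, True, 7.2, in_register=False),
    Device("staff-laptop-07", "it", True, True, 0.0),
]

if __name__ == "__main__":
    for name in work_list(SAMPLE):
        print(name)
    print(summary(SAMPLE))
```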

The location of fixed devices can be managed through a variety of different tools, but typically an asset management software tool can include location information and port numbers. In this way cross-referencing can be used to determine the location of the device if the switch port and patching information are available. Tracking down mobile equipment can be a challenging task, but standard network tools can be used to assist. The diagram in Figure 2 depicts wireless mobile devices found using a common wireless location device.

Hackers don’t need complicated methods for obtaining access to hospital systems. For example, remote access systems are used routinely in hospitals to give vendors access for technical support. This method of entry into a hospital system is seen as a common target because — by nature — this point of entry is publicly accessible. Intended to meet legitimate business needs, such as allowing off-site clinicians to access clinical data, or vendors to troubleshoot systems installed at the facility, remote access systems can be exploited for illegitimate purposes.

Attackers take advantage of unmaintained and vulnerable remote access systems to infiltrate an organisation’s network. Once they gain access — whether through medical or non-medical assets — attackers can move laterally to other connected devices or systems, installing ransomware or other malware, stealing data or rendering it unusable, or hijacking computing resources for other purposes, such as to generate cryptocurrency. Safeguarding assets requires identifying, protecting, and monitoring all remote ingress points, as well as adhering to recommended cybersecurity practices, such as instituting a strong password policy, maintaining and patching systems, and logging system access.

Published cyber vulnerabilities

Cyber vulnerabilities are published frequently by manufacturers and vendors of software, building control systems, and Internet of Things and medical devices that require corrective action — ranging from software patching through to replacement or hard firewalling. These vulnerabilities and their associated alerts and recalls do not always reach the hospital, and are not always communicated using the normal methods, meaning that they can slip past the usual risk management teams in the business. Having a clearly defined responsibility matrix is key to an effective and proactive preventative maintenance schedule for connected devices.

There are many connected hospital devices in plain sight that continue to operate on unsupported operating systems and remain unpatched, even as cyberattacks continue to grow in the highly targeted healthcare sector. Take the example of nurse call systems. International experts report that 48% of nurse call systems have unpatched Common Vulnerabilities and Exposures (CVEs). This level of vulnerability makes such systems some of the higher risk Internet of Medical Things (IoMT) devices. Infusion pumps, which are used to provide fluids mechanically or electrically to patients, are the second riskiest IoMT devices, with almost a third (30%) operating with unpatched CVEs. In addition, 27% of these devices carry unpatched critical severity CVEs.

When it comes to medication dispensing systems, 86% have unpatched CVEs. Just under a third (32%) of these devices operate on Microsoft Windows versions that are no longer supported. Over half (59%) of IP cameras in clinical environments have unpatched CVEs, of which 56% are critical severity. Protecting every type of connected device, medical, IoT, and even the building management system, with full visibility and continuous contextualised monitoring, is a key element to ensuring patient safety.

Even though your data may be hosted locally by a global cloud services provider, that provider’s staff in other jurisdictions can still access your data and configuration details from overseas. Whether your data is hosted in your own data centre or with a global cloud service provider, staff in various jurisdictions abroad can access your data and your network and storage configuration details, and will have hypervisor access. The main issue is that it is often impossible to know who is accessing what data, even when the access is legitimate.

For example, at Cabrini we can see material amounts of data transfer across dozens of different countries. Figure 3 highlights the fact that there are over 2,000 devices communicating to China and Russia, some of which are medical.

Cabrini’s approach

Using one of the better known IoMT network monitoring tools, Cabrini Health has taken a proactive approach on a journey toward best practice. To date we have achieved:

Visibility of 24,716 networked devices of all types.
Accurate detection and association with specific assets.
Identification of 51 Risk Alerts and 13 Threat Alerts, and
Risk stratification, where 8,333 devices have a high-risk profile, of which 397 are medical in nature.

This information has been synthesised into a programme of work involving IT, Facilities Management, and Biomedical Engineering, which includes patching, firewalling, network segmentation, and equipment replacement. A further unexpected benefit has been the improved asset identification, which in turn has provided the ability to report and understand device utilisation and analytics. This provides better decision-making processes around device procurement, usage optimisation, maintenance, and service planning around networked hospital devices.

While I do not claim to be an expert, the journey thus far, spanning several years, has been a steep learning curve. The following suggestions are offered to assist those who may be less advanced in securing non-traditional IT networked devices. Making your healthcare organisation secure and protected against the risk that IoT devices expose you to requires a mix of fundamental cybersecurity practices and targeted efforts.

Ensure you have the appropriate asset visibility and inventory solutions

Make sure you have the tools and process to know exactly what is making up your environment and what is interacting with your network. This is crucial for ensuring that your additional safeguards and protective solutions are incorporating all of your devices.

Change all default passwords to pass-phrases

If you haven’t already, make sure that all connected devices in your network and environment have a secure password, not the default one the manufacturer put in place.

Ensure that generic passwords are not used for service access

Where possible, issue time-limited temporary access. Service network passwords are used without the hospital’s knowledge, and are often shared or written down.

Ensure that all switches do not use default port settings — e.g. all set to VLAN 1

VLAN 1 was never intended to be used as a standard VLAN for carrying network data. By default, every access port on a Cisco switch is placed in VLAN 1, which is a major security issue because it gives direct access to the network backbone. As a consequence, VLAN 1 can end up unwisely spanning the entire network if it is not appropriately pruned.
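
As an added example (not code from the article), the audit below reads a constructed Cisco IOS-style switch configuration and reports every port that still touches VLAN 1, applying the defaults the paragraph relies on: an access port with no "switchport access vlan" line sits in VLAN 1, a trunk with no allowed-list carries every VLAN, and the native VLAN is 1 unless changed. The interface names and descriptions are made up, and the parser only understands the plain comma and range form of the allowed-list (not the add/remove/except/none keywords).

```python
CONSTRUCTED_CONFIG = """\
interface GigabitEthernet1/0/1
 description Infusion pump - ward 3 (no access VLAN set)
 switchport mode access
!
interface GigabitEthernet1/0/2
 description Nurse call server
 switchport mode access
 switchport access vlan 120
!
interface GigabitEthernet1/0/3
 description BMS controller (explicitly left on VLAN 1)
 switchport mode access
 switchport access vlan 1
!
interface GigabitEthernet1/0/23
 description Uplink to distribution (pruned)
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 110,120,130
!
interface GigabitEthernet1/0/24
 description Uplink to core (factory defaults)
 switchport mode trunk
!
"""


def expand_vlan_list(spec: str) -> set:
    """Expand an allowed-list such as '110,120-122' into a set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_interfaces(config: str) -> dict:
    """Collect switchport settings per interface, filling in the Cisco defaults."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            # Defaults: access VLAN 1, native VLAN 1, all VLANs allowed on a trunk.
            interfaces[current] = {"mode": None, "access": 1, "native": 1, "allowed": None}
        elif line == "!":
            current = None                       # end of the interface block
        elif current is None:
            continue
        elif line.startswith("switchport mode "):
            interfaces[current]["mode"] = line.split()[-1]
        elif line.startswith("switchport access vlan "):
            interfaces[current]["access"] = int(line.split()[-1])
        elif line.startswith("switchport trunk native vlan "):
            interfaces[current]["native"] = int(line.split()[-1])
        elif line.startswith("switchport trunk allowed vlan "):
            interfaces[current]["allowed"] = expand_vlan_list(line.split()[-1])
    return interfaces


def vlan1_findings(config: str) -> list:
    """(interface, finding) pairs for every way a port still touches VLAN 1."""
    findings = []
    for name, cfg in parse_interfaces(config).items():
        if cfg["mode"] == "access" and cfg["access"] == 1:
            findings.append((name, "access port in VLAN 1"))
        elif cfg["mode"] == "trunk":
            if cfg["native"] == 1:
                findings.append((name, "native VLAN is 1"))
            if cfg["allowed"] is None or 1 in cfg["allowed"]:
                findings.append((name, "VLAN 1 not pruned from trunk"))
    return findings
```

Running vlan1_findings(CONSTRUCTED_CONFIG) flags the two access ports and the unpruned core uplink, while the pruned distribution uplink and the nurse call port pass.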

Maintain a regular patch management process

Just like with any tool or software, IoT device manufacturers often release security updates to nullify any discovered vulnerabilities or exploits. Failure to update these devices on the organisation’s side is an easy way to leave yourself vulnerable.

Leverage network segmentation tools and maintain logical grouping together with current documentation

To limit the potential of a malicious attacker using an IoT device as their way into your organisation’s network, you have to isolate IoT devices by placing them in their own network via network segmentation. This ensures that, even if a device is compromised, an attacker can’t reach your network, where more sensitive files or assets can be found.

Use monitoring tools to detect unusual behaviour

Network, device, and traffic monitoring tools can detect whether a device has been accessed by an unknown or new user, if multiple attempts to access a device have been made, or whether a device is behaving erratically in case of a compromise. These tools will alert you to any issues, and give you more time to react appropriately.
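
The three detections named above, as an added example that is not code from the article or from any monitoring product: an unknown user on a device, a burst of failed access attempts, and a device whose traffic suddenly departs from its own baseline. The log format, the baseline user sets and the traffic samples are all constructed, and the thresholds are assumptions a real tool would tune per device class.

```python
from collections import defaultdict, deque
from datetime import datetime
from statistics import median

# Constructed access-log lines in a simple key=value form (not from any real tool).
CONSTRUCTED_LOG = """\
2024-03-05T08:00:01 device=infusion-pump-12 user=biomed-svc result=success
2024-03-05T08:05:10 device=infusion-pump-12 user=vendor-remote result=failure
2024-03-05T08:05:25 device=infusion-pump-12 user=vendor-remote result=failure
2024-03-05T08:05:41 device=infusion-pump-12 user=vendor-remote result=failure
2024-03-05T08:06:02 device=infusion-pump-12 user=vendor-remote result=success
2024-03-05T08:30:00 device=lift-controller user=fm-engineer result=success
2024-03-05T09:15:00 device=lift-controller user=unknown-acct result=success
"""

# Users expected on each device (assumed baseline; normally learned from history).
BASELINE_USERS = {
    "infusion-pump-12": {"biomed-svc", "vendor-remote"},
    "lift-controller": {"fm-engineer"},
}

# Bytes sent per 5-minute interval, per device (constructed); the last pump value spikes.
CONSTRUCTED_TRAFFIC = {
    "infusion-pump-12": [12_000, 11_500, 12_300, 11_900, 12_100, 480_000],
    "lift-controller": [3_000, 3_100, 2_900, 3_050, 3_000, 3_100],
}


def parse_log(text: str) -> list:
    """Turn each log line into a dict with a parsed timestamp under 'ts'."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def detect_new_users(events, baseline) -> list:
    """(device, user) pairs where the user is not in that device's baseline."""
    return [(e["device"], e["user"]) for e in events
            if e["user"] not in baseline.get(e["device"], set())]


def detect_failure_bursts(events, threshold=3, window_s=60) -> list:
    """(device, user) pairs with >= threshold failed attempts inside window_s seconds."""
    recent, alerts = defaultdict(deque), set()
    for e in events:
        if e["result"] != "failure":
            continue
        key = (e["device"], e["user"])
        q = recent[key]
        q.append(e["ts"])
        while (q[-1] - q[0]).total_seconds() > window_s:
            q.popleft()                      # drop attempts older than the window
        if len(q) >= threshold:
            alerts.add(key)
    return sorted(alerts)


def detect_traffic_spikes(traffic, factor=5.0) -> list:
    """(device, ratio) where the latest interval exceeds factor x its own median."""
    spikes = []
    for device, samples in traffic.items():
        base = median(samples[:-1])
        if samples[-1] > factor * base:
            spikes.append((device, round(samples[-1] / base, 1)))
    return spikes
```

On the constructed data the pump shows a three-failure burst followed by a 40x traffic spike, and the lift controller shows a logon from an account outside its baseline.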

Employ an endpoint detection and response (EDR) solution

An EDR tool, used for all endpoints and not just IoT devices, is a must for all organisations in today’s environment. If you don’t have one yet, make sure you do your due diligence to find an EDR solution that works with your particular industry, the make-up of your organisation, and your needs.

Do not document logon details on laminated sheets, or in readily accessed documentation

In hospitals there are many casual or temporary staff that need access to IT infrastructure. Elimination of shared passwords is basic hygiene.

Ensure vendor service and service contracts include management of software patches

Patching is best performed by the equipment vendor or specialist support company.

Conclusion

Healthcare IoT and IoMT cybersecurity is just part of modern security hygiene and preventative maintenance. The risk introduced by IoT, medical devices, and building control and management infrastructure, represents yet another aspect of healthcare cybersecurity that requires attention and resources. The healthcare sector is under attack in a major way, and it’s time that health Facilities managers see cybersecurity improvement as an absolute necessity, dedicating the budget and staff appropriately. While it’s still not always feasible for in-house solutions or teams to address all the risks and concerns these organisations are currently facing, hospital Facilities managers should consider partnering with cybersecurity solutions experts who offer a wide suite of cybersecurity services and tools dedicated to preventing compromises, while also providing important resources in case a company is breached or a hacker makes their way in. I will leave you with this final thought: ‘Imagine if the lift controller systems were shut down; patients could not be moved effectively to theatres and wards for urgent critical care.’

Acknowledgment

This article, titled ‘Attacking cyber risks that are unique to hospitals’ was first published in the July 2023 issue of Healthcare Facilities, the official journal of the Institute of Healthcare Engineering, Australia. HEJ wishes to thank the author, the IHEA, and the magazine’s publisher, Adbourne Publishing, for allowing its reproduction here in slightly edited form.
