What’s the distinction between an endoscopy device and a hacked ATM? To a hacker, not much.
Endoscopic technology has evolved over the past decade, adding artificial intelligence to its diagnostic function and increasingly advanced tools to expand its treatment value. But as with any networked medical device, endoscopes expose hospitals and medical facilities to cyberattacks.
In 2023 alone, healthcare breaches cost an average of $10.93 million each—almost double the cost in the second-place industry, finance. The problem is so severe that the U.S. Department of Health and Human Services (HHS) has come up with a plan to protect against cyberattacks and ransomware, with the threat of legislation and stricter regulations on the horizon.
Although the problem is not straightforward, hospitals and medical facilities can do fairly straightforward things to protect their information. In fact, the secret to security health is not significantly different from the recommendations physicians make regarding physical health: Get frequent checkups, stay current with antivirus programs and receive treatment from experienced professionals.
Stay Off the Internet
Medical equipment must not be connected to the internet. Anything that is connected to the internet is an easy target for hacking. According to a survey conducted in 2019, 80% of hospitals have been affected by a cyberattack targeting Internet of Things (IoT) devices.
The FBI has highlighted these vulnerabilities as particular security threats. And in the majority of these instances, the exposure is unnecessary: Medical devices that depend on AI and machine learning do not necessarily need to be connected to the internet to take advantage of the vast stores of data driving AI capabilities.
Air Gap
Besides being unsafe, connecting medical devices to the internet is unnecessary. A network that is not linked to any external network—like the internet—is referred to as an “air-gapped” network. A scope and a hospital’s EMR can communicate over secured, air-gapped networks. Such networks can be bridged with dual-homed machines that can connect to both the air-gapped and the internet-linked networks. Setting up these connections requires finesse and technical knowledge: an initial investment that, weighed against a potential $11 million breach, hospitals might deem well worth the expenditure (stay tuned for that explanation).
Update Older Operating Systems
Legacy operating systems such as Windows 95 and Windows 7, 8 and 10 (security updates have a cut-off after October 14, 2025), which are or will no longer be supported, might not have the security patches required to keep them safe from attack. If the legacy system is not supported, and a hospital’s equipment is not on an air-gapped network, then that equipment could be susceptible to attack.
In a 2022 statement, the FBI warned of cybersecurity vulnerabilities in unpatched and outdated medical devices and legacy systems, noting that “40% of medical devices reaching the end-of-life point provide little or no security upgrades or patches that are able to repel attack.”
Protect Against Viruses
Antivirus software frequently is not installed on medical equipment because it conflicts with medical software or vendor policies. In some instances, the machines themselves are underpowered, having insufficient memory or CPU power to execute antivirus software and the clinical application. In other instances, hospitals are reluctant to install antivirus software for fear device manufacturers will no longer support equipment. The end result is an unguarded device that can be easily penetrated.
Similar to physical viruses, computer viruses have caused actual deaths: An Alabama hospital paid a settlement in 2021 on a lawsuit over the death of a newborn who experienced birth complications during a ransomware attack at the hospital that kept doctors from getting timely access to the baby’s fetal monitoring results.
Check Credentials
Hospitals often give full administrative rights to devices without understanding the implications. Once a hacker gets into an endoscope’s software, he or she has the same level of trust that the device has. So if an endoscope has been given admin access, that hacker would be able to use the device to achieve full access to a hospital’s medical records. That places patients—and the hospital—in great jeopardy.
To minimize the damage in case of a security breach, low-privilege accounts must be used on all devices. Regular network scans must also be performed to detect unauthorized devices, administrative access and suspicious software installations.
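One way to run the credential check described here, and the sweep for departed-staff accounts covered later under “Do a Sweep”, is to reconcile an export of device accounts against the current staff roster. This is an added example, not part of the original article; the CSV columns, account names, roster and 90-day idle threshold are all assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample export: one row per local account on each device.
DEVICE_ACCOUNTS = """device,account,group,owner,last_logon,password_changed
endo-01,svc_scope,Users,service,2024-05-30,2024-03-02
endo-01,jdoe,Administrators,jdoe,2023-12-01,2023-11-20
endo-02,admin,Administrators,vendor,2024-05-28,
endo-02,mlee,Users,mlee,2024-05-29,2024-01-15
"""
ACTIVE_STAFF = {"mlee"}                  # constructed HR roster of current staff
SERVICE_OWNERS = {"service", "vendor"}   # owners that are not individual people
AS_OF = date(2024, 6, 1)                 # constructed audit date
MAX_IDLE_DAYS = 90                       # assumed threshold, tune to local policy


def sweep(accounts_csv, active_staff, service_owners, as_of):
    """Return (device/account, reason) findings for one account export."""
    findings = []
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        where = f"{row['device']}/{row['account']}"
        owner = row["owner"]
        # Person-owned account whose owner has left the organization.
        if owner not in service_owners and owner not in active_staff:
            findings.append((where, "zombie account"))
        # Any account holding full administrative rights on the device.
        if row["group"] == "Administrators":
            findings.append((where, "administrative rights"))
        # Empty field means the password was never changed from its initial value.
        if not row["password_changed"]:
            findings.append((where, "password never changed"))
        idle = (as_of - date.fromisoformat(row["last_logon"])).days
        if idle > MAX_IDLE_DAYS:
            findings.append((where, f"idle {idle} days"))
    return findings


if __name__ == "__main__":
    for where, reason in sweep(DEVICE_ACCOUNTS, ACTIVE_STAFF, SERVICE_OWNERS, AS_OF):
        print(f"{where}: {reason}")
```

An account can appear more than once: here the departed user's account is also an administrator and has sat idle, which makes it the first one to disable.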
Break It Up
Micro-segmentation—a network security technique that breaks a network down into extremely small, isolated segments—can also safeguard against a malicious actor taking complete control of a hospital’s network via a breach in one device. Similar to air-gapped networks, this requires expertise and effort to establish and maintain but can be well worth the cost.
Also known as a “black box” solution, micro-segmentation involves the mapping of data and workflows and introduces friction into the daily operation of a hospital or medical center. But the payoff is in severely curtailing any breach.
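The mapping of workflows that micro-segmentation requires ends up as an allow-list of permitted flows between segments, with everything else denied. The sketch below is an added example, not part of the original article: it checks flow records against such a list and flags anything leaving the endoscopy segment for another segment or for an address outside the hospital, which also covers the offline and air-gap advice above. Segment names, address ranges, ports and flow records are constructed for illustration.

```python
import ipaddress

# Constructed segment map; ranges are private or documentation addresses.
SEGMENTS = {
    "endoscopy": ipaddress.ip_network("10.20.1.0/28"),
    "emr":       ipaddress.ip_network("10.20.9.0/28"),
    "billing":   ipaddress.ip_network("10.30.0.0/24"),
}
# Default deny: only (source segment, destination segment, port) tuples
# listed here are permitted to cross a segment boundary.
ALLOWED = {("endoscopy", "emr", 443)}

# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.20.1.5", "10.20.9.3", 443),     # scope -> EMR interface (mapped workflow)
    ("10.20.1.5", "10.30.0.17", 445),    # scope -> billing file share
    ("10.20.1.6", "203.0.113.50", 443),  # scope -> address outside every segment
    ("10.30.0.17", "10.20.1.5", 3389),   # billing -> scope
]


def segment_of(ip):
    """Name of the segment containing ip, or 'external' if none does."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def violations(flows):
    """Return flows that cross a segment boundary without an allow-list entry."""
    out = []
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if s == d and s != "external":
            continue  # traffic inside one segment is out of scope for this check
        if (s, d, port) not in ALLOWED:
            out.append((src, dst, port, f"{s}->{d}"))
    return out


if __name__ == "__main__":
    for src, dst, port, path in violations(FLOWS):
        print(f"DENY {path}: {src} -> {dst}:{port}")
```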
Keep IT Local
Offshoring IT support may save cost, but it can significantly diminish security. Without a professional staff to monitor your network and devices, scan for problems and defend security, hospitals and medical facilities open themselves up to invasion.
At least 29% of data breaches are caused by third parties—with three-quarters of those caused by vendors who offer technical services like software, IT products and related services. Having your IT staff local—or better yet, in-house—allows you to maintain control of visibility, simplify communication and ensure that the entire team you employ is operating under the same regulatory environment.
Don’t Rely on Insurance
As a stopgap alternative to funding costly IT departments, some hospitals buy cyber insurance. This can be short-sighted at best and useless at worst. Insurance firms only pay out if a company uses normal and sufficient care to protect against threats. By abandoning—or outsourcing—their IT departments and wishing for the best, hospitals show the very opposite: They haven’t exercised sufficient care to protect against a cyberattack. Consequently, the hospitals are left with an expensive lapse that will not be paid for by their insurance providers.
Don’t Skip the Small Stuff
Password-protect your devices. Include firewalls, patch management and access controls for all networked devices. Yes, these actions introduce a level of friction into a process, but the slight inconvenience is more than worth it. Passwords are one of the most effective means of controlling data flows and keeping sensitive information from unauthorized access.
That being said, don’t forget to replace default passwords that may come with your device: In February 2023, a maker of infusion pumps issued an alert that one of their products had a password flaw that could potentially open up access to personal data.
Do a Sweep
When a person departs your organization, ensure they have no access to your network anymore.
Checking login credentials and access controls for endoscopy machines—and all machines—will ensure they are securely locked down. This will prevent unauthorized use and ensure confidentiality and integrity of your data. We refer to credentials for individuals no longer with the organization as “zombie accounts,” and like zombies from horror movies, they leave hospitals open to attack. In some instances, the “zombies” are actively working against the law. In others, they may be unaware that they still have access to their former accounts. So, if their personal accounts have been compromised, they will not realize they should inform their old employers of the potential for a cyberattack.
Key Takeaways
In 2017, Mexican criminals notoriously used endoscopes by way of the cash exit slots in ATMs to control sensors in the dispenser and replicate physical verification that prompted the ATM to spew forth cash like a slot machine in Vegas that just hit the jackpot.
But the bad actors do not need to hold actual endoscopes in their hands to employ these and other medical devices to gain access to lucrative personal data or hold hospitals hostage. To secure healthcare data, hospitals and medical facilities must look at safety breaches when they buy or upgrade new equipment and take some serious steps to ensure their cybersecurity.
- Keep medical devices offline.
- Use air-gapped networks for medical devices.
- Update older operating systems and use patches for older devices.
- Protect against viruses.
- Avoid granting administrative rights to devices.
- Use micro-segmentation to manage network traffic granularly.
- Have a dedicated IT security department and networking team with the required skills to configure and secure networks appropriately.
- Password-protect all medical devices.
- Sweep regularly for unauthorized access.
Just as physicians instruct patients to keep their physical health in check, the healthcare sector needs to undergo periodic checkups, keep abreast of antivirus practices and take advice from cybersecurity professionals to ensure its cybersecurity health is in top condition.
Author
Philip is a cybersecurity expert and founder and previous President/CEO of Lieberman Software Corporation (now a part of BeyondTrust). He has more than 40 years of experience in the software industry. Lieberman is the founder and President/CEO of Analog Informatics Corporation, the mission of which is to improve patient and family experiences interacting with healthcare providers. He is frequently quoted by international business and mainstream media and has published numerous books and articles. Lieberman taught at UCLA and Learning Tree International and has authored many computer science courses.