What’s the difference between an endoscopy device and a compromised ATM? To a hacker, very little.
Endoscopic technology has advanced over the last decade, incorporating artificial intelligence into its diagnostic capabilities and ever more sophisticated tools to enhance its treatment utility. But like any networked medical device, endoscopes leave hospitals and medical facilities vulnerable to cyberattacks.
In 2023 alone, cybersecurity breaches cost the healthcare industry an average of $10.93 million per breach—nearly twice the price tag faced by the second runner-up, the financial industry. The issue has prompted the U.S. Department of Health and Human Services (HHS) to devise a strategy for safeguarding against cyberattacks and ransomware, with the promise of legislation and increased regulations on the horizon.
While the challenge is not simple, hospitals and medical centers can take relatively easy steps to safeguard their data. In fact, the key to protecting security health is not appreciably different from the advice doctors give about maintaining physical health: Undergo regular checkups, keep up to date with antivirus measures and seek care from knowledgeable experts.
Stay Off the Internet
Medical devices should not have internet access. Anything connected to the internet is an easy target for hacking. A 2019 survey found that 80% of hospitals experienced a cyberattack focused on Internet of Things (IoT) devices.
These vulnerabilities have been identified by the FBI as significant security risks. And in many cases, these risks are unnecessary: Medical devices that rely on AI and machine learning do not necessarily need to be connected to the internet to make use of the vast stores of data that feed AI capabilities.
Air Gap
In addition to being unsafe, internet access for medical devices is unnecessary. A network that is not connected to any external network—such as the internet—is known as an “air-gapped” network. Communication between a scope and a hospital’s EMR, for instance, can be achieved through secured, air-gapped networks. These can be bridged using dual-homed machines that can connect to both the air-gapped and internet-connected networks. Setting up these connections takes skill and expertise: upfront costs that, when facing a potential $11 million breach, hospitals may decide are well worth the investment (more on that later).
Update Older Operating Systems
Older operating systems like Windows 95 and Windows 7, 8, 10 (security updates end after October 14, 2025) that are no longer supported, or soon will not be, may lack the necessary security patches to protect against attacks. If a legacy system is not being supported, and a hospital’s devices are not on an air-gapped network, they may be vulnerable to attack.
In a 2022 statement, the FBI warned about the cybersecurity vulnerability of unpatched and outdated medical devices and legacy systems, noting that “40% of medical devices at the end-of-life stage offer little to no security patches or upgrades” that could protect against attacks.
Protect Against Viruses
Antivirus software is often not installed on medical devices due to conflicts with medical software or vendor policies. In some cases, the machines themselves may be underpowered, lacking the memory or CPU capacity to run antivirus software and the clinical application. In other cases, hospitals are loath to install antivirus software for fear device manufacturers will no longer service equipment. The result is an unprotected device that can easily be compromised.
Like physical viruses, computer viruses have led to real-world deaths: An Alabama hospital settled a lawsuit in 2021 involving the death of a newborn who suffered birth complications during a ransomware attack at the hospital that prevented doctors from receiving timely access to the baby’s fetal monitoring results.
Check Credentials
Hospitals often give full administrative rights to devices without understanding the implications. A hacker who accesses an endoscope’s software gains the same level of trust the device enjoys. So, in the case of an endoscope that has been given admin access, that hacker would be able to use the device to gain full access to a hospital’s medical records. This puts patients—and the hospital—at significant risk.
To limit the damage in the event of a security compromise, low-power accounts should be used on all devices. It is also important to conduct regular network scans to identify unauthorized devices, administrative access and suspicious software installations.
Break It Up
Micro-segmentation—a network security strategy that divides a network into very small, isolated segments—can also protect against a bad actor gaining full control of a hospital’s network through a breach in a single device. Like air-gapped networks, this takes skill and expertise to create and maintain but can be well worth the investment.
Also known as a “black box” solution, micro-segmentation requires the mapping of data and workflows and can introduce friction into the day-to-day operation of a hospital or medical center. But the benefit lies in greatly limiting any breach.
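As an added illustration of the advice in “Stay Off the Internet” and “Break It Up” (not code from the author or any vendor), the sketch below checks flow records against a segment allowlist and reports every endoscopy-segment flow that is not explicitly permitted. The addressing plan, segment names, port and sample flows are all constructed assumptions.

```python
import ipaddress

# Constructed addressing plan (assumption): every network and address is illustrative.
HOSPITAL = ipaddress.ip_network("10.0.0.0/8")
SEGMENTS = {
    "endoscopy": ipaddress.ip_network("10.20.30.0/28"),
    "emr": ipaddress.ip_network("10.20.40.0/28"),
}
DEVICE_SEGMENT = "endoscopy"
# The only flow a scope needs: (source segment, destination segment, destination port).
ALLOWED = {("endoscopy", "emr", 443)}

def segment_of(addr):
    """Return the name of the segment containing addr, or None if it is unmapped."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in SEGMENTS.items() if ip in net), None)

def audit_flows(flows):
    """Return (src, dst, port, reason) for each device-segment flow not in the allowlist."""
    findings = []
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if DEVICE_SEGMENT not in (s, d) or (s, d, port) in ALLOWED:
            continue  # not a medical-device flow, or explicitly permitted
        peer = dst if s == DEVICE_SEGMENT else src
        if ipaddress.ip_address(peer) not in HOSPITAL:
            reason = "external peer"            # device is reaching, or reachable from, outside
        elif segment_of(peer) is None:
            reason = "unmapped internal peer"   # host that belongs to no defined segment
        else:
            reason = "flow not in allowlist"    # known segment, unapproved direction or port
        findings.append((src, dst, port, reason))
    return findings

# Constructed flow records: (source address, destination address, destination port).
SAMPLE_FLOWS = [
    ("10.20.30.5", "10.20.40.2", 443),    # scope -> EMR, permitted
    ("10.20.30.5", "203.0.113.10", 443),  # scope -> address outside the hospital
    ("10.20.40.2", "10.20.30.5", 3389),   # EMR host -> scope on an unapproved port
    ("10.20.50.9", "10.20.30.5", 445),    # unknown internal host -> scope
    ("10.20.40.2", "10.20.40.3", 443),    # EMR-internal traffic, out of scope here
]

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```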
Keep IT Local
Offshoring IT support can reduce cost, but it can also greatly reduce security. Without a skilled team to maintain your network and devices, scan for issues and protect security, hospitals and medical facilities leave themselves open for attack.
At least 29% of data breaches occur through third parties—with three-quarters of those occurring through vendors that provide technical services such as software, IT products and related services. Keeping your IT team local—or even better, in-house—helps you control visibility, streamline communication and ensure that everyone on your team is working within the same regulatory framework.
Don’t Rely on Insurance
As a work-around to supporting expensive IT departments, some medical facilities purchase cyber insurance. This may be shortsighted at best and ineffective at worst. Insurance companies will only pay out if a business takes normal and adequate care to secure against threat. By letting go of—or offshoring—their IT departments and hoping for the best, hospitals demonstrate the exact opposite: They haven’t taken adequate care to secure against a cyberattack. As a result, hospitals are left with a costly breach that their insurance companies will not cover.
Don’t Skip the Small Stuff
Password-protect your devices. Add firewalls, patch management and access controls for all networked devices. Yes, these measures add a layer of friction to a procedure, but the small inconvenience is well worth it. Passwords are among the most reliable ways to control data flows and prevent unauthorized access to sensitive information.
That said, remember to change the default passwords that may come with your device: In February 2023, an infusion pump manufacturer issued a warning that one of its devices had a password vulnerability that might allow access to personal information.
Do a Sweep
When someone leaves your organization, make sure they no longer have access to your network. Reviewing login credentials and access controls for endoscopy equipment—and all equipment—will help ensure they are properly secured. This will help prevent unauthorized access and maintain the confidentiality and integrity of your data. We call credentials for people who are no longer with the organization “zombie accounts,” and like horror movie zombies, they leave hospitals vulnerable to attack. In some cases, the “zombies” are knowingly acting against the law. In others, however, they might not know they still retain access to their old accounts. So, if their personal accounts are compromised, they won’t know to alert their former employers to the risk of a cyberattack.
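The sweep described here, combined with the checks from “Check Credentials” and the default-password reminder, can be run as a comparison between device account inventories and the HR roster. The following is an added example, not the author's tooling; the field names, employee IDs and device names are constructed assumptions.

```python
# Constructed sample data (assumption): field names, IDs and devices are illustrative.
ACTIVE_STAFF = {"E1001", "E1002", "E1007"}  # employee IDs currently on the HR roster

DEVICE_ACCOUNTS = [
    {"device": "endo-tower-01", "user": "jsmith", "owner": "E1001",
     "role": "operator", "default_password": False},
    {"device": "endo-tower-01", "user": "mlee", "owner": "E0950",
     "role": "admin", "default_password": False},
    {"device": "endo-tower-02", "user": "service", "owner": None,
     "role": "admin", "default_password": True},
    {"device": "endo-tower-02", "user": "rpatel", "owner": "e1002 ",
     "role": "operator", "default_password": False},
    {"device": "endo-tower-03", "user": "akhan", "owner": "E0871",
     "role": "operator", "default_password": False},
]

def sweep(accounts, active_staff):
    """Return (device, user, issues) tuples, accounts with the most issues first."""
    # Normalise IDs so stray whitespace or case differences do not hide a match.
    roster = {staff_id.strip().lower() for staff_id in active_staff}
    findings = []
    for acct in accounts:
        issues = []
        owner = (acct["owner"] or "").strip().lower()
        if not owner:
            issues.append("no named owner")
        elif owner not in roster:
            issues.append("zombie account")         # owner has left the organization
        if acct["role"] == "admin":
            issues.append("administrative rights")  # should be a low-power account
        if acct["default_password"]:
            issues.append("default password")       # vendor default never changed
        if issues:
            findings.append((acct["device"], acct["user"], issues))
    findings.sort(key=lambda f: -len(f[2]))
    return findings

if __name__ == "__main__":
    for device, user, issues in sweep(DEVICE_ACCOUNTS, ACTIVE_STAFF):
        print(f"{device}\t{user}\t{', '.join(issues)}")
```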
Key Takeaways
In 2017, criminals in Mexico famously inserted endoscopes through the cash exit openings in ATMs to manipulate sensors in the dispenser and simulate physical authentication that caused the ATM to spit out cash like a Vegas slot machine hitting the jackpot.
But bad actors don’t need actual endoscopes in their hands to use these and other medical devices to access valuable personal information or hold hospitals ransom. To protect healthcare data, hospitals and medical centers need to consider safety breaches when purchasing or updating new tools and take significant steps to enhance their cybersecurity.
- Keep medical devices off the internet.
- Implement air-gapped networks for medical devices.
- Update older operating systems and employ patches for older devices.
- Protect against viruses.
- Avoid giving administrative rights to devices.
- Implement micro-segmentation to control network traffic granularly.
- Maintain a dedicated IT security department and networking team with the necessary skills to configure and secure networks properly.
- Password-protect all medical devices.
- Regularly sweep for unauthorized access.
Just as doctors advise patients to maintain their physical health, the healthcare industry must perform regular checkups, stay updated with antivirus measures and consult with cybersecurity experts to keep their cybersecurity health in excellent shape.
Author
Philip is a cybersecurity expert and founder and previous President/CEO of Lieberman Software Corporation (now a part of BeyondTrust). He has more than 40 years of experience in the software industry. Lieberman is the founder and President/CEO of Analog Informatics Corporation, the mission of which is to improve patient and family experiences interacting with healthcare providers. He is frequently quoted by international business and mainstream media and has published numerous books and articles. Lieberman taught at UCLA and Learning Tree International and has authored many computer science courses.