Global Report: 73% of Healthcare Providers Use Medical Equipment With A Legacy OS

During the pandemic, the healthcare industry was forced to undergo urgent digital transformation such as the introduction of telehealth services to adapt to the changing market demands. However, just how well did they factor security considerations in their digital transformation?

A new Healthcare report by cybersecurity firm Kaspersky has established that a global average of 22% of healthcare organisations’ medical equipment run on up-to-date software.  This prognosis looks slightly better in Africa, as 60% of respondents from South Africa, and 50% from Nigeria, indicated that all medical equipment runs up to date software. Usage of legacy operating systems (OS) exposes healthcare organisations to additional vulnerabilities and cyber-risks.

The research found that organisations globally widely use medical equipment with a legacy OS, mainly because of high upgrade costs, compatibility issues, or a lack of internal knowledge on how to upgrade, among other reasons.

“The usage of outdated equipment may lead to cyber-incidents. When software developers stop supporting a system, they also halt the release of any updates, which among other improvements, often contain security patches for discovered vulnerabilities. If left unpatched, these can become an easy and accessible to penetrate the company’s infrastructure, even for unskilled attackers.

Healthcare organisations collect a wealth of sensitive and valuable data, making them one of the most lucrative targets, and unpatched devices can facilitate a successful attack for adversaries,” the report explains.

When it comes to cybersecurity readiness, only 30% of healthcare workers globally (South Africa: 50%; Nigeria: 38%) are very confident that their organisation can effectively stop all security attacks or breaches at the perimeter. While just 34% of global respondents (South Africa: 50%; Nigeria: 50%) expressed conviction that their organisation has up to date, adequate hardware and software IT security protection.

At the same time, half (50%) of global respondents (South Africa: 30%; Nigeria: 63%) agreed that their organisation had already experienced data leaks, DDoS or ransomware attacks.

“The healthcare sector is evolving to meet the demand for accessible help by actively adopting connected devices. But this also adds unique cybersecurity challenges typical to the embedded systems. Our report confirms that many organisations still use medical devices that run on old OS and face obstacles that hamper upgrades. While there is a need for developing a strategy of modernisation, there are also solutions and measures available which can help to minimise the risks in the meantime. Those combined with medical staff awareness can significantly raise the security level and pave the way for the future development of the healthcare industry,” comments Sergey Martsynkyan, VP, Corporate Product Marketing at Kaspersky.

To help the healthcare sector minimise the likelihood of cyber-incidents caused by obsolete and unpatched systems, Kaspersky recommends taking the following steps:

• Provide your staff with basic cybersecurity hygiene training, as many attacks start with phishing or other social engineering techniques.
• Carry out a cybersecurity audit of your networks and remediate any weaknesses discovered in the perimeter or inside the network.
• Install anti-APT and EDR solutions, enabling threat discovery and detection, investigation, and timely remediation of incidents capabilities. Provide your SOC team with access to the latest threat intelligence and regularly upskill them with professional training. All of the above is available within Kaspersky’s Expert Security framework.
• Along with proper endpoint protection, dedicated services can help defend against high-profile attacks. Managed Detection and Response services can help identify and stop attacks in their early stages before the attackers achieve their goals.
• Harden embedded systems in medical devices that are rarely updated.