
Why Hospitals’ Physical Security Devices Are Vulnerable to Cyberattacks

It’s hard to overstate how serious cybersecurity has become for hospitals. Any gaps in a hospital’s data security risk causing serious legal, reputational, and financial harm—especially in light of laws such as HIPAA. Cyberattacks on hospitals have even been linked to higher mortality rates.

Ironically, one of the major cybersecurity dangers that hospitals face is that their physical security devices could be used as an attack vector to target them. Because it’s common for hospitals (like other types of organizations) to rely on these devices without comprehensive cyber-protection, they can have vulnerabilities that make hospitals susceptible to being targeted by hackers and cybercriminals. 

Adding to the danger, many hospitals lack real-time visibility into the operational status of their physical security devices. As a result, there is a real risk that any cyberattack that successfully compromises those devices could go on for long enough to cause serious damage before the hospital even discovers the problem. And if a hospital’s physical security devices are connected to their network in ways that risk compromising the cybersecurity of their other connected devices, that further increases the danger they could face.

Why do hackers pose a unique threat to the medical field? How serious are the cybersecurity risks facing hospitals? And how do unsecured physical security devices contribute to their danger? This blog post will explore all of these key questions, shedding light on the risk of a hospital’s physical security devices being compromised by bad actors.

Cyber criminals uniquely threaten the medical field

Hospitals are a prime target for cybercrime – especially ransomware attacks – mainly due to their valuable information and the perception that the importance of their medical services will make them more likely to pay ransoms. In fact, the medical field is targeted by ransomware attacks more than any other industry, and it has the most expensive cyberattacks by far. According to IBM’s Cost of a Data Breach Report 2024, healthcare has been the industry with the most expensive data breaches every year since 2011, with an average price tag of $9.77 million in 2024 – double the global average of $4.88 million.

All told, ransomware attacks on the healthcare industry have cost an estimated $77.5 billion in downtime in the U.S. since 2016. Moreover, hospitals’ reliance on connected medical devices creates a further risk: a cyberattack could prevent those devices from functioning properly.

And the developments we’ve seen this year (2024) are particularly alarming. Early in the year, Change Healthcare suffered a ransomware attack that was labeled “the most serious incident of its kind leveled against a U.S. health care organization” by Rick Pollack, President and CEO of the American Hospital Association (AHA). At the peak of the massive disruptions it caused throughout the U.S. healthcare industry, that attack was estimated to cost some healthcare providers more than $100 million daily.

Providing a broader perspective on cybersecurity trends within the healthcare industry, Check Point Research (CPR) has found that between January and September of 2024, “the global weekly average number of attacks per organization within the healthcare industry was 2,018, representing a 32% increase, compared to the same period last year.”

Physical security devices can amplify this danger

Understanding the seriousness of the risks they face, hospitals tend to invest extensively in IT and cybersecurity tools to defend themselves from hackers. But often, their physical security devices represent a major gap in their cybersecurity—especially because typical IT and cybersecurity tools are not designed to address the demands of physical security devices.

This problem is far from unique to healthcare, affecting virtually all types of organizations – and it occurs through no fault of their hard-working physical security professionals. The major difference for hospitals is just how high the stakes can be – especially because of their legal obligations, the sensitivity of the information they deal with, the critical nature of the medical services they provide, and the impact their reputation can have on their future.

Adding to the danger, it’s very common for organizations of all types to use physical security devices with serious cyber vulnerabilities. Specifically, these devices often have weak and generic passwords, outdated firmware versions (which may lack the security patches that would address known firmware vulnerabilities), expired or inadequate certificates, and configuration settings that increase their attack surface. In many cases, physical security devices continue to be used even after they’ve passed their end of service, which makes them especially easy to compromise because they no longer receive security patches or firmware upgrades.

Furthermore, because many hospitals (like other types of organizations) do not comprehensively monitor their physical security devices around the clock, they may miss the indications of a cyberattack should one occur. This makes it difficult for a targeted hospital to detect the attack promptly, so a compromise of these devices can go undetected for a long time.
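The conditions described in the two paragraphs above (default credentials, unpatched firmware, weak certificates, end-of-service devices, risky services, and devices that stop reporting) can be checked automatically against a device inventory. The following is an added example, not code from the original post or from any vendor; the device fields, the patched-firmware table, the risky-service list, and the sample devices are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed minimum firmware (major, minor, patch) that carries current security patches, per device family
PATCHED_FIRMWARE = {"ip-camera": (5, 7, 2), "door-controller": (3, 1, 0)}
# Assumed management services that widen the attack surface when left enabled
RISKY_SERVICES = {"telnet", "upnp", "ftp"}

@dataclass
class Device:
    name: str
    family: str
    firmware: tuple
    default_creds: bool               # vendor default or shared generic password still in use
    cert_expires: datetime
    end_of_service: Optional[datetime]
    enabled_services: set = field(default_factory=set)
    last_seen: Optional[datetime] = None   # last health heartbeat received by monitoring

def audit_device(dev: Device, now: datetime, heartbeat_max=timedelta(minutes=15)) -> list:
    """Return the list of cyber-hygiene findings for one device (empty list if clean)."""
    findings = []
    if dev.default_creds:
        findings.append("weak or generic password")
    minimum = PATCHED_FIRMWARE.get(dev.family)
    if minimum and dev.firmware < minimum:          # tuple comparison orders versions correctly
        findings.append("outdated firmware " + ".".join(map(str, dev.firmware)))
    if dev.cert_expires <= now:
        findings.append("expired certificate")
    elif dev.cert_expires - now < timedelta(days=30):
        findings.append("certificate expires within 30 days")
    if dev.end_of_service and dev.end_of_service <= now:
        findings.append("past end of service")
    risky = sorted(dev.enabled_services & RISKY_SERVICES)
    if risky:
        findings.append("risky services enabled: " + ", ".join(risky))
    if dev.last_seen is None or now - dev.last_seen > heartbeat_max:
        findings.append("no recent heartbeat")   # device silently offline or possibly tampered with
    return findings

def audit_fleet(devices, now: datetime) -> dict:
    """Map each device name to its findings, omitting devices with no findings."""
    return {d.name: f for d in devices if (f := audit_device(d, now))}

# Constructed sample inventory: one neglected camera, one end-of-service door controller, one healthy camera
NOW = datetime(2024, 11, 1, tzinfo=timezone.utc)
SAMPLE_DEVICES = [
    Device("cam-er-01", "ip-camera", (5, 6, 0), True, NOW + timedelta(days=10), None, {"https", "telnet"}, NOW - timedelta(minutes=2)),
    Device("door-icu-02", "door-controller", (3, 1, 0), False, NOW + timedelta(days=400), NOW - timedelta(days=90), {"https"}, NOW - timedelta(hours=3)),
    Device("cam-lobby-03", "ip-camera", (5, 7, 2), False, NOW + timedelta(days=200), None, {"https"}, NOW - timedelta(minutes=1)),
]
```

Running `audit_fleet(SAMPLE_DEVICES, NOW)` flags the two problem devices and leaves the healthy camera out of the report; in practice the inventory would come from the device-management system rather than a hard-coded list.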

Considering how widespread, expensive, and dangerous the cybersecurity threats facing hospitals are, the stakes of using physical security devices that are not thoroughly cyber-protected are extremely high. Because hospitals often lack real-time visibility into the health and performance of their physical security devices, these devices present a major blind spot in their data security. As a result, hospitals face a very real risk that any cyberattack that takes advantage of vulnerabilities in their physical security devices could cause serious legal, reputational, and financial harm. Worst of all, this reality risks compromising both patients’ privacy and hospitals’ ability to ensure that patients get the care they need.
