This Science News Wire page contains a press release issued by an organization and is provided to you "as is" with little or no review from Science X staff.

Connected devices, shared risks: healthcare at a crossroads between opportunity and cyber threat

October 15th, 2025 Diego Giuliani

In the wake of the COVID-19 pandemic and amid a globally ageing population, healthcare systems are increasingly shifting toward remote care. The potential benefits are enormous, but so are the risks, as the "surface for cyberattacks" expands. "Building secure devices and leaving them alone is outdated," warn experts behind a new, integrated cybersecurity approach. "We need real-time oversight and continuous interaction across systems to monitor and manage threats."

On the night of 9 and 10 September 2020, a critically ill patient was rushed to the emergency department of Düsseldorf University Hospital. But the facility could not receive her: emails and operational systems were down, patient information was inaccessible, and emergency admissions were suspended. The 78-year-old woman was redirected to a hospital in Wuppertal: only an hour's detour, but one that proved fatal. The cause was a ransomware attack, a type of cyberattack "where threat actors take control of a target's assets and demand a ransom in exchange for the return of the assets' availability and confidentiality." The definition comes from ENISA, the European Union Agency for Cybersecurity. "There are multiple risks," confirms Maria Papaphilippou, a cybersecurity officer at their Resilience of Critical Sectors Unit. "Hospitals can no longer access digital records, appointments may be postponed, surgeries cancelled. And at the individual level, patients may lose access to their medical data, be unable to receive the care they need, or they may be sent to other hospitals."

The Düsseldorf case is far from isolated. Out of 215 publicly reported cyber incidents targeting the health sector between January 2021 and March 2023, ENISA recorded 53% against healthcare providers and 42% specifically against hospitals. Between 2023 and 2024, over one in five ransomware attacks targeted healthcare organisations, an 18% increase from the previous year, with the median cost of a major incident estimated at €300,000. Stephen Gilbert, Professor of medical device regulatory science at the Dresden University of Technology (DUT), researches how to develop and effectively implement safe AI-based medical devices within health systems. "The biggest challenge is the current siloed approach to cybersecurity, where responsibility is placed on individual device manufacturers, with little systemic coordination," he says. "When a cyber incident occurs, the standard response is often to disconnect the device or shut down the network, which is not viable for modern healthcare models, especially remote care."

That's why the European project CYMEDSEC, which Gilbert coordinates, is working to go beyond the current cybersecurity approach in medical devices and digital health systems by adopting a more holistic view. "A key focus is on moving beyond fragmented, device-by-device risk assessments toward a system-wide understanding of vulnerabilities, including how devices interact in practice. The strategy involves building monitoring tools, creating safer-by-design technologies, and ensuring that cybersecurity is not just a regulatory hurdle but an embedded and ongoing responsibility shared by manufacturers, hospitals, and care providers," explains Gilbert. His project's focus reflects the evolution health systems have undergone since the COVID-19 pandemic, and which is being further accelerated by demographic trends. "According to Eurostat, in the next 75–80 years we can expect a demographic decline, which will result not only in fewer healthcare workers in absolute terms, but also in a 20–30% increase in the population over 65, unfortunately the age group that places the greatest demand on healthcare services," says Francesco Ricciardi, an executive engineer at the Casa Sollievo della Sofferenza Foundation in the southern Italian town of San Giovanni Rotondo.

Besides enabling more personalised and at-home care, that's where telemonitoring and telemedicine can help increase efficiency and at least partially compensate for the shortage of human resources. But as healthcare becomes more digital, it also expands the so-called "attack surface", the number of entry points hackers can exploit. "Data breaches and leaks are among the top risks in remote care, which relies on continuous connectivity between patients and providers. Sensitive medical information is exchanged, and if even one party isn't in a secure environment, it puts both sides—and the data—at risk," explains Papaphilippou. "Yet, one of the biggest issues is that patients and healthcare workers may not be fully aware of these risks or have the resources to address them." The "hospital at home" model introduces a new set of cybersecurity challenges, stresses Gilbert, because it moves clinical care beyond the hospital's controlled environment. "Patients are monitored and treated via connected devices, often using home Wi-Fi or personal mobile phones as communication hubs. This creates vulnerabilities due to weaker network security, inconsistent device management, and shared usage of consumer devices for non-medical purposes."

Hospitals should be viewed as interconnected ecosystems where cybersecurity must be addressed across infrastructure, software, systems, and devices, ENISA warned in its 2020 report "Procurement Guidelines for Cybersecurity in Hospitals". Yet, they pointed out that some of the most critical threats often come from procurement where the IT department isn't typically involved. To tackle these challenges, CYMEDSEC is testing its approach at two pilot hospitals coordinated by Ricciardi: the Hospital do Espírito Santo in Évora, Portugal, and the Casa Sollievo della Sofferenza, where he works. "Here in Italy, we will be mainly testing devices for the telemonitoring of patients with diabetes, such as glucometers and blood pressure monitors. From a cybersecurity perspective, we will examine their entire lifecycle from the procurement phase, including the definition of security requirements, through to their integration with existing systems, use in clinical practice, and eventual decommissioning," he explains.

Highlighting the need to move past a siloed approach is also the fact that clinical information systems are usually made up of components from different suppliers. These interact and share data, meaning that the vulnerability of one piece can compromise the whole system. "A particularly important area is supply chain cybersecurity," points out Gilbert. "People often assume that the hardware components such as chips and sensors are inherently safe. But that's a dangerous assumption. If we don't know exactly what's in our hardware, it becomes nearly impossible to guarantee system security. This is why we're also exploring eSIM-like approaches embedded directly in hardware, offering a new layer of traceability and protection. These kinds of innovations are becoming increasingly critical." One of the key recommendations of the "European action plan for cybersecurity in hospitals and healthcare providers", released in January, is to conduct risk assessments on medical devices. "It's a critical area that remains largely uncharted," admits Papaphilippou. "There is a wide variety of devices, each with its own vulnerabilities and suppliers, making this a complex but necessary task."

A lack of awareness is a vulnerability in itself, she stresses, because "if we're not conscious of the threats, we won't invest in reducing the risks." Along with the urgent need for investment, another major challenge at present is to inform patients, healthcare professionals, and all users of telemedicine apps and devices, confirms Ricciardi. "Many people may feel that it doesn't concern them, but cybersecurity is just as essential as road or workplace safety. It is everyone's responsibility, and we could all play our share simply by not choosing weak passwords or skipping two-factor authentications," he warns. Crucial in supporting awareness and building a coordinated response arsenal is regulation, adds Gilbert. "Regulation plays a central role, but we need to fundamentally rethink how it works in the context of modern, connected healthcare delivery," he exhorts. "The traditional 'fire-and-forget' model of building secure devices and leaving them alone is outdated. Instead, we need real-time oversight and continuous interaction across systems to monitor and manage risks. This shift demands a strategic commitment to building integrated partnerships and enabling systemic, real-time coordination," concludes Gilbert.

Provided by iCube Programme

Citation: Connected devices, shared risks: healthcare at a crossroads between opportunity and cyber threat (2025, October 15) retrieved 15 October 2025 from https://sciencex.com/wire-news/521967942/connected-devices-shared-risks-healthcare-at-a-crossroads-betwee.html