Medical device cybersecurity is lousy — beyond lousy.

Indeed, the word from security experts for most of the past decade (and certainly since those devices increasingly have become connected to the internet) has been that while the physical security of most is superb and the devices function flawlessly, possibly for years at a time, when it comes to security from malicious online attacks, these devices are frighteningly insecure.

The web is practically littered with recent reports confirming this:

- A study by WhiteScope IO released in May reported more than 8,000 vulnerabilities in the code that runs in seven pacemakers from four manufacturers.
- A report released in December 2016 on an investigation into new implantable cardiac defibrillators (ICDs) found security flaws in the proprietary communication protocols of 10 of them.
- Trend Micro reported in May that more than 36,000 healthcare-related devices in the U.S. alone are discoverable on Shodan, the search engine for connected devices.
- Ponemon, in a survey sponsored by Synopsys, reported in May that, “roughly one third of device makers and HDOs (health delivery organizations) are aware of potential adverse effects to patients due to an insecure medical device, but despite the risk only 17 percent of device makers and 15 percent of HDOs are taking significant steps to prevent such attacks.”

The problem, which has existed since HDOs began connecting these devices to the internet, is that the majority are being trusted to do what they weren’t designed to do — protect patient information and the patients themselves — from cyber attacks.

Chris Camejo, director of product management, threat intelligence at NTT Security, noted that most medical devices in use today would be secure, “only in a closed, trusted environment without any potentially malicious activity.”

“Unfortunately a hospital network can't be considered trusted, as it is connected to the internet and contains thousands of internal users, any one of whom could click on the wrong link or download the wrong attachment,” he said.

Still, debate continues about how imminent the risk of physical harm is. Jay Radcliffe, a medical device security expert and Type-One diabetic, famously said at the 2014 Black Hat conference that it would be far more likely for “an attacker to sneak up behind me and deliver a fatal blow to my head with a baseball bat” than to be harmed by a cyber attack.

And the experts I spoke with say they are unaware of a documented, targeted attack on a device that caused physical harm to a patient.

But Stephanie Domas, lead medical security engineer at Battelle DeviceSecure Services, said a lot remains unknown about whether malfunctions of devices are caused by malicious cyber incidents. “I don’t know of a manufacturer that does root-cause forensics when a medical device misbehaves,” she said. “Nobody is looking to see how it happened.”

Camejo said regardless of the class of device, or whether it is located inside or outside of the hospital environment, “the risks are essentially the same: Patients’ lives often depend on these devices performing their functions accurately, and an attacker who can control one of these devices can alter those functions to the potential detriment of the patient, up to and including death.”

So should certain devices be banned? Domas and other experts say no – that it is difficult to say that one device, or even class of devices, is more vulnerable than others. They say the problem lies more in specific capabilities or features that can make them much more attractive targets and/or their users more vulnerable to harm.

These are the 5 features that the experts I spoke with say cause the greatest risk:

1. Cloud dependent

Only about 10 percent of medical devices fall into what the Food and Drug Administration (FDA) calls Class III, which means they are designed to sustain or support life (e.g., pacemakers and glucose meters). If these devices were hacked, an attacker could put patients’ lives or health in jeopardy.

Sonali P. Gunawardhana, of counsel with Wiley Rein and a former FDA attorney, pointed to glucose meters that are smartphone connected, which help patients monitor their sugar levels. If the app on the phone is hacked and a patient receives incorrect data, leading to incorrect decisions on managing sugar levels, “that can cause irreparable harm,” she said.

Chris Clark, principal security engineer at Synopsys, said devices that depend on the cloud for performance are “similar to telemedicine,” and can include devices like infusion pumps and patient monitors that use the cloud to perform their services.

“They have to go out to the internet,” he said, “which means there is a high potential for disruption or denial.”

2. RF connectivity

Clark said anything that is RF (radio frequency) based is at higher risk.

“Fitbit talks Bluetooth to our smartphones,” he said, “which is mostly OK, since it doesn’t talk to other devices.

“But the phone is an aggregation point for all types of technology, not just healthcare,” he said. “Most people don’t even know if they have Wi-Fi or Bluetooth. They just assume the manufacturer has provided for their security. But once we’ve enabled that type of tech, it’s more savory for an attacker.”

3. Commercial operating systems and software

Domas noted that WannaCry (one of the most recent high-profile ransomware worms) “was not targeted at medical devices. Nothing about it was aimed at hospitals, but it affected a lot of them once it was able to get in.

“Those attacks look for anything that is vulnerable. They saw devices that were vulnerable and attacked them.”

And even if it hadn’t attacked specific devices, the encryption of everything in a hospital system could mean shutting down all devices that serve patients.

Also, those systems may be obsolete. The Trend Micro survey found that more than 3 percent of exposed devices still used Windows XP, the Microsoft operating system that the company no longer supports, which means it no longer receives security updates.

4. Holding patient data

Not all devices hold patient data, Domas said, but those that do are vulnerable to having that data compromised, since they generally communicate directly with the Electronic Health Records (EHR) system.

“There have been in-the-wild attacks on X-rays and PACS (Picture Archiving and Communication System),” Domas said, “some of which will contain a whole patient record.

“The devices are designed to talk to your records, so anything that compromises them will have a connection to the rest of the data on a patient.”

Gunawardhana agreed. “Pacemakers, insulin pumps, CT scanners, MRI machines and digital health records are at the greatest risk, given their interconnectivity to various medical platforms within the hospital setting,” she said. “There are many ways these devices could be hacked in which damage could be done to patients.”

5. Third-party connections

Clark said it is not so much the class of the device but its purpose. “Remote monitoring is becoming incredibly popular,” he said, because it helps existing staff oversee all the patients in hospitals where they might not be able to do it physically.

“But if they use third-party servers, there is a high level of risk,” he said.

Domas agreed, noting that “devices that need to phone home” depend on the security of that third party. “It punches a hole in your (the HDO’s) security,” she said, noting that this applies to any connection “that needs to leave the hospital.”

One example is devices in ambulances that connect with a server at the hospital, so doctors in the hospital can see when a patient arrives what was already done in the ambulance. “You want that information to get to the doctor,” she said, “so there are good reasons for the device to have that capability,” but it also means the communication is less secure than it might be inside the hospital system.

PCs within the hospital network could even be considered a “third party.” Camejo noted that many devices are controlled through PCs. “Even if the device itself isn’t vulnerable, an attacker who takes over the PCs that administer these devices could gather passwords and then attack the devices directly,” he said.