More than 60 percent of healthcare IT executives lack confidence that their current medical device security strategy protects patient safety and prevents disruptions in care.
The survey found that only 39 percent of respondents were confident or very confident in their medical device security program.
Around 18 percent said they had medical devices that were infected by ransomware or other malware in the last 18 months.
For the survey, KLAS polled 148 chief information officers, chief information security officers, chief technology officers and other professionals at provider organizations on behalf of the College of Healthcare Information Management Executives (CHIME).
The report found that there were around 10,000 connected medical devices per organization, and approximately one-third of those devices were unpatched.
Cybercriminals were more likely to target larger organizations, but larger organizations were also more likely to have adequate security programs in place.
Organizations that were confident about their medical device security programs said that solid security policies and procedures were the leading reason for their confidence, followed by strong technology. Those organizations that lacked confidence cited lack of manufacturer support as the top reason, followed by lack of asset and inventory visibility.
“Unsecured and poorly secured medical devices put patients at risk of great harm if those devices are hacked,” said CHIME President and CEO Russell Branzell. “In recent years, that risk has increased exponentially as devices in hospitals and health organizations have become more and more interconnected. Our members are looking for ways to safeguard these devices, but they need resources and support to be effective.”
Almost all of the respondents said manufacturer-related factors were a root cause of medical device security problems. Nearly all said they struggled with out-of-date operating systems or the inability to patch devices, which are major security risks.
“Safeguarding medical devices requires a joint effort from both provider organizations and device manufacturers,” said KLAS President Adam Gale. “Many providers have the basic building blocks for a general security program in place and are making progress, although it is difficult and time consuming, toward developing a mature program. We also are seeing some manufacturers being more proactive and accountable.”
About one-third of respondents said FDA policies were unclear, which gave manufacturers ways to skirt responsibility, and a similar percentage said that even when policies were clear, the FDA didn't hold manufacturers accountable.
Three-quarters of respondents said that their resources were insufficient and too strained to adequately secure medical devices. Almost half cited poor asset and inventory visibility as a top organizational factor, followed by ambiguous security ownership and responsibility.
Although many remained concerned about their medical device security, they also reported improvements to their security programs compared to a year earlier. In 2018, more than one-quarter of respondents considered their security programs to be fully functional, and close to half said their programs were developed or starting to function, compared to 16 percent and 41 percent, respectively, in 2017.
To help improve medical device security, the FDA teamed with MITRE to develop a medical device playbook, which was released earlier this month.
The playbook is designed to help healthcare organizations plan for and respond to cyberattacks against medical devices, ensure the effective operations of those devices, and protect patient privacy.
The playbook describes how healthcare organizations can develop a cybersecurity preparedness and response framework, including conducting device inventory, developing a baseline of medical device cybersecurity information, and conducting training exercises.
The playbook supplements existing emergency management and incident response capabilities with regional preparedness and response recommendations for medical device cybersecurity incidents.
In developing the playbook, MITRE worked with the FDA and consulted with several healthcare providers, regional healthcare groups, researchers, state health departments, and medical device manufacturers.