- A disturbing 41 percent of healthcare IT professionals do not have a separate or sufficient budget for connected medical device security, according to a recent survey by Propeller Insights on behalf of Zingbox.
Despite this lack of resources, 87 percent of respondents are confident that their connected medical devices are protected from a cyberattack, according to the survey of 400 US-based healthcare IT decision-makers and clinical engineers. This is down slightly from the 90 percent of respondents who were confident about the security of their connected medical devices in Zingbox's 2017 healthcare security survey.
This confidence could stem from misperception about securing connected medical devices. More than two-thirds of respondents believe that traditional security solutions designed for laptops and PCs can secure connected medical devices. This result was down slightly from the 2017 survey, which found that 72 percent of respondents had this belief about traditional security solutions.
“Much of the healthcare professionals’ confidence on the device protection and real-time device vulnerability in this survey is based on the use of traditional IT security solutions. The false sense of security can be disastrous for healthcare organizations who will be caught unprepared for the next round of ransomware/malware attacks,” the Zingbox report opined.
Around 79 percent of respondents believe they have real-time information on which connected medical devices may be vulnerable to cyberattack. This compares with 76 percent of respondents who had the same belief in the 2017 survey.
For the first time, clinical and biomedical engineers were included in Zingbox’s healthcare security survey.
The survey found that 85 percent of clinical/biomed engineers are confident that they have an accurate inventory of their connected medical devices, although close to two-thirds of them rely on manual processes to inventory devices.
The most common manual process used to inventory devices is room-to-room audit, which is “very resource, susceptible to human error, and is certain to be outdated by the time it’s completed,” the report observed.
The second most common manual process, static asset management, is “only as accurate as the manual entry into the system,” the report added.
More than half of clinical/biomedical engineers said they must walk over to a device or call others to check whether a device is in-use before scheduling repairs. Many make the trip only to find out that the device is in-use by patients.
“Often there is no other recourse than to reschedule the service for another date and time hoping for a better outcome,” the report commented.
A recent HealthcareITSecurity.com feature found that experts from across the healthcare industry agree that collaboration and proactive preparation are vital for maintaining the security of medical devices that directly support quality patient care.
Healthcare organizations can stay ahead of malicious actors by engaging with longer-term industry efforts to improve security while taking immediate steps to close gaps in the medical device ecosystem, the experts noted.
“When it comes down to it, everybody really does want the patients to be treated safely and securely,” said MITRE IT and Cybersecurity Integrator Penny Chase. “But there’s a lot of work to be done, and the bad guys are always ahead of us. We really need to figure out how we can come together and better protect ourselves.”
She recommended that healthcare providers add procurement language in contracts with security requirements for device manufacturers, such as requiring devices to run antivirus software and be upgradable.
Chase also advised hospitals to segment their networks so that critical medical devices are on a separate network from the organization’s main network to ensure continuity in case a problem strikes the larger network and to prevent compromised medical devices from being used as an entry point into the larger network.