Healthcare Information Security

Medical Device Cybersecurity Top Challenge to IoT Ecosystem

A Deloitte poll found that one-third of IoT professionals state legacy and medical device cybersecurity is the greatest cybersecurity challenge.

By Elizabeth Snell

Individuals working in the Internet of Things (IoT) connected medical device ecosystem are most concerned with potential medical device cybersecurity issues, according to a recent Deloitte poll.

Nearly one-third of respondents – 35.6 percent – stated that their organization experienced a cybersecurity incident in the past year. Approximately 30 percent of those surveyed said identifying and mitigating potential risks in legacy and connected devices was the greatest cybersecurity challenge.

Deloitte surveyed more than 370 professionals during a May 2017 webcast. The polled individuals worked in organizations operating in the medical device/IoT ecosystem. 

The reported IoT medical device cybersecurity concern for manufacturers, providers, and regulators was not surprising, explained Russell Jones, Deloitte Risk and Financial Advisory partner, Deloitte & Touche LLP.

“Legacy devices can have outdated operating systems and may be on hospital networks without proper security controls,” Jones said in a statement. “Connected device cybersecurity can start in the early stages of new device development, and should extend throughout the product’s entire lifecycle; but even this can lead to a more challenging procurement process. There is no magic bullet solution.”

Jones added that collaboration between providers, manufacturers, and suppliers will be essential when it comes to closing those cybersecurity gaps. Feedback and information sharing are important for the industry, and are necessary to address the cybersecurity problem.

Respondents also cited the following IoT medical device challenges:

  • Embedding vulnerability management into the medical device design phase (19.7 percent)
  • Monitoring and responding to cybersecurity incidents (19.5 percent)
  • Having a lack of collaboration on cyber threat management throughout the connected medical device supply chain (17.9 percent)

The poll also found that only 18.6 percent of respondents feel that their organization is “very prepared” to address medical device cybersecurity litigation, internal investigations or regulatory matters from incidents in the next 12 months.

“As regulatory, litigation, and internal investigation activities start to focus on post-market cybersecurity management, leading organizations are taking a more forensic approach to discerning the timeline and size of cyber incidents so the impact to intellectual property, client data and other areas can be addressed more quickly,” stated Scott Read, Deloitte Risk and Financial Advisory principal, Deloitte Transactions and Business Analytics LLP. “Forensic analyses responding to regulator, litigant, or whistleblower concerns may even help predict the next moves of cyberattackers.”

Medical device cybersecurity is a top concern for healthcare stakeholders, as well as lawmakers. A bill proposed in early August 2017 aims to provide greater cybersecurity protections for medical devices.

Senator Richard Blumenthal introduced The Medical Device Cybersecurity Act of 2017 (S. 1656), saying that medical device security is in critical condition.  

“My bill will strengthen the entire health care network against the ubiquitous threat of cyberattacks,” Blumenthal said in a statement. “Without this legislation, insecure and easily-exploitable medical devices will continue to put Americans’ health and confidential personal information at risk.”

Ransomware and other cybersecurity threats will likely only continue to evolve, he maintained. Manufacturers with unsecured devices could knowingly or unknowingly sell vulnerable products that could potentially put patient data at risk.

Blumenthal added that the bill will increase medical device cybersecurity transparency by creating a cyber report card for devices and require that testing be performed before devices are sold.

CHIME and AEHIS voiced their support for the legislation, and cited networked medical device security as a key pain point.

“The recent cyber attacks underscore the importance of this legislation,” AEHIS Board Chair Deborah Stevens said in a statement. “WannaCry and Petya shined a bright light on the vulnerabilities in the healthcare sector and more specifically with medical devices. On behalf of the AEHIS membership we applaud Senator Blumenthal for taking on this important issue.”
