- With more healthcare providers implementing connected devices, medical device security should be a top priority in ensuring comprehensive cybersecurity. However, a recent survey indicates that healthcare organizations might not be doing enough to keep those devices protected from potential threats.
Fifty-six percent of surveyed healthcare delivery organizations (HDOs) believe an attack is likely in the next 12 months on one or more medical devices, according to a Synopsys study conducted by the Ponemon Institute.
Medical Device Security: An Industry Under Attack and Unprepared to Defend also found that 67 percent of medical device makers believe such an attack to be likely to occur in the next year.
Even with such concerns, only 5 percent of HDOs said they test medical devices at least once per year, while 53 percent stated they do not test devices at all. Just 9 percent of device manufactures said they conducted yearly tests, with 43 percent of manufacturers saying they did not test medical devices.
"The security of medical devices is truly a life or death issue for both device manufacturers and healthcare delivery organizations," Ponemon Institute Chairman and Founder Dr. Larry Ponemon said in a statement. "According to the findings of the research, attacks on devices are likely and can put patients at risk. Consequently, it is urgent that the medical device industry makes the security of its devices a high priority."
Medical devices are difficult to secure, according to the survey results. Eighty percent of medical device manufacturers and users said this was the case. One-quarter of respondents said the built in security protocols or architecture adequately protected clinicians and patients.
When medical device security testing does occur, malware and vulnerabilities are found. Device makers that do conduct tests review an average of 30 percent of medical devices and HDOs test an average of 22 percent of medical devices.
HDOs reported they find malware in an average of 13 percent of medical devices, while device manufacturers find an average of 18 percent of medical devices contain malware.
HDOs added that approximately 27 percent of medical devices contain significant vulnerabilities, with nearly one-third of device makers finding the same conclusion.
There are also a lack of quality assurance and testing procedures in medical devices, the survey found. Fifty-eight percent of HDOs reported this, with 53 percent of device manufacturers also citing it as a key issue.
Respondents also listed rushing to release pressures on the product development team as a reason why devices contain vulnerable code (50 percent of device makers, 41 percent of HDOs). Fifty-two percent of HDOs also said that accidental coding errors led to vulnerable code, with 47 percent of device manufacturers agreeing.
In terms of specific types of security for medical devices, only 29 percent of HDOs deploy encryption to protect data transmitted from medical devices. One-third of device makers also said that they utilize encryption for traffic among IoT devices.
Of the respondents that utilize encryption, 35 percent of HDOs and 39 percent of device makers use key management systems on encrypted traffic.
A manual process (i.e. spreadsheet, paper-based) was the most common type of key management system used for both HDOs and device manufacturers. Hardware security modules, a central key management system/server, and a formal key management policy (KMP) were the next most commonly utilized systems, respectively.
The survey also found that security budget increases are only like to occur after a serious hacking incident took place. Following a hacking incident, HDOs reported that their security budgets would likely increase because of new regulations or concern over a relationship with clinicians and other third parties.
More entities are utilizing mobile devices as well, which are potentially affecting the overall data security. Approximately half of HDOs – 49 percent – said the use of mobile devices in hospitals and other healthcare organizations is significantly increasing security risks.
The report also revealed the disturbing fact that most device makers and users do not disclose medical device privacy and security risks. Fifty-nine percent of HDOs do not share information about security risks with clinicians and patients and only 22 percent added that their organizations have an incident response plan in place in the event of vulnerable or attacked devices.
For device manufacturers, 60 percent admitted they do not disclose privacy and security risks, while 41 percent stated they have an incident response plan in place.
"These findings underscore the cybersecurity gaps that the healthcare industry desperately needs to address to safeguard the well-being of patients in an increasingly connected and software-driven world," Synopsys' Software Integrity Group Global Director of Critical Systems Security Mike Ahmadi said in a statement. "The industry needs to undergo a fundamental shift, building security into the software development lifecycle and across the software supply chain to ensure medical devices are not only safe, but also secure."