- Despite recognizing medical device security as a priority, only 37 percent of more than 100 healthcare practitioners had budgets to implement their device security strategy, according to a HIMSS survey.
Most respondents (85%) said they used firewalls and network access controls at their organization, while around half (52%) said they used segregated networks for their medical devices.
"It is extremely disconcerting that even though most healthcare providers agree that device security is a top priority, only a few have put budget in place to support it," said Global Senior Director for Unisys Life Sciences and Healthcare Bill Parkinson.
“While most life sciences and healthcare organizations understand the need to strengthen device security, many are struggling with legacy devices that were never designed to be internet-accessible — and with the explosion of ransomware and sophisticated cyberattacks like WannaCry, that can put both the provider and the patient at risk," he added.
The survey also asked respondents how their organization captures and manages the data gathered by medical devices. Only around one-third said they were capturing device data on a real-time basis, and a similar percentage used analytics captured from device data for medical device purchases.
“The importance of having access to real-time data cannot be underestimated. Not only can data analytics help life sciences and healthcare organizations reduce device downtime by ensuring devices are operational, it can significantly improve audit readiness and better inform future purchasing decisions,” Parkinson concluded.
The survey found that a majority of large hospitals and healthcare systems manage their medical devices internally, compared with 39 percent for small to mid-sized hospitals and healthcare systems.
Six out of ten providers reported that the IT and clinical engineering teams are both responsible for medical device security. Two-thirds of providers make medical device purchases based on recommendations from the facilities team or clinical staff, according to the survey.
Highlighting the importance of medical device security, ICS-CERT issued a June 5 advisory warning about security vulnerabilities in Philips’ IntelliVue patient and Avalon fetal monitors that could result in a delay of diagnosis and treatment of patients.
The vulnerabilities — improper authentication, information exposure, and stack-based buffer overflow — could enable an attacker to read/write memory and induce a denial of service through a system restart, the advisory warned.
The Philips devices affected by the vulnerabilities are IntelliVue patient monitors MP series (including MP2/X2/MP30/MP50/MP70/NP90/MX700/800) Rev B-M, IntelliVue patient monitors MX (MX400-550) Rev J-M and (X3/MX100 for Rev M only), and Avalon fetal/maternal monitors FM20/FM30/FM40/FM50 with software Revisions F.0, G.0, and J.3.
Oran Avraham of Medigate reported the Philips device vulnerabilities to the National Cybersecurity and Communications Integration Center (NCCIC).
NCCIC recommended that device users take the following defensive measures:
• Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet
• Locate all medical devices and remote devices behind firewalls and isolate them from the business network
• Use secure remote access methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available and that they are only as secure as the connected devices
NCCIC said organizations should perform an impact analysis and risk assessment prior to deploying defensive measures.
Philips said it will provide a remediation patch for supported versions of the devices, as well as an upgrade path for all versions. The company said it will communicate service options to all affected install-base users.
In its product security advisory, Philips said that the vulnerabilities cannot be exploited without an attacker first attaining local area network (LAN) access to the medical device.
The device maker has received no reports of exploitation of these vulnerabilities or incidents from clinical use and is not aware of public exploits that specifically target these vulnerabilities.