The U.S. healthcare system is awash in wireless medical devices.
But both medical device manufacturers and healthcare providers don’t see their devices as anywhere near safe from a data breach, ransomware attack or any other form of cybercrime, according to new research from the Ponemon Institute.
In fact in a survey of 550 executives of executives at medical device manufacturing companies and healthcare organizations, 67% and 56%, respectively, of device maker and provider executives believe an attack on their devices will happen in the next year. But only 17% of device manufacturers and 15% of healthcare executives are taking significant steps to prevent a cybercrime.
“The security of medical devices is truly a life or death issue for both device manufacturers and healthcare delivery organizations,” says Ponemon chairman and founder Larry Ponemon. “According to the findings of the research, attacks on devices are likely and can put patients at risk.”
The study included individuals from manufacturers and healthcare delivery organizations whose roles involve the security of medical devices, including implantable devices, radiation equipment, diagnostic and monitoring equipment, robots, as well as networking equipment designed specifically for medical devices and mobile medical apps.
Other key findings include:
- Building secure devices is challenging.80% of device makers and healthcare providers report that medical devices are very difficult to secure. The top reasons cited for why devices remain vulnerable include accidental coding errors, lack of knowledge/training on secure coding practices and pressure on development staff to meet product deadlines.
- Lack of security testing.Only 9% of manufacturers and 5% of providers say they test medical devices at least once a year, while 53% of providers and 43% of device makers do not test devices at all.
- Lack of accountability.41% of providers say they are primarily responsible for the security of medical devices, but almost one-third of both device makers and providers say no one person or function in their organizations is primarily responsible.
- Government guidance is not enough.Only 51% of device makers and 44% of providers follow current guidance from the Food and Drug Administration to mitigate or reduce security risks in medical devices.
- Mobile is a big security factor. 60% of healthcare providers and 49% of device makers say mobile devices and wireless medical equipment is significantly increasing the risk of a cybercrime.
Despite the knowledge that their medical devices are vulnerable to cybercrime, most manufacturers and provider organizations don’t expect to make major change until an attack does occur.
“Respondents believe their organizations would increase the budget only if a potentially life-threatening attack took place,” the report says. “Only 19% of healthcare delivery organizations say concern over a potential loss of customers or patients due to a security incident would result in more funds for medical device security.”
Ponemon Institute, a security research and consulting company, did the survey in conjunction with security services company Synopsys Inc.
“These findings underscore the cybersecurity gaps that the healthcare industry desperately needs to address to safeguard the well-being of patients in an increasingly connected and software-driven world,” says Synopsys’ Software Integrity Group global director of critical systems security Mike Ahmadi.
Favorite