Manufacturers, providers fear attack likely on medical devices
Medical device manufacturers and the healthcare providers that use these devices are significantly unprepared to defend against cyber attacks on their devices, according to results of a recent survey on security preparedness.
The study by the Ponemon Institute show that both makers and users of medical devices are concerned about the likelihood that key medical equipment could be hacked. Two-thirds of device makers and 56 percent of providers say an attack on devices is likely during the next year, according to the Ponemon survey.
The Ponemon Institute conducted the study for Synopsys, which sells a platform to manage security and quality issues in software development. The survey covered 242 device makers and 262 healthcare delivery organizations in the North America market.
Some 80 percent of device firms and healthcare respondents identified the development of secure devices as a major challenge, contending that devices remain vulnerable because of coding errors, lack of expertise on secure coding practices and pressure to meet product deadlines.
Despite those complications, fewer than 10 percent of respondents test devices at least annually, with 53 percent of healthcare organizations and 43 percent of manufacturers report that they do no testing on devices, a finding that surprises Larry Ponemon, chair and founder of Ponemon Institute.
“I was blinded when we found that,” he asserts. “I would have assumed (providers and manufacturers would have) testing; you would think there would be more because of the cyber threat, but that doesn’t seem to be a driver for change.”
Ponemon puts the onus for change on healthcare organization management, not necessarily on chief information officers and chief information security officers, who are trying to do the right things but don’t have the resources or backing of senior leaders.
He says that, when an attack happens, the CISO often is the fall guy and is fired, even though he or she may have been pushing for higher security. But the main mission for device makers and healthcare organization is to produce and distribute the product.
The survey found that one-third of all respondents reported that no person or function in their organization is primarily responsible for medical device security. Only half of device makers and 44 percent of healthcare organizations follow Food and Drug Administration guidance on mitigating device security risks.
The challenges that providers face with medical devices, which include clinician mobile devices such as smartphones, are overwhelming. Clinicians, Ponemon says, depend on their devices to efficiently serve patients, yet security protocols or architecture built in devices rarely adequately protect data. Security funding increases often occur only after a serious attack, and encryption is not widely used with Internet of Thing devices.
Too often, Ponemon contends, providers assume that security of pacemakers, insulin pumps and other devices brought into the hospital is the responsibility of the vendor.
“Healthcare does not prioritize security as much as other industries,” he says. “Providers are thinking of patient safety, not security risks. We see pressures on providers to have products available to meet the needs of patients. Are we even capable of knowing if we’ve been hacked?”
Ponemon was pleased to see the Food and Drug Administration recently issue guidance on cybersecurity, which he calls “pretty decent but not prescriptive—it doesn’t tell you step-by-step what to do.” But he fears that following the guidance could be seen by device manufacturers and providers as just adding to existing costs.
“We are living in a world where everything is a connected device. As we have more connected Internet of Things devices, risks increase. IOT devices are easy to hack. In healthcare, this could kill people,” he says.
The full report is available here.