Tuesday, May 30, 2017

Manufacturers, Healthcare providers fear attack likely on medical devices

Medical device manufacturers and the healthcare providers that use their devices are largely unprepared to defend against cyber attacks on those devices, according to the results of a recent survey on security preparedness.

The research by the Ponemon Institute indicates that both makers and users of medical devices are concerned about the likelihood that key medical equipment could be hacked. Two-thirds of device makers and 56% of healthcare providers say an attack on devices is likely during the next year, according to the Ponemon survey.

The Ponemon Institute conducted the research for Synopsys, which sells a platform to handle security and quality problems in software development. The survey covered 242 device makers and 262 healthcare delivery organizations in the North American market.

Some 80% of device firms and healthcare respondents recognized the development of secure devices as a key challenge, asserting that devices remain vulnerable due to coding errors, lack of expertise on secure coding practices and pressure to meet product deadlines.

Despite those complications, fewer than 10% of respondents test devices at least yearly, and 53% of healthcare agencies and 43% of manufacturers report that they do no testing on devices, a finding that surprises Larry Ponemon, chair and founder of Ponemon Institute.

“I was blinded when we discovered that,” he contends. “I would have assumed (providers and manufacturers would have) testing; you would think there would be more due to the cyber threat, but that does not seem to be a driver for change.”

Ponemon puts the onus for change on healthcare organization management, not necessarily on chief information officers and chief information security officers, who are attempting to do the right things but do not have the resources or backing of senior leaders.

He claims that, when an attack happens, the CISO often is the fall guy and is fired, even though he or she may have been pushing for higher security. But the main mission for device makers and healthcare agencies is to produce and distribute the product.

The survey discovered that one-third of all respondents reported that no person or function in their agency is primarily responsible for medical device security. Only half of device makers and 44% of healthcare organizations follow Food and Drug Administration guidance on mitigating device security risks.

The challenges that providers face with medical devices, which include clinician mobile devices like smartphones, are overwhelming. Clinicians, Ponemon says, rely on their devices to efficiently serve patients, yet the security protocols or architecture built into devices rarely protect data adequately. Security funding increases often occur only after a serious attack, and encryption is not widely used with Internet of Things devices.

Too often, Ponemon asserts, providers assume that security of pacemakers, insulin pumps and other devices brought into the hospital is the responsibility of the vendor.

“Healthcare doesn’t prioritize security as much as other industries,” he says. “Healthcare providers are thinking of patient safety, not security risks. We see pressures on healthcare providers to have products available to meet the needs of patients. Are we even capable of knowing if we have been hacked?”

Ponemon was glad to see the Food and Drug Administration recently issue guidance on cybersecurity, which he calls “pretty decent but not prescriptive—it does not tell you step-by-step what to do.” But he fears that following the guidance could be seen by device manufacturers and providers as just adding to existing costs.

“We’re living in a world where everything is a connected device. As we have more connected Internet of Things devices, risks increase. IOT devices are convenient to hack. In healthcare, this could kill people,” he claims.

The full report is available here.

 
