Despite Vulnerabilities, Organizations Aren’t Properly Securing Medical Devices
Medical devices are highly vulnerable to attack, say medical professionals and device manufacturers. Nevertheless, a surprisingly small percentage of health care delivery organizations (HDOs) and medical device-makers are taking significant steps to prevent such threats. Furthermore, patients have already suffered adverse effects from these attacks, including inappropriate treatment or therapy.
Those sober findings stem from a new study conducted by the Ponemon Institute entitled “Medical Device Security: An Industry Under Attack and Unprepared to Defend.” As reported by SecurityWeek, the survey included 550 respondents, ranging from health care delivery professionals to medical device-makers.
Attacks Underway on Medical Devices
The survey reveals 67 percent of device-makers believe an attack on one or more devices built by their organization is likely, and 56 percent of HDOs think such an attack is likely over the next 12 months.
Despite these concerns, however, only 22 percent of HDOs report that their organizations have a response plan in place for an attack on vulnerable medical devices, while 41 percent of device-makers say they have such a plan.
Making matters worse is that patients have already suffered adverse effects from cyberincidents. In fact, 31 percent of device-makers and 40 percent of HDOs say they’re aware of such attacks. Of these respondents, 38 percent of HDOs say they’re aware of inappropriate treatment given to a patient because of an insecure device. And 39 percent of device-makers say attackers have taken control of their devices, the survey found.
Focus on IoT Hardware
As the Internet of Things (IoT) evolves from concept to reality, concerns are rising about the safety of connected devices. The U.S. Food and Drug Administration (FDA) in January asked health IT experts to offer draft guidance on the security and interoperability of medical devices. In a recent presentation, the FDA called the health care and public health critical-infrastructure sector “the largest attack surface for national security today.”
Securing these devices isn’t easy. In the Ponemon Institute study, 80 percent of medical device manufacturers and users say devices are very difficult to secure. And just 25 percent of respondents say the devices’ security protocols or architecture adequately protects clinicians and patients.
Better Protection Needed
The Ponemon study lists several reasons for the subpar security of medical hardware, including:
- Vulnerable code due to lack of quality assurance and testing procedures, as well as “rush to release” pressures on product development teams.
- Most organizations don’t encrypt IoT device traffic: Only 39 percent of device-makers do so, and just 29 percent of HDOs encrypt data transmitted from devices.
- Testing of devices is uncommon: Just 9 percent of manufacturers and 5 percent of users say they test their devices at least annually.
- Accountability is lacking: Nearly one-third of device-makers and HDOs say no one person or function is primarily responsible for the security of devices manufactured or used.
The medical hardware made or used by survey participants includes: robots, implantable devices, radiation equipment, diagnostic and monitoring gear and networking hardware designed specifically for medical devices and mobile apps.