A US survey of medical device manufacturers and healthcare delivery organisations has revealed a lack of confidence and alignment in securing medical devices.
The study, “Medical Device Security: An Industry Under Attack and Unprepared to Defend”, found that 67% of medical device manufacturers and 56% of healthcare delivery organisations believe an attack on a medical device built or in use by their organisations is likely to occur over the next 12 months. The survey also found that roughly one third of device makers and healthcare deliverers are aware of potential adverse effects to patients due to an insecure medical device, but despite the risk only 17% of device makers and 15% of providers are taking significant steps to prevent such attacks.
The Synopsys study, conducted by the Ponemon Institute, a leading IT security research organisation, aimed to identify whether device makers and delivery organisations are aligned on the need to address cybersecurity risks. The study surveyed approximately 550 individuals whose roles involve the security of medical devices, including implantable devices, radiation equipment, diagnostic and monitoring equipment, robots, as well as networking equipment designed specifically for medical devices and mobile medical apps.
“The security of medical devices is truly a life or death issue for both device manufacturers and healthcare delivery organisations,” says Dr. Larry Ponemon, Chairman and founder of the Ponemon Institute. “According to the findings of the research, attacks on devices are likely and can put patients at risk. Consequently, it is urgent that the medical device industry makes the security of its devices a high priority.”
Other key findings from the study highlight:
- Building secure devices is challenging. 80% of device makers and healthcare delivery organisations report that medical devices are very difficult to secure. The top reasons cited for why devices remain vulnerable include accidental coding errors, lack of knowledge/training on secure coding practices and pressure on development teams to meet product deadlines.
- Lack of security testing. Only 9% of manufacturers and 5% of healthcare deliverers say they test medical devices at least once a year, while 53% of delivery organisations and 43% of manufacturers do not test devices at all.
- Lack of accountability. While 41% of healthcare delivery organisations believe they are primarily responsible for the security of medical devices, almost one-third of all those surveyed say no one person or function in their organisations is primarily responsible.
- FDA guidance is not enough. Only 51% of device makers and 44% of healthcare delivery organisations follow current FDA guidance to mitigate or reduce inherent security risks in medical devices.
“These findings underscore the cybersecurity gaps that the healthcare industry desperately needs to address to safeguard the wellbeing of patients in an increasingly connected and software-driven world,” says Mike Ahmadi, Global Director of Critical Systems Security for Synopsys’ Software Integrity Group.
A complete copy of the “Medical Device Security: An Industry Under Attack and Unprepared to Defend” report can be found here: https://www.synopsys.com/software-integrity/resources/analyst-reports/medical-device-security-report.html. In addition, Synopsys and the Ponemon Institute are hosting a webinar on June 21 at 9 a.m. PT to discuss the key findings of the study: https://www.brighttalk.com/webcast/11447/263163.
Recent cyber attacks on the NHS have caused major disruption and threats to data security. Cyber crime does not respect national boundaries so vulnerabilities highlighted elsewhere are likely to be equally applicable across the globe. The only way to fight these criminal attacks is for healthcare organisations and technology providers across the globe to join forces to ensure the systems and software in use remain at least one step ahead of those who would seek to make commercial gain or achieve maximum disruption from holding health services to ransom.