Nightmare scenario: Only 5% of hospitals annually test medical device security

Both device manufacturers and providers lack confidence that devices are secure and most won’t get a bigger budget to protect them until a breach strikes, Ponemon Institute says.
By Tom Sullivan

Pretty much anyone in the health IT or hacker communities could tell you that medical devices are security sieves and potential nightmares for hospitals. But new research paints an even bleaker picture.

“Only 9 percent of manufacturers and 5 percent of users say they test medical devices at least annually,” according to the report, “Medical Device Security: An Industry Under Attack and Unprepared to Defend,” conducted by the Ponemon Institute.

It’s worth noting that Synopsys, a vendor that sells security services, sponsored the report.


So little testing takes place despite an overall lack of confidence that devices are secure and widespread recognition of the risks unsecured systems pose. Only about 30 percent of manufacturers and hospitals indicated that they encrypt data associated with internet-of-things devices.

Unfortunately, device security won’t get better anytime soon. Only 17 percent of manufacturers said they are working to protect medical devices, while 15 percent of healthcare providers are taking what Ponemon described as significant steps to do so.

The report also found that participants said their security budget would only increase after a hack or other cyberattack with life-threatening consequences, while 19 percent said that the potential loss of consumers to competing hospitals would draw more funding for device security.

And the general lack of accountability when it comes to testing and securing devices doesn’t help.

“While 41 percent of healthcare delivery organizations believe they are primarily responsible for the security of medical devices, almost one-third of both device makers and HDOs say no one person or function is primarily responsible,” according to the report. 
