Malware hits medical devices at 18 percent of healthcare orgs in last year

A new CHIME-KLAS survey of CIOs, CISOs and other security leaders finds that few are confident in their ability to protect patient safety and prevent disruptions from cybercriminals.
By Mike Miliard

Nearly one in five provider organizations (18 percent) polled for a new joint report from CHIME and KLAS have seen malware or ransomware infect or impact medical devices in the past year and a half.

WHY IT MATTERS

Few of those incidents ultimately resulted in compromised health information or an audit by the Office for Civil Rights, according to the almost 150 chief information officers, chief information security officers, chief technology officers and other IT and infosec leaders polled for the report. Even so, those device vulnerabilities were a big concern to most of them.

Fewer than 40 percent of respondents said they are "very confident or confident" that their health systems' existing strategies were adequate to safeguard those devices, protecting patient safety and preventing interruptions in clinical workflow, according to the survey.


THE BIGGER TREND

The Medical Device Security 2018 report does suggest that progress is being made as hospitals and health systems try to protect their IT systems and connected devices from malicious remote access and corruption from malware.

More than one in four (27 percent) of respondents said their security programs were substantial and fully functional, and almost half (47 percent) said they were developed during this calendar year, reflecting a readiness and responsiveness to persistent and fast-evolving threats.

Still, "progress has been slow," according to CHIME and KLAS, which found the CIOs and CISOs they polled citing internal factors – more than 75 percent cited insufficient resources – as major challenges to securing devices.

Poor asset and inventory processes were some other hurdles respondents cited, as well as ambiguous org charts that created murky security ownership and responsibilities.

And there were also big complaints about medical device vendors and the regulatory agency that oversees them. A huge majority of those polled – 96 percent – said security vulnerabilities stemmed from manufacturer-related factors.

Just as many said they face challenges managing outmoded operating systems and patching devices. Nearly two-thirds of survey respondents said manufacturers shift blame to FDA regulations that they claim hinder them from improving device security. Another third, meanwhile, said lack of clarity in FDA policies gave manufacturers an excuse to duck responsibility for device flaws.

ON THE RECORD

"Safeguarding medical devices requires a joint effort from both provider organizations and device manufacturers," added KLAS President Adam Gale. "Many providers have the basic building blocks for a general security program in place and are making progress, although it is difficult and time consuming, toward developing a mature program. We also are seeing some manufacturers being more proactive and accountable."

"Unsecured and poorly secured medical devices put patients at risk of great harm if those devices are hacked," said CHIME CEO Russ Branzell in a statement. "In recent years, that risk has increased exponentially as devices in hospitals and health organizations have become more and more interconnected. Our members are looking for ways to safeguard these devices, but they need resources and support to be effective."


Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com