Nightmare scenario: Only 5% of hospitals annually test medical device security
Pretty much anyone in the health IT or hacker communities could tell you that medical devices are security sieves and potential nightmares for hospitals. But new research paints an even bleaker picture.
“Only 9 percent of manufacturers and 5 percent of users say they test medical devices at least annually,” according to the report, Medical Device Security: An Industry Under Attack and Unprepared to Defend, conducted by the Ponemon Institute.
It’s worth noting that Synopsys, a vendor that sells security services, sponsored the report.
So little testing takes place despite an overall lack of confidence that devices are secure and widespread recognition of the risks unsecured systems pose. Only about 30 percent of manufacturers and hospitals indicated that they encrypt data associated with internet-of-things devices.
Unfortunately, device security won’t get better anytime soon. Only 17 percent of manufacturers said they are working to protect medical devices, while 15 percent of healthcare providers are taking what Ponemon described as significant steps to do so.
The report also found that participants said their security budget would only increase after a hack or other cyberattack with life-threatening consequences, while 19 percent said that the potential loss of consumers to competing hospitals would draw more funding for device security.
And the general lack of accountability when it comes to testing and securing devices doesn’t help.
“While 41 percent of healthcare delivery organizations believe they are primarily responsible for the security of medical devices, almost one-third of both device makers and HDOs say no one person or function is primarily responsible,” according to the report.