When it comes to securing devices, businesses are facing quite the challenge. 90% of IT security pros find that connected devices will be a major security issue this year and for medical devices, the picture is looking even harder.

A recent Ponemon Institute study found that 67% of medical device makers state they expect an attack on their devices within the next 12 months. While 56% of healthcare delivery organizations (HDOs) anticipate an attack on their devices within the next 12 months.

  • Devices are vulnerable, yet organizations aren’t taking actions to prevent attack.  Ponemon’s study finds that only 17% of medical device maker companies are taking significant steps to prevent an attack on their medical devices.
  • And only 15% of HDOs are taking significant measures to mitigate attack.

As technology and digital move forward devices are growing in number and organizations must adapt and innovate; but the budget that’s been set aside doesn’t seem to include the necessary steps required to ensure medical devices are secure.

  • Gartner predicts that by 2020 more than 25% of identified attacks in businesses will involve IoT, although IoT will account for less than 10% of IT security budgets.

Even though these numbers are for IoT devices, medical devices fall within that category seeing as they can be connected to a network and work with a software that needs updating.  With this in mind, the fact that only 10% of an organization’s security budget will be spent for securing these devices reconfirms the challenge with device security.

Limited budget is no news to you probably, but in addition to this challenge the top three challenges mentioned by the healthcare executives who took Ponemon’s survey include: lack of knowledge and training in building secure code, accidental coding errors, and pressure to meet production deadlines.  Not to mention that for healthcare getting Food and Drug Administration (FDA) approval for a medical device can take anywhere from 18 months to three years.

According to the Ponemon report: lax security testing, a lack of accountability and the FDA’s cybersecurity guidance versus mandatory requirements have been detrimental to establishing strong cybersecurity on medical devices; but there is something organizations can do to minimize their risks that doesn’t involve the construction phase of medical devices per se.

Let’s start with another statistic from the Ponemon study that points to what healthcare organizations aren’t doing that they can do: 43% of medical device manufacturers and 53% of HDOs do not conduct cybersecurity testing on their medical devices. Meanwhile, only 9% of device makers and 5% of HDOs conduct medical device testing at least once a year.

Cybersecurity testing is something that can be included if an organization invests in a holistic security approach.  This means onboarding a program that ensures you conduct testing of your network and the devices connected to it so that you can spot vulnerabilities and address them.

A complete cybersecurity posture also includes assessing an organization’s existing security program, creating a plan to address current needs and putting a remediation plan in place, as well as ensuring compliance requirements are being met (for healthcare that’s HIPAA), and quarterly consulting to provide knowledgeable staff on cybersecurity topics that will notice vulnerabilities that require fixing.

If you’re unclear on where your security posture stands and what the state of your medical device risks are looking like, get in touch.

Schedule your free cybersecurity consultation to get ahead of your risks.

 

Photo Courtesy of buttet