Health IT, Devices & Diagnostics

67 percent of device makers think an attack on their products is likely in the next year

How aware of potential attacks are medical device makers? Pretty aware. But are they taking big steps to do anything about it? Not so much.

cybersecurity, lock, digital, cyberattack

By this point, it’s not altogether surprising that hackers are going after medical devices. And this is only exacerbated by the fact that security-wise, devices aren’t completely safe. A recent report from security firm WhiteScope found more than 8,000 vulnerabilities in pacemakers.

A new report from Ponemon Institute unravels the topic a bit further, even with its telling title: “Medical Device Security: An Industry Under Attack and Unprepared to Defend.”

presented by

As part of its research, Ponemon surveyed two groups of participants in March 2017: 242 individuals who are involved or have a role at a device maker and 262 individuals who are involved or have a role in a healthcare delivery organization. Respondents from both groups held various positions, from senior executives/VPs to managers to engineers.

Ponemon questioned participants on a variety of topics related to devices and security.

The results?

Two-thirds (67 percent) of device makers believe an attack on one or more of their devices is either likely or very likely. Fifty-six percent of HDOs felt the same.

sponsored content

A Deep-dive Into Specialty Pharma

A specialty drug is a class of prescription medications used to treat complex, chronic or rare medical conditions. Although this classification was originally intended to define the treatment of rare, also termed “orphan” diseases, affecting fewer than 200,000 people in the US, more recently, specialty drugs have emerged as the cornerstone of treatment for chronic and complex diseases such as cancer, autoimmune conditions, diabetes, hepatitis C, and HIV/AIDS.

Yet only 17 percent of device makers and 15 percent of HDOs said they are taking significant steps to prevent attacks on medical devices. Another 35 percent of device makers and 29 percent of HDOs said they’re taking some steps to thwart attacks. But 39 percent of device makers and 45 percent of HDOs claimed they’re not taking any steps at all.

This could be because all employees don’t feel comfortable speaking up about device security. Only 43 percent of device makers and 61 percent of HDOs reported they feel empowered to raise concerns about device security at their organizations.

It could also be because organizations aren’t exactly heeding the FDA’s advice. Fifty-one percent of device makers and 44 percent of HDOs follow guidance from the FDA to mitigate security risks in devices.

According to Ponemon Institute, device makers spend an average of $4 million on the security of their devices each year, while HDOs spend an average of $2.4 million annually. Naturally, a budget increase would be one way to go about amping up security protocol. But that seems unlikely unless a serious hacking event occurs. Sixty-one percent of device makers and 59 percent of HDOs said a major hacking incident would influence their organization to increase its security budget. Another 40 percent of device makers and 54 percent of HDOs said new regulations would convince their organization to enlarge its budget.

The prevalence of attacks and insecure medical devices can result in patients experiencing adverse events. Alarmingly, a decent portion — 31 percent of device makers and 40 percent of HDOs — said they’re aware of such events.

But even though the respondents were aware that patients are impacted, 40 percent of device makers and 44 percent of HDOs don’t know what the adverse event or harm was.

Photo: mattjeacock, Getty Images