HIMSS recently conducted a survey that confirmed that medical device security is a major priority at most healthcare companies. The problem, however, is that fewer than half of healthcare companies have allocated a budget for dealing with the security of medical devices. Unless more funds are made available, the devices will continue to be vulnerable and will be an easy entry point into healthcare networks.
HIMSS sought input from 101 healthcare industry practitioners in the US and Asia for the Unisys-sponsored study. 85% of survey participants said the security of medical devices was a strategic priority, while 58% said it was a top priority; however, just 37% of survey respondents had a budget approved for implementing their cybersecurity plan for medical devices. Small and medium-sized healthcare companies were less likely to have the necessary funds available to implement their cybersecurity strategy.
Vulnerabilities in healthcare devices are discovered often. ICS-CERT has recently released a number of advisories about flaws in a wide array of medical devices. In many cases, vulnerabilities are discovered and corrected before cybercriminals exploit them, but the WannaCry attacks a year ago showed that this is not always the case.
The participants in the HIMSS/Unisys survey were also asked about the security measures they had already implemented to keep their networks and medical devices secure. 85% of respondents said they have implemented firewalls and network access control systems. Only 53% confirmed they have separate networks for medical devices.
Unisys Life Sciences and Healthcare global senior director Bill Parkinson said all devices need strong protection and firewalls are not sufficient. If medical devices are to be secured, healthcare providers need to do more to secure their devices. “In this regard, microsegmentation, the ability to segment and restrict network and device data to pre-authorized groups of users and devices, can be a critical asset for hospitals and medical providers.”
The survey additionally looked into how healthcare companies gather and manage the data obtained from medical devices. About 60% of healthcare companies claimed they were prepared for a device audit at any time; however, less than one-third of healthcare providers were collecting device information in real time. The value of getting real-time data should not be underestimated. Data analytics can help life sciences and healthcare companies minimize device downtime by making sure the devices are functioning correctly. It can also substantially enhance audit readiness and better inform future buying decisions.
While there have been many reports of vulnerabilities in medical devices, the exploitation of those flaws is not only theoretical. A recent MedCrypt-funded study at the University of California revealed that some healthcare organizations have experienced data breaches as a result of unaddressed flaws in medical devices. Organizations that have experienced such breaches said between 100 and 1,000 patients had been negatively affected.