The results of a HIMSS survey has revealed that medical device security is a strategic focus for most healthcare groups, yet fewer than 50% of healthcare providers have an approved budget for addressing security weaknesses in medical devices.
For the survey, HIMSS questioned 101 healthcare sector practitioners in the United States and Asia for IT giant Unisys.
85% of those questioned in the survey said medical device security was a strategic focus and 58% said it was a high priority, yet only 37% of respondents had an approved budget set aside to adapt their cybersecurity strategy for medical devices. Small to medium healthcare suppliers were even less likely to have adequate funds available, with 71% of companies lacking the budget for medical device security enhancements.
Weaknesses in medical devices are often being discovered. ICS-CERT has released several recent advisories about weaknesse in a wide range of devices. In many instances, flaws are discovered and addressed before they can be exploited by cybercriminals, although the WannaCry attacks last year displayed just how much of a risk is involved – to organizations as well as patients.
A recent MedCrypt-funded study from the University of California Cyber Team has shown that some healthcare groups have encountered cybersecurity incidents involving unsecured medical devices that have had an adverse effect on patients. The groups that had experienced incidents involving compromised medical devices stated between 100 and 1,000 patients had been impacted.
Bill Parkinson global senior director, Unisys Life Sciences and Healthcare said: “While most life sciences and healthcare organizations understand the need to strengthen device security, many are struggling with legacy devices that were never designed to be internet-accessible – and with the explosion of ransomware and sophisticated cyberattacks like WannaCry, that can put both the provider and the patient at risk.”
Those who participated in HIMSS/Unisys survey were asked what security measures they had implemented to safeguard their medical devices. 85% said they had firewalls and network access control measures, although only 53% said they employed segregated networks for medical devices, even though segmentation of networks can help groups mitigate risk.
Parkinson said: “To ensure proper security, all devices require equally strong protection – firewalls alone are not enough in today’s environment. In this regard, microsegmentation, the ability to segment and restrict network and device data to pre-authorized groups of users and devices, can be a critical asset for hospitals and medical providers.”
The survey also looked into how healthcare providers are recording and handling data gathered by medical devices. Around 60% of healthcare providers said they were prepared for a device audit at all times, but less than a third of providers were recording device data in actual-time.
Parkinson said: “The importance of having access to real-time data cannot be underestimated. Not only can data analytics help life sciences and healthcare organizations reduce device downtime by ensuring devices are operational, it can significantly improve audit readiness and better inform future purchasing decisions.”