A new study by the Ponemon Institute on behalf of Synopsys aimed to identify whether medical device manufacturers and healthcare delivery organisations (HDOs) agree about the need to address cyber-security risks.
Approximately 550 individuals from manufacturers and HDOs whose roles involve the security of medical devices were surveyed.
“The security of medical devices is truly a life or death issue for both device manufacturers and healthcare delivery organisations,” said Dr Larry Ponemon, chairman and founder of the Ponemon Institute, in a statement. “Attacks on devices are likely and can put patients at risk. Consequently, it is urgent that the medical device industry makes the security of its devices a high priority.”
About one-third of device makers and HDOs are aware of potential adverse effects on patients caused by an insecure medical device. Despite the risk, only 32 percent of all respondents are taking significant steps to prevent these attacks.
A majority (80 percent) of respondents reported that medical devices are rather difficult to secure. Respondents said devices remain vulnerable because of accidental coding errors, a lack of knowledge or training in secure coding practices, and pressure on development teams to meet product deadlines.
Only nine percent of manufacturers and five percent of HDOs say they test medical devices at least once a year. Meanwhile, 53 percent of HDOs and 43 percent of manufacturers don't test devices at all.
Forty-one percent of HDOs feel they are the primary ones responsible for medical device security, yet almost one-third of all respondents feel the primary responsibility belongs to no one person or function in their organisations.
Only 51 percent of device manufacturers and 44 percent of HDOs follow current FDA guidance to mitigate or reduce inherent security risks in medical devices.
“These findings underscore the cyber-security gaps that the healthcare industry desperately needs to address to safeguard the well-being of patients in an increasingly connected and software-driven world,” said Mike Ahmadi, global director of critical systems security at Synopsys' Software Integrity Group. “The industry needs to undergo a fundamental shift, building security into the software development lifecycle and across the software supply chain to ensure medical devices are not only safe, but also secure.”
Commenting on the findings, Tim Erlin, vice-president of product management and strategy at Tripwire, told SC Media UK: “The fact that the majority of both manufacturers and providers believe that more attacks on these devices are likely should be a clear indicator that medical device security is a pervasive problem.
“It's not surprising that the vast majority of respondents see attacks as inevitable, given that less than 10 percent actually test the security of these devices at least annually. It's shocking to think that the devices delivering care to patients simply aren't tested for security.
“The problems surrounding medical device security are varied, but they're not new. Other industries have struggled with similar challenges around testing, disclosure of security issues and alignment between vendors and users. It requires a focused effort to address these challenges head on. It's unacceptable to put patient care in the hands of insecure and untested devices.”