Study finds medical device security pros may have false sense of security

News by Robert Abel

A recent study surveying healthcare IT professionals found that while the majority of them are very confident their connected devices are protected from cyber-attacks, there may be some disconnects between the perceived level of security and how secure medical devices actually are.

The 2018 Zingbox Second Annual Connected Medical Device Survey sought input from more than 200 healthcare IT professionals and 200 clinical and biomedical engineers and found 87 percent of healthcare IT professionals are "confident" that their connected medical devices are protected in the event of a cyber-attack.

The survey also found this confidence is based on the prevailing misconception that traditional IT security solutions can adequately secure connected medical devices.

While 85 percent of respondents reported they were "confident" that they have an accurate inventory of all connected medical devices, researchers called the findings into question, since room-to-room auditing, the most common inventory process specified in the survey, is very resource-intensive, susceptible to human error, and nearly certain to be outdated by the time it’s completed.

This is because static asset management solutions are only as accurate as the manual entries made in the system, and they quickly become obsolete as devices are relocated, updated, or retired.

"This survey revealed several disconnects: between perceived device security and actual security coverage available from traditional IT solutions; between the need for modern security solutions and the lack of budget supporting such initiatives; and between the perceived accuracy of device inventory and the manual processes required to maintain a comprehensive account of devices used," researchers said in the report. "These gaps between common perceptions and real-world security environments should serve as a wake-up call to the industry."

Researchers said the biggest hurdle continues to be IT professionals’ misperception that traditional IT security solutions can adequately protect connected medical devices and that this gives them a false sense of security that leaves them vulnerable to attack.

Unfortunately, researchers saw little change in respondents’ mindsets from those in last year’s survey.

The study also found 69 percent of healthcare IT professionals believe that traditional security solutions designed for laptops and desktops can adequately secure connected medical devices, and 64 percent of respondents indicated the use of manual room-to-room audits or static databases to inventory connected medical devices.

When asked whether they felt they had real-time information about which connected medical devices may be vulnerable to cyber-attack, approximately 79 percent of healthcare IT professionals said they did, while approximately 10 percent said no, and another 10 percent didn’t know.

Money might be a problem as well. Forty-one percent acknowledged that they either do not have a separate budget or that the allocated budget is not sufficient to secure connected medical devices. Researchers said a lack of priority in budget allocation is particularly alarming, since it forces IT professionals to continue to rely on traditional security solutions rather than on deploying solutions designed specifically for connected medical devices.

In order to improve, researchers recommend users evaluate modern security solutions designed specifically for the unique characteristics of connected medical devices, seek out a security solution that interoperates with existing services and solutions to maximise ROI, and seek out solutions that extend beyond security to include device discovery, utilisation, onboarding, and operational insight.

This article was originally published on SC Media US.
