6 key reasons why providers worry about device security
A new report summarizes the confidence level of 148 HIT executives at provider organizations in their medical device security strategies. While some progress has been made, there is still significant reason for concern, says the report, a collaboration between the College of Healthcare Information Management Executives, the Association for Executives in Healthcare Information Security and KLAS. Here is a look at the top device security challenges.
Unsecured medical devices
Citing patient safety as a top concern, most respondents are neutral about or not confident in their existing medical device strategy, with chief information officers (CIOs) and chief information security officers (CISOs) the most apprehensive. Common frustrations include limitations placed on providers by a lack of support from device manufacturers, such as recommendations that may conflict with delivering patient care. Providers also struggle to understand what assets exist, which assets have been patched, which are connected to the network and what systems the devices are talking to. The 39% of respondents who express confidence in their device security strategy point to their policies and procedures.
Safeguarding devices requires effort from providers and manufacturers, but providers view their vendors as a cause of device security issues. One CISO told the associations, “I think there needs to be a coordinated effort between the manufacturers, provider sites and the regulators. I wish there was some other way for us to address this issue, but without that three-way partnership, I just don’t see how things will work out.” Further, 96% of organizations say root causes of medical device security issues stem from the vendor.
Confronting legacy devices
There is a gap between how long organizations expect to be able to use a device and how long vendors feel they can keep a device up to date and secure. Nearly all interviewed providers struggle with out-of-date operating systems or with their inability to patch a device throughout its expected life cycle. But vendors often do not allow providers to patch devices themselves. Insufficient security controls, insufficient encryption and hardcoded passwords are seen as manufacturer-caused issues. Ninety-six percent of providers say the top manufacturer-related factors causing medical device security issues are out-of-date operating systems and the inability to patch.
Providers also confront organizational factors that hinder better device security, particularly poor asset/inventory visibility and unclear security ownership. Providers may be at risk if they lack visibility into which devices are connected to their network, or what information is being sent and received by those devices. A lack of resources because of staff shortages and budget constraints compounds the problem. Seventy-six percent of providers report that their resources are insufficient to properly secure devices.
Ineffective communication between providers and manufacturers often means patches and updates aren’t released when they should be, and then many providers spend considerable time finding updates when they are released. Many manufacturers may not allow customers to patch devices themselves.
Frustration with the FDA
When KLAS interviewed providers, it did not ask for comment on the Food and Drug Administration’s role in medical device security, but many providers raised the issue. Providers believe manufacturers use FDA policies as an excuse not to patch their devices, with some claiming that patching would require the device to undergo another 510(k) certification, which KLAS calls a common industry misconception. Even when regulations are clear, providers believe the FDA rarely holds manufacturers responsible when something goes wrong, such as a data breach, with the providers paying the price rather than the manufacturers. Sixty-seven percent of manufacturers also blame FDA policies.