HIT execs affirm medical devices grow as security risks

Malware’s and ransomware’s reach is extending to medical devices, according to a survey of top healthcare IT executives.

A survey by KLAS Research in collaboration with the College of Healthcare Information Management Executives (CHIME) found that 18 percent of provider organizations had medical devices affected by malware or ransomware in the last 18 months.

The survey underscores increasing industry concern about the vulnerability of connected medical devices, such as infusion pumps, as the nation grapples with concern that these devices can be hijacked by hackers to jeopardize patient safety or potentially provide access to provider networks.

HIT executives who reported medical device incursions said few of the incidents resulted in compromised protected health information or an audit by the Office for Civil Rights of the Department of Health and Human Services.

A total of 148 chief information officers (CIOs), chief information security officers (CISOs), chief technology officers (CTOs) and other professionals at provider organizations were interviewed about their medical device security programs for the report.

Only 39 percent of respondents said they were very confident or confident that their current strategy protects patient safety and prevents disruptions in care.

Results from the survey suggest that, while organizations are making progress in developing and hardening their overall security programs, progress has been slow when it comes to securing medical devices.

“Safeguarding medical devices requires a joint effort from both provider organizations and device manufacturers,” says Adam Gale, president of KLAS. “Many providers have the basic building blocks for a general security program in place and are making progress, although it is difficult and time consuming. We also are seeing some manufacturers being more proactive and accountable.”

According to the benchmarking report, “Medical Device Security 2018,” respondents cited patient safety as their top concern with unsecured medical devices. Larger organizations were more likely to be targeted by cyber criminals, but they also were more likely to have mature security programs.

Organizations that were confident about their medical security programs cited solid security policies and procedures as the leading reason for their confidence, followed by strong technology. Those that lacked confidence in their medical device security cited lack of manufacturer support as the top reason, followed by lack of asset and inventory visibility.

Overall, 96 percent identified manufacturer-related factors as a root cause of medical device security issues. Nearly all respondents reported struggles related to out-of-date operating systems or the inability to patch devices, which are major security risks. On average, respondents said the manufacturers for almost one-third of their medical devices have told them that they cannot be patched.

Respondents also say internal factors are a concern. Some 76 percent reported that their resources are insufficient and too strained to adequately secure medical devices. Almost half cited poor asset and inventory visibility as a top organizational factor, followed by ambiguous security ownership and responsibility.

“Unsecured and poorly secured medical devices put patients at risk of great harm if those devices are hacked,” says Russell Branzell, president and CEO of CHIME. “In recent years, that risk has increased exponentially as devices in hospitals and health organizations have become more interconnected. Our members are looking for ways to safeguard these devices, but they need resources and support to be effective.”
