Dive Brief:

• Nearly one in five health IT executives reported a malware or ransomware attack affected medical devices at their provider organizations in the last 18 months, according to a new report by the College of Healthcare Information Management Executives (CHIME) and Klas Research.
• Only 39% of survey respondents said they were confident or very confident that their organization’s current cybersecurity strategy protects patient safety and prevents disruptions in care.
• Most (96%) cited factors related to manufacturers as a root cause of medical device security issues, with out-of-date operating systems or unavailability of patch solutions being major security risks.

Dive Insight:

FDA believes a cyber attack on medical devices remains a persistent threat, more than a year after the May 2017 WannaCry global ransomware attack froze computers at U.K. hospitals and affected over 200,000 businesses and organizations across more than a hundred countries.

The agency last month said it would launch a cybersecurity playbook for healthcare providers, and earlier this year it released a medical device safety action plan calling for new authority to build security updates and patch capabilities into products at the design stage. Congress is also concerned, especially about older legacy technologies, and has issued a request for information on how to improve security in the medical device sector.

The CHIME-Klas researchers interviewed 148 chief information officers, chief security information officers, chief technology officers and other professionals at provider organizations about how they are handling the challenges of securing medical devices.

FDA’s role in medical device security was often raised as an issue by the survey participants, with almost two-thirds claiming manufacturers blame FDA policies for preventing them from making devices more secure. About a third said FDA policies are unclear, and another third said FDA does not hold manufacturers accountable.

Three of four (76%) respondents said their organizations' resources are too strained to adequately secure medical devices. Almost half cited poor asset and inventory visibility as a key problem, followed by ambiguous security ownership and responsibility. About a quarter (27%) said their security programs are fully functional and 47% said they were developed or starting to function in 2018, up from 16% and 41% in 2017.

Respondents said manufacturers of almost one-third of their medical devices have told them the products cannot be patched.

Though 18% reported ransomware or malware had impacted medical devices at their organizations, few of those events compromised patient health information or required government intervention, the report said.

Top reasons for lack of confidence in medical device security were: lack of manufacturer support (37%), lack of asset/inventory visibility (36%), patching issues (31%), still developing program (27%) and inherent risk/no solution (19%).

The top manufacturer-related factors cited as causing device security issues were: out-of-date operating systems/inability to patch (93%), insufficient security controls (55%), hard-coded passwords (49%), lack of encryption (47%) and other manufacturing issues (20%).