Gap between perception, reality of connected medical device security, survey finds

Dive Brief:

As use of connected medical devices abounds in healthcare, a new Zingbox survey finds a worrying disconnect between IT professionals’ confidence that devices are protected from cyber attacks and the security of those devices.
Nearly eight in 10 respondents to the Healthcare Security Survey said they have real-time data about which connected medical devices are vulnerable to cyber attack, and 87% expressed confidence the devices could safely withstand an attack.
However, more than two-thirds of surveyed clinical and biomedical engineers and IT/IS professionals believe traditional security measures for laptops and PCs will suffice to secure connected technologies against cyber criminals — and that's just not the case.

Dive Insight:

Despite frequent cyber and ransomware attacks on healthcare organizations, eight in 10 hospitals and health systems lacked a C-suite leader to manage enterprise-wide cybersecurity in 2017 and only 11% planned to add one this year, according to Black Book Market Research.

Medical devices may be used for years with software that has not been updated or patched, making them particularly vulnerable to malicious attacks. A recent McAfee Labs investigation showed that cybercriminals could tamper with vital signs on hospital networks using a patient monitor and central monitoring system, causing patients to get unnecessary tests or the wrong medication.

To prevent such attacks, the McAfee team suggested vendors encrypt network traffic between connected medical devices and strengthen authentication. They also recommended that hospitals operate devices on an isolated network with strict network-access controls.

Exacerbating concerns is the accuracy and maintenance of connected medical device inventories. Nearly two-thirds of clinical and biomedical engineers told Zingbox they rely on manual processes to inventory connected devices in their organization. And just over a fifth said they perform preventative maintenance on devices based on usage rather than a fixed schedule.

More than half of clinical and biomedical engineers (55%) reported needing to physically go to a device or get others to check on it before scheduling repairs, only to find, in many cases, that a patient is using the device.

“Despite the recent progress of the healthcare industry, the survey exemplifies the continued disconnect between perception and the actual device protection available from legacy solutions and processes. Unfortunately, much of the current perception stems from the use of traditional solutions, processes and general confusion in the market,” CEO and founder of Zingbox Xu Zou said in a statement. “Only by adopting the latest IoT technology and revisiting decades-old processes, can healthcare providers be well prepared when the next WannaCry hits.”

To enhance device security, Zingbox recommends organizations consider security programs specifically intended for connected medical devices and suggests looking for ones that include functionalities like onboarding, utilization and operational insight as well.