
Medical Device Security 2018
What Are the Greatest Challenges, and How Can They Be Overcome?

Authors: Joe VanDeGraaff, Dan Czech

October 5, 2018 | Read Time: 6 minutes

While funding and strategy development have increased for security overall, healthcare organizations are bombarded from all sides by security attacks. Due to the patient-safety risks, many feel particularly vulnerable when it comes to medical device security. This report—a collaborative effort between the College of Healthcare Information Management Executives (CHIME), the Association for Executives in Healthcare Information Security (AEHIS), KLAS, and provider organizations—aims to examine the current state of the industry and identify best practices for improvement. The 148 interviewed provider organizations shared how confident they feel in their medical device security strategies, the most common challenges they face, their perceptions of the security and transparency of major medical device manufacturers, and the best practices they leverage to overcome medical device security challenges.


[Figure: KLAS cybersecurity research framework]

Patient Safety a Top Concern with Unsecured Medical Devices

Citing patient safety as a top concern, most respondents are neutral about or not confident in their current medical device security strategy, with CISOs and CIOs more likely to report concern. The most common frustrations for unconfident organizations are the limitations placed on them by a lack of needed support from device manufacturers, including manufacturer recommendations that may conflict with the need to effectively deliver patient care. Almost as common are internal issues related to basic—but hard-to-master—security tasks, such as understanding what assets exist in their organization, which have been patched, which are connected to their network, and what systems those devices are talking to, all issues that get addressed as organizations develop their medical device security programs. About one-fifth of respondents feel that the inherent risks of medical devices—several of which are outside of their control—will prevent them from ever feeling confident.

The 39% of respondents who express confidence in their device security strategy’s ability to protect patient safety most often point to their security processes and policies—including access limitations, network segmentation, and regular device monitoring and risk assessment—as the source of their confidence. To support these processes and policies, many leverage security technologies, such as access controls, asset tracking, firewalls, and medical device monitoring. Strong executive support (financial and organizational) and cross-department collaboration also drive confidence, as evidenced by the fact that large IDNs, who more commonly have greater financial resources, are more likely to be confident in their strategies.


[Figure: protecting patient safety and preventing care disruptions]

Root Causes of Medical Device Security Struggles

Safeguarding medical devices requires a joint effort from both provider organizations and device manufacturers. Yet regardless of their level of confidence, interviewed organizations are almost unanimous in citing manufacturer-related factors as a cause of their medical device security issues. A CISO explained, “I think there needs to be a coordinated effort between the manufacturers, the provider sites, and the regulators. I wish there were some other way for us to address this issue, but without that three-way partnership, I just don’t see how things will work out.”

[Figure: root causes of medical device security issues]

Manufacturer-Related Factors: Legacy Medical Devices a Universal Challenge

[Figure: top manufacturer-related factors causing medical device security issues]

There is a gap between how long organizations expect to be able to use a device and how long vendors feel they can keep a device up to date and secure. As a result, nearly all interviewed organizations have struggled with out-of-date operating systems or the inability to patch a device throughout its expected life cycle. Currently, many manufacturers do not allow customers to patch devices themselves (or void warranties if they do). Insufficient security controls, insufficient encryption, and hardcoded passwords are each cited as manufacturer-caused issues by about half of respondents. Adding to provider organizations’ frustration, on average, almost one-third of medical device vendors decline to offer contract provisions favorable to security. However, some manufacturers have been receptive to standardized security contract language proposed by forward-thinking provider organizations, a practice becoming more commonplace in the industry.


[Figure: provider perspective on the manufacturer–FDA relationship]

Organizational Factors


Poor Asset Visibility & Ambiguous Security Ownership the Top Challenges

[Figure: top organizational factors causing medical device security issues; 76% of provider organizations report that their resources are insufficient]

Aside from manufacturer-caused issues, there are also organizational factors that hinder better medical device security. In this research, organizations most often highlight poor asset/inventory visibility and ambiguous security ownership. Organizations may be at serious risk if they lack visibility into what devices are connected to their network or what information is being sent and received by those devices. Additionally, shared ownership of medical device security can create confusion, and organizations with shared ownership are less likely to report confidence in their security strategy’s ability to protect patient safety. As one CISO explained, “When everybody is in charge, nobody is in charge.” Difficulties in these two areas often stem from a lack of adequate resources—whether that be in the form of staff shortages, budget constraints, process issues, or inadequate technology.


Device Manufacturer Performance Insights


Security a Perceived Struggle for All Device Vendors; BD and Spacelabs Seen as Most Transparent

In recent years, new threats, the overall volume of legacy devices, and an increase in the need for connectivity have shifted the medical device security landscape, leaving both manufacturers and provider organizations scrambling to catch up. On the manufacturer side, updates and patches often aren’t released as quickly as customers would like, older devices often aren’t supported, and because of ineffective communication, many organizations have to spend considerable time tracking down patches when updates are released. Following a reported vulnerability, BD transformed customer perceptions through proactive communication, improved follow-through, and the creation of a dedicated security team. Spacelabs has the highest percentage of customers describing them as transparent, and the limited number of interviewed customers feel well informed.


[Figures: smart pump manufacturers; imaging manufacturers; patient monitoring manufacturers]

Organization Best Practices


Foundational Defenses: Technology & Due Diligence
The process of securing a medical device begins before the device is even installed and consists of due diligence overseen by solid governance and clear ownership. In completing their due diligence, organizations must perform risk assessments, ensure the inclusion of security provisions in their contracts, and ensure they receive a software bill of materials. Once the device is in place, network segmentation, antivirus software, and vulnerability scanning are some of the most common and basic technologies used to ameliorate risk. By disconnecting unnecessary medical devices from their network, organizations can mitigate risk and reduce the impact of a security event.
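The asset-visibility and segmentation problems the report keeps returning to (knowing which devices are connected, which run an out-of-support OS, and what systems they talk to) can be made concrete with a small reconciliation of an inventory against observed network flows. This is an added example, not code from the KLAS report or from any vendor named in it; every device, address, segment and flow below is constructed sample data, and the end-of-support dates are the vendor's published dates for those two Windows versions.

```python
# Added example: reconcile a medical-device inventory against observed flows.
# Surfaces three findings the report's respondents struggle to see:
#   1. devices on the network that are not in the inventory,
#   2. inventoried devices whose OS is past vendor end of support,
#   3. devices talking outside their assigned network segment.
from datetime import date
from ipaddress import ip_address, ip_network

INVENTORY = {  # constructed: device IP -> attributes
    "10.20.1.11": {"name": "infusion-pump-07", "os": "WinXP", "segment": "10.20.1.0/24"},
    "10.20.1.12": {"name": "infusion-pump-08", "os": "Win10", "segment": "10.20.1.0/24"},
    "10.20.2.21": {"name": "ct-scanner-02", "os": "Win7", "segment": "10.20.2.0/24"},
}
FLOWS = [  # constructed: (source IP, destination IP, destination port)
    ("10.20.1.11", "10.20.1.250", 443),  # pump -> in-segment gateway: expected
    ("10.20.1.11", "198.51.100.7", 80),  # pump -> outside its segment
    ("10.20.1.12", "10.20.1.250", 443),
    ("10.20.1.99", "10.20.1.250", 443),  # source not in inventory
    ("10.20.2.21", "10.20.9.5", 445),    # scanner -> a different internal segment
]
# Vendor end-of-support dates for the OS labels used above.
END_OF_SUPPORT = {"WinXP": date(2014, 4, 8), "Win7": date(2020, 1, 14)}


def audit(inventory, flows, eos, today):
    """Return the three finding lists a security team would triage."""
    unknown = sorted({src for src, _, _ in flows if src not in inventory})
    legacy = sorted(ip for ip, dev in inventory.items()
                    if dev["os"] in eos and eos[dev["os"]] <= today)
    cross_segment = []
    for src, dst, port in flows:
        dev = inventory.get(src)
        if dev and ip_address(dst) not in ip_network(dev["segment"]):
            cross_segment.append((dev["name"], dst, port))
    return {"unknown_devices": unknown, "legacy_os": legacy,
            "cross_segment_flows": cross_segment}


def run_audit():
    """Run the audit over the constructed data as of the report's date."""
    return audit(INVENTORY, FLOWS, END_OF_SUPPORT, date(2018, 10, 5))


if __name__ == "__main__":
    for finding, items in run_audit().items():
        print(finding, items)
```

Note that the Windows 7 device is not flagged as legacy on the 2018 audit date but would be on any date after January 2020, which is the "expected life cycle versus vendor support window" gap the report describes.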

Patching Strategies
Out of necessity, organizations are resourceful when it comes to patching. They actively reach out to vendors to find out when patches are available; sometimes they patch devices themselves, and sometimes they have the vendor do it for them. They have also begun requesting that vendors use contract language that clearly outlines patching responsibilities and timelines.

[Figure: patching strategies]

Third-Party Software and Services
Nearly 75% of respondents use or plan to use third-party software or services to improve medical device security. Network access control (NAC) is most often used to segment networks and approve/deny access. Cisco is used most widely, followed by ForeScout and Aruba. To reduce costs and clearly define ownership, other organizations outsource their clinical engineering. Traditional clinical engineering vendors Aramark, Sodexo, and TRIMEDX have also begun to be used for device security. Some respondents use vulnerability-scanning tools from Tenable and Qualys. Up-and-comers CloudPost and Zingbox are gaining traction, offering comprehensive security platforms that help with network discovery, anomalous-behavior detection, blacklisting, and microsegmentation.

[Figure: third-party software and services used for medical device security]

Overall Healthcare Security Trends


[Figure: overall healthcare security trends]

Writer: Elizabeth Pew | Designer: Jess Wallace-Simpson | Project Manager: Robert Ellis

This material is copyrighted. Any organization gaining unauthorized access to this report will be liable to compensate KLAS for the full retail price. Please see the KLAS DATA USE POLICY for information regarding use of this report. © 2024 KLAS Research, LLC. All Rights Reserved. NOTE: Performance scores may change significantly when including newly interviewed provider organizations, especially when added to a smaller sample size like in emerging markets with a small number of live clients. The findings presented are not meant to be conclusive data for an entire client base.