Is Medical Device Security Keeping You up at Night?
It is almost impossible these days to read an article about cybersecurity in healthcare that doesn’t list medical device security as one of the top (if not the top) concerns for healthcare organizations today. Just over the past 12–18 months, there have been several widely publicized vulnerabilities across multiple device manufacturers. In fact, organizations like PwC and others have listed medical device security as one of the top issues facing the healthcare industry today. In a recent conversation I had with the CISO of a large IDN, that CISO shared, “We are working on an initiative right now because medical device security is clearly an area of attention that is needed. For healthcare, this is key. We are not talking about medical information and medical records anymore. We are talking about patient care.”
Medical device security is important for many reasons, but the two most frequently cited to me as the critical reasons healthcare organizations are moving medical device security higher on their lists are patient safety and the loss of protected health information (PHI) through data breaches.
- Patient Safety – Security professionals have a heightened concern over the possibility that a hacker could gain access to a medical device and cause physical harm to a patient by altering the device’s settings.
- PHI Loss/Data Breaches – Devices that are connected to the network, even when that network is segmented, introduce a potential point of entry for a hacker intending to access PHI. Medical devices present an interesting challenge because they frequently run outdated operating systems, ship with hardcoded passwords, lack proper authentication, or have insufficient security controls.
The sheer scale of the problem—organizations often have thousands or tens of thousands of medical devices connected to their networks—contributes to the growing concern over having a solid security program in place to help prevent attacks. When this is compounded with the human element of either malicious or unintentionally harmful behavior by employees and the constant threat of attack from the outside, it is no wonder that medical device security is one of the most pressing concerns on the minds of healthcare CISOs.
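As an added illustration (this is not code from the post, from KLAS, or from any device manufacturer), the script below shows how a clinical-engineering or security team might turn the four weaknesses just described (unsupported operating systems, default or hardcoded passwords, missing authentication, and placement on a flat network) into a first-pass triage of a large device inventory, weighting each finding by the two drivers the post names: patient safety and PHI exposure. The device records, field names, weights, multipliers, and dates are constructed assumptions for the example, not a standard or a vendor format.

```python
"""Triage a medical device inventory by common weakness categories.

Added example. Inventory records, field names, weights and dates below are
constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Device:
    asset_id: str
    model: str
    os_name: str
    os_end_of_support: Optional[date]  # None = vendor still supports this OS
    default_credentials: bool          # vendor default / hardcoded password still in use
    enforces_authentication: bool      # device requires a login for configuration changes
    network_segment: str               # assumed values: "clinical-iot" or "corporate"
    handles_phi: bool                  # stores or transmits patient data
    patient_connected: bool            # delivers therapy or monitors a patient directly


# Assumed weights per weakness; credentials and authentication gaps rank highest
# because they need no exploit development to abuse.
WEIGHTS = {
    "unsupported_os": 3,
    "default_credentials": 4,
    "no_authentication": 4,
    "unsegmented": 2,
}


def find_weaknesses(dev: Device, today: date) -> List[str]:
    """Return the list of weakness categories present on one device."""
    issues = []
    if dev.os_end_of_support is not None and dev.os_end_of_support < today:
        issues.append("unsupported_os")
    if dev.default_credentials:
        issues.append("default_credentials")
    if not dev.enforces_authentication:
        issues.append("no_authentication")
    if dev.network_segment == "corporate":  # sits on the general network, not a clinical VLAN
        issues.append("unsegmented")
    return issues


def risk_score(dev: Device, today: date) -> int:
    """Sum weakness weights, then scale by patient-safety and PHI impact (assumed multipliers)."""
    base = sum(WEIGHTS[i] for i in find_weaknesses(dev, today))
    if base == 0:
        return 0
    multiplier = 1.0
    if dev.patient_connected:  # a compromised setting can cause physical harm
        multiplier *= 2.0
    if dev.handles_phi:        # a compromised device is a path to a data breach
        multiplier *= 1.5
    return int(base * multiplier)


def prioritize(inventory: List[Device], today: date) -> List[Tuple[int, str, List[str]]]:
    """Rank devices highest risk first; ties broken by asset id for a stable report."""
    ranked = [(risk_score(d, today), d.asset_id, find_weaknesses(d, today)) for d in inventory]
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return ranked


# Constructed sample inventory and assessment date (not real assets).
TODAY = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    Device("INF-001", "infusion pump", "embedded OS (legacy)", date(2016, 1, 1),
           True, False, "corporate", False, True),
    Device("PACS-002", "imaging workstation", "server OS", None,
           False, True, "corporate", True, False),
    Device("MON-003", "bedside monitor", "embedded OS", date(2030, 1, 1),
           True, True, "clinical-iot", True, True),
    Device("LAB-004", "lab analyzer", "embedded OS", None,
           False, True, "clinical-iot", True, False),
]


if __name__ == "__main__":
    for score, asset_id, issues in prioritize(SAMPLE_INVENTORY, TODAY):
        print(f"{asset_id:10} risk={score:3d} issues={', '.join(issues) or 'none'}")
```

Running the script lists the legacy, default-password infusion pump on the corporate network first, which is the combination of findings the post is most worried about; the approach scales to the tens of thousands of devices mentioned above because each record is scored independently and the fields can be populated from an existing CMMS or asset inventory export.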
In another recent conversation, I spoke with a CIO who leads the security program of a community hospital, and he shared his perspective on how critical it is that the medical device security problem gets solved:
“Medical device security is an area of very high concern. I think that there is a significant amount of risk that has not been fully appreciated by the FDA or the manufacturers, frankly.
Manufacturers are in a difficult situation as well because they have a lot of equipment that has been out for many years that is still in production and vulnerable, but even new products still have learning curves for trying to educate the manufacturers on what should and should not be done in terms of the basic things, such as having default passwords on equipment. Now that so much of the functionality is wireless and on the network, there is another level of risk in terms of patient safety.
I think there are a lot of things that need to be done, but I would say that we are probably just like everybody else; we feel that we are kind of spitting into the wind in terms of our risk assessment. We understand that there is a problem. We have our clinical-engineering staff working to help us understand which particular product lines are going to be the most difficult to mitigate. I think medical device security is a high-risk area for healthcare, and I am not sure that any one institution can really do a lot.”
To provide insight into some of these challenges and how they are being addressed, KLAS, in conjunction with CHIME and the Association for Executives in Healthcare Information Security (AEHIS), is conducting a study to bring some clarity to the healthcare industry around a few key medical device security questions:
- What is the state of medical device security in the healthcare industry today? What are the most common challenges?
- Which device manufacturers are most transparent regarding security risks and vulnerabilities? How secure are the devices?
- Which third-party software vendors and services firms are organizations leveraging to help address medical device security challenges?
- How has the healthcare industry progressed in cybersecurity in recent years?
If you are a security professional at a healthcare organization and would like to have your voice included in our research, or if you are a device manufacturer or third-party vendor or firm that would like to learn more, I invite you to reach out to me to participate in KLAS’ study.
Dan Czech, Director of Cybersecurity Market Analysis