Shifts in Medical Device Security

As KLAS digs deeper into medical device security, I have been struck by several shifts in the medical device marketplace.

Contracting: The Leverage of Large Providers

In our upcoming report, we ask about device manufacturers and the contract language they typically use with potential customers. Essentially, we want to learn from providers what percentage of their manufacturers have declined to include favorable security language and provisions in their contracts. Favorable security language could be anything; it could range from promises to release a security patch for known vulnerabilities within 30 or 60 days after discovery to language around the organizational costs of maintenance and patching for security work.

Healthcare organizations must rely on their vendors to create security patches for several reasons: the organizations might not have a robust enough team internally, and some manufacturers even require that the manufacturer apply the patches itself. Often this means providers have to pay additional money, which puts them at the mercy of a device manufacturer’s schedule.

What we’ve started to uncover in our early analysis of the data is that there are differences depending on the size of the provider organization. 

Our data shows that smaller organizations typically work with far fewer manufacturers that are willing to include security provisions in their contract language. Large, multi-hospital IDNs often have much greater success in getting this kind of pro-security language written out in their contracts.

This makes sense when you consider the buying power of these large healthcare organizations. Manufacturers risk losing multimillion-dollar contracts if they refuse to include favorable language in their contracts; small community and critical-access hospitals don’t have that type of leverage.

Pointing Fingers: Passing the Buck on Security Patches

The need for favorable security language becomes readily apparent when I speak with providers who have antiquated devices within their system. As devices age, manufacturers become increasingly unwilling to support their old technology. Beyond that, there’s a feeling among providers that they’re getting two different stories from two different audiences.  

Manufacturers often tell providers that they cannot update and patch equipment because it will no longer be FDA compliant and will need to go through the 510(k) process again. However, the FDA’s guidance suggests that if there’s a known risk, and fixing it doesn’t adversely impact the functionality of the machine above an acceptable level of risk, the agency expects manufacturers to keep the device up to date.

So, to providers it feels like the manufacturers and the FDA are pointing fingers at each other while providers are caught in the middle with potential security risks. That is an understandable feeling; at the end of the day, if a breach occurs and affects patient safety and information, the blame will fall on the provider.

KLAS can hopefully start to leverage the relationships we have with both providers and manufacturers to bring some transparency about what customers are feeling. We’re also helping the FDA to gain a better understanding of the misperceptions in the industry. By providing data to these parties, we can ideally effect some change. And change has to happen; otherwise, providers will be left stuck between a rock and a hard place.

Medical Device Security: Keeping Providers Up at Night

For many providers, medical device security represents a final frontier. As I’ve asked them about their overall cybersecurity plans, most providers feel a growing confidence in their security programs. The area where they’re feeling most discomfort right now is around medical devices.

Adding to their discomfort is the fact that, according to data we’ve collected, organizations report having more than 10,000 medical devices connected to their networks on average. This angst exists in part because of legacy operating systems that require security updates throughout the anticipated life-cycle of the device. In many cases, that life-cycle extends 5 to 10 years, which leaves devices with operating systems like Windows XP that may no longer be supported.

Beyond that, security professionals have to combat the fact that purchasing medical devices for the organization is often a shared responsibility. Medical device security isn’t like an email filter that lives solely under the control of the CISO and the security team—something they alone must deploy and manage.

Often, the CISO may not even be involved in the supply-chain process of purchasing equipment. Rather, a department will buy solutions based on their needs and expect the security team to make the devices secure.

At the end of the day, the medical device security market has several hurdles to overcome before providers are happy with the state of their programs. Going forward, KLAS will continue to measure the effectiveness of the manufacturers and software vendors who contribute to this space. Keep an eye out for our report in early October of this year.