Medical Device Security – A Sneak Peek at an Upcoming Report
As the healthcare industry has matured into an increasingly connected enterprise, medical devices that were not originally intended to be connected to this network are becoming connected. These devices also have a long product lifecycle, with many providers often expecting to have these products in place for 7–10 years (or more) after purchase. Many of these devices were not created for the purposes that have recently emerged in the industry, and they have been built on operating systems that may no longer be supported.
At the end of the day, medical device security is about protecting patient safety and safeguarding protected health information (PHI). I would like to revisit some of our findings from last year’s report and give you a sneak peek into a follow-up report that KLAS will be publishing on the early vendors that are seeking to help healthcare organizations address these security concerns.
Confidence in Protecting Patient Safety
As medical device security became top of mind for healthcare security professionals, one of the big things we looked at last year was whether healthcare organizations felt confident in their ability to protect patient safety. When KLAS published the Medical Device Security 2018 report, only 39% of organizations said that they were confident or very confident in their ability to protect patient safety and prevent disruptions to care. Those organizations that participated in that study had an average of about 10,000 connected medical devices (a significant portion of which were reported to be unpatchable). The sheer numbers involved here makes medical device security a critical issue for provider organizations.
There are a variety of reasons that these organizations reported that they were not confident in protecting patient safety. Some organizations cited lack of support from the medical device manufacturers, lack of asset and inventory visibility, or struggles with patching.
We and the industry at large have since shifted focus to the lack of asset inventory visibility. In that study, 75% of organizations were currently using or planning to use third-party technology to help manage or secure medical devices. The types of tools used were quite varied at the time. We have seen vendors coalesce around trying to tackle this issue, and that led us to the research for this upcoming report. In this upcoming report, we are focusing on the initial adopters of this type of technology that discovers and categorizes connected devices, gives insights into device details, monitors device behavior, and assesses risk. Similar to a Decision Insights report, we are looking at the reasons why those early adopters select or do not select one vendor over another.
Sneak Peek: Decision Energy Is Not Just about Tech
As we at KLAS looked at these early decisions, it stood out to us that while technology is a driver for decisions, it is not what differentiates the vendors. Organizations see a lot of similarities between products. In terms of their core capabilities, the products are seen by decision-makers as being relatively on par across all of these vendors.
A CISO that recently made a decision told us, “Ultimately, we chose the vendor we did because we thought they would last in the market. Other than that, the differentiators between any other vendors were negligible. One product maybe had different colors or a different GUI or presentation than another product, but the offerings were very similar.”
Some organizations have even opted for short-term contracts that give them flexibility to watch the market as it matures. When an organization makes decisions, those decisions are often made on intangible factors like the vendor's culture or their willingness to partner with the organization.
This is a space where there are a lot of vendors popping up on a regular basis. While these vendors are being considered, their progress in gaining market share has been slower than expected. As much as I want to describe the older solutions in this market as mature, we're still talking about a vendor that's only two or three years old. But some of the newer ones have lost deals because of concerns over the maturity of the company or product.
Vendor type also seems to be a factor in these decisions. In the upcoming report, we see two types of vendors. The first type are broad, cross-industry vendors with a healthcare presence. These are vendors like Zingbox, Ordr, Armis, and Great Bay Software. These vendors can identify and categorize Internet of Medical Things (IoMT) and biomedical devices as well as broader Internet of Things (IoT) devices. The second type of vendors are healthcare-specific companies that focus on medical device security and that really understand the healthcare world. This includes vendors like Medigate, CyberMDX, Asimily, Cynerio, and Virta Labs—many of whom do, or have plans to, identify broader IoT devices.
Coming Soon
KLAS has followed different markets over the years, but I have seen the quickest adoption in the market for medical device security. This market went from being almost unheard of two or three years ago to having very rapid adoption. Now these vendors are selling like crazy, and there are a lot of new ones emerging. I’m excited for this report to launch. Along with learning about the various vendors in this space, we’ve also identified eight capabilities that these IoMT tools typically offer (discovery, monitoring, risk assessment, asset management, reporting, integration, protection and remediation, and coverage). And we have identified both basic and advanced functionalities for each capability.
The need in the healthcare industry to connect these devices is not going away; it is only going to increase. Healthcare organizations have to figure out a way to secure these devices. That is why CISOs are looking for something to help them understand the landscape and make some educated decisions.
We are excited for this research to be published at the end of this month. If you would like access to this research or if you are an early adopter of these technologies and would like to share your experience, please reach out to me at dan.czech@klasresearch.com.
Photo cred: Adobe Stock, adam121