More than ⅔ of medical device makers believe their products are vulnerable to cyberattack, but less than ⅕ are taking significant steps to do anything about it, according to a survey funded by software firm Synopsys.
Mountain View, Calif.-based Synopsys paid cybersecurity think tank Ponemon Institute to survey people who “have a role or involvement in the assessment of and contribution to the security of medical devices.” Ponemon researchers polled 242 medical device employees and 262 workers at healthcare providers for the report, “Medical Device Security: An Industry Under Attack and Unprepared to Defend.”
The survey showed that “67% of device makers in this study believe an attack on one or more medical devices they have built by their organization is likely and 56% of [health delivery organizations] believe such an attack is likely. Despite the likelihood of an attack, only 17% of device makers and 15% of HDOs are taking significant steps to prevent attacks,” according to the report. “Despite the risks, few organizations are taking steps to prevent attacks on medical devices. Only 17% of device makers are taking significant steps to prevent attacks and 15% of HDOs are taking significant steps.”
Some 80% of respondents from both groups said medical devices are very difficult to secure, with a mere 25% confirming that the devices’ security protocols or architecture are adequate. And the industry believes the risks are multiplied by the so-called “Internet of Things,” with 60% of device makers saying the use of mobile devices is significantly increasing security risks.
Even so, only ⅓ of medical device respondents said their companies encrypt IoT-device data, and only 39% of those use key management systems for their encrypted traffic, according to the survey.
“The security of medical devices is truly a life or death issue for both device manufacturers and healthcare delivery organizations,” Ponemon Institute chairman & founder Larry Ponemon said in prepared remarks. “According to the findings of the research, attacks on devices are likely and can put patients at risk. Consequently, it is urgent that the medical device industry makes the security of its devices a high priority.”
“These findings underscore the cybersecurity gaps that the healthcare industry desperately needs to address to safeguard the well-being of patients in an increasingly connected and software-driven world,” added Synopsys director Mike Ahmadi. “The industry needs to undergo a fundamental shift, building security into the software development lifecycle and across the software supply chain to ensure medical devices are not only safe, but also secure.”