WASHINGTON, D.C.—A survey of healthcare IT executives found that 18% of provider organizations had medical devices impacted by malware or ransomware in the last 18 months, although few of these incidents resulted in compromised protected health information or an audit by the Office for Civil Rights, U.S. Department of Health and Human Services. Only 39% of respondents said they were very confident or confident that their current strategy protects patient safety and prevents disruptions in care. Although organizations are making headway developing and maturing their overall security programs, progress has been slow, particularly when it comes to securing medical devices.
The survey was conducted by KLAS Research in collaboration with the College of Healthcare Information Management Executives (CHIME) to examine the current state of the medical device security industry and identify best practices. The results were presented Oct. 5 at the CHIME Advocacy Summit in Washington, D.C., and will be available free to providers.
A total of 148 chief information officers, chief security information officers, chief technology officers, and other professionals at provider organizations were interviewed about their medical device security programs, the challenges they face in securing medical devices, and how they are tackling these challenges. Most of the interviews were with hospital and integrated delivery network employees, although some respondents worked in midsize to large physician practices.
Medical devices were defined as “biomedical devices used by healthcare-delivery organizations in the pursuit of patient care.” This definition excludes patient-use devices (such as pacemakers) as well as non-medical devices (such as laptops and tablets).
According to the benchmarking report, “Medical Device Security 2018,” respondents cited patient safety as their top concern with unsecured medical devices. Larger organizations were more likely to be targeted by cybercriminals, but they also were more likely to have mature security programs. Organizations that were confident about their medical security programs cited solid security policies and procedures as the leading reason for their confidence, followed by strong technology. Those that lacked confidence in their medical device security cited lack of manufacturer support as the top reason, followed by lack of asset and inventory visibility.
Overall, 96% identified manufacturer-related factors as a root cause of medical device security issues. Nearly all respondents reported struggles related to out-of-date operating systems or the inability to patch devices, which are major security risks. On average, respondents said the manufacturers for almost one-third of their medical devices have told them that they cannot be patched.