Ponemon Study on Security Deficiencies in Medical Devices Confirms Meditology’s Earlier Findings
The Ponemon Institute recently released the results of the study, “Medical Device Security: An Industry Under Attack and Unprepared to Defend,” which highlights critical security deficiencies in medical devices.
Highlights from the report show that:
- 67% of medical device manufacturers and 56% of healthcare delivery organizations (HDOs) believe an attack on a medical device built or in use by their organizations is likely to occur over the next 12 months.
- Roughly 1/3 of device makers and HDOs are aware of potential adverse effects to patients due to an insecure medical device, but despite the risk, only 17% of device makers and 15% of HDOs are taking significant steps to prevent such attacks.
- Only 44% of HDOs follow guidance from the FDA to mitigate or reduce inherent security risks in medical devices.
- 60% of device makers and 59% of HDOs do not share information about security risks with clinicians and patients.
This report comes on the heels of the recent HHS Cybersecurity task force report that identified medical device security as one of six top imperatives, and provides a robust list of recommendations and action items for healthcare organizations, providers and vendors.
It also underscores findings from Meditology’s whitepaper on the risks and impacts associated with medical devices, “Hijacking Your Life Support: Medical Device Security.”
Specifically, highlights from the report showed:
- Medical identity theft affected an estimated 1.5 million people in the U.S. at a cost of $41.3 billion in 2016.
- Historically, the lack of focus on building security requirements into medical devices has led to these devices becoming one of the weakest links in the chain for securing healthcare networks and systems.
- Medical device security is often not considered during procurement processes and purchasing decisions.
- Traditional network scanning and discovery tools are not always equipped to specifically scan and identify medical devices, and such scans may themselves adversely impact the devices, putting patient safety at risk.
Meditology recommends that healthcare organizations develop medical device security programs (MDSPs) to address risks to patient safety, information security, and compliance. MDSPs should align with industry standards, regulations, and best practices. They should also include a comprehensive vendor security risk management program, according to a report by our sister company, CORL Technologies.
Do you have a well-defined and operational medical device security program that gives you confidence in your ability to protect your patients from harm?
Email us to start a conversation.