The medical device industry appears to be under siege by cybercriminals, but it isn’t taking steps to defend itself, according to two separate reports.
Two thirds of medical device manufacturers and more than half of healthcare delivery organizations (HDOs) say that a cyber-attack on one or more medical devices built or in use by their organization is ‘likely’ or ‘very likely’ over the next 12 months.
Despite the threat, a survey by IT research organization the Ponemon Institute and chip security company Synopsys reveals that only 17% of device makers and 15% of HDOs are actively taking steps to tackle the problem, although a third were aware of the potential adverse effects to patients of an insecure medical device.
The study also found that around half (49%) of device manufacturers were not using guidance from the FDA about how to secure devices. And worryingly, it seems testing of medical devices rarely occurs. Only 9% of manufacturers and 5% of HDOs said they test medical devices at least annually, and 53% of HDO respondents said they either do not test or are unaware if this takes place. That was also the case for 43% of device companies.
“The healthcare industry continues to struggle when it comes to software security,” said Mike Ahmadi, global director of critical systems security for Synopsys.
“The industry needs to undergo a fundamental shift, building security into the software development lifecycle and across the software supply chain to ensure medical devices are not only safe, but also secure.”
The reported lack of awareness is a particular worry, given that device security has been hitting the headlines for some time. In 2013, former U.S. Vice President Dick Cheney had the wireless capabilities of his pacemaker disabled to thwart possible assassination attempts, and just last year Johnson & Johnson warned customers that one of its wireless insulin pumps was vulnerable to hacking, with St. Jude Medical accused of having poor security for its cardiac implants.
So far there are no recorded incidents in which medical device hacking has caused patient harm, but the potential is clearly there, according to the authors of a separate study which looked at the vulnerability of pacemaker devices.