A new survey found that 67 percent of medical device manufacturers and 56 percent of healthcare delivery organizations (HDOs) believe an attack on their devices is likely to happen within the next 12 months.
Despite the risks, however, a mere 17 percent of device makers and only 15 percent of HDOs say they are taking significant steps to prevent such imminent attacks.
The findings come from a recent study conducted by the Ponemon Institute on behalf of Synopsys, which polled more than 550 individuals from manufacturers and HDOs.
The overwhelming majority (80 percent) of respondents believe this is partly due to the fact that medical devices are very difficult to secure. Furthermore, only 25 percent of respondents believe security protocols or architecture built inside devices can adequately protect clinicians and patients.
“Both manufacturers and users rely upon security requirements instead of more thorough practices such as security testing through the SDLC, code review and debugging systems and dynamic application testing,” explains the report.
“As a result, both manufacturers and users concur that medical devices contain vulnerable code due to lack of quality assurance and testing procedures and rush to release pressures on the product development team,” the report noted.
Perhaps the most shocking statistic revealed that medical devices are rarely tested. Only nine percent of manufacturers and five percent of users said they test medical devices at least annually.
A whopping 53 percent of HDOs said they do not test devices or were unsure if testing occurs (45 percent). Meanwhile, manufacturers yielded similar findings with 43 percent admitting they do not test medical devices and seven percent being unsure if testing takes place.
“It’s not surprising that the vast majority of respondents see attacks as inevitable, given that less than 10 percent actually test the security of these devices at least annually,” Tim Erlin, vice president of product management and strategy at Tripwire, told SC Media UK.
“It’s shocking to think that the devices delivering care to patients simply aren’t tested for security.”
The problems surrounding medical device security are varied, but not new, noted Erlin.
“Other industries have struggled with similar challenges around testing, disclosure of security issues and alignment between vendors and users. It requires a focused effort to address these challenges head on. It’s unacceptable to put patient care in the hands of insecure and untested devices,” he said.