Healthcare survey finds abundance of medical device security overconfidence

When facing a determined adversary, it’s one thing to be confident; it’s quite another to be overconfident. But that’s what a new survey of healthcare IT professionals and biomedical engineers found: an overabundance of confidence when it comes to connected medical device security.

According to the 2018 Zingbox Second Annual Connected Medical Device Survey, respondents believe they have real-time visibility into device vulnerabilities and that they can adequately handle a cyberattack. Key findings from the report include:

  • 87 percent of healthcare IT professionals are confident that their connected medical devices are protected in the event of a cyberattack.
  • 69 percent of healthcare IT professionals believe that traditional security solutions designed for laptops and PCs can adequately secure connected medical devices.
  • 85 percent of clinical/biomed engineers are confident that they have an accurate inventory of all connected medical devices.
  • 64 percent of responses from clinical/biomed engineers indicate the use of manual room-to-room audits or static databases to inventory connected medical devices.

Zingbox conducted its second annual security survey on connected medical devices in October 2018. The survey collected responses from more than 200 healthcare IT professionals and 200 clinical/biomed engineers in the U.S. The results were weighted to U.S. census for age, gender, region and income.

If it’s accurate that 90 percent of healthcare IT professionals are in fact confident that their connected medical devices are adequately protected from cyberattack, it tells us one thing for certain: we are in store for more successful attacks on connected medical devices in the months ahead, and we’re likely to continue to see a high percentage of successful attacks against healthcare providers in general. Collectively, healthcare has an abysmal information security record, including high levels of ransomware attacks, data breaches and HIPAA-related violations.

There’s no shortage of announcements from security researchers showing how medical devices can be vulnerable to some types of remote access or ransomware attacks.

The good news is that steps are being taken to better ensure more security-resilient medical devices are coming to market. Last month, the U.S. Dept. of Health and Human Services’ (HHS) Office of Inspector General urged the FDA to work a little harder at ensuring that secured, or at least securable, connected medical devices come to market. The HHS asked the FDA to take additional steps to examine the security efforts of medical device manufacturers.

According to a report issued by HHS last month, the FDA has emphasized medical device security as a responsibility shared among device manufacturers, healthcare providers, consumers and the FDA itself. In a nutshell, HHS asked the FDA to further integrate cybersecurity into its overall product review process.

Of course, the first step for healthcare providers in doing their part to secure connected medical devices is to realize that they are probably not doing enough currently to adequately protect those devices. And I’ll take a paranoid security professional over an overconfident security professional any day of the week.

*** This is a Security Bloggers Network syndicated blog from Cybersecurity Matters – DXC Blogs authored by Cybersecurity Matters. Read the original post at: