Survey Finds Low Confidence in Medical Device Security

As more medical devices connect to the Internet, the role of cybersecurity in the health care sector has never been more critical. Unfortunately, a survey of 40 senior executives at U.S. Fortune 1000 companies found only 18% of respondents believed the security capabilities embedded within medical devices were strong. In the survey, a full 80% of respondents simply described medical device security as adequate.

The survey, conducted by Guidepoint Global, found only 13% of respondents said they believe their business is very prepared to mitigate future risks. That compares with 70% who believed they were only somewhat prepared, at best, while another 17% stated that their firm was not prepared at all. Mitigating cybersecurity risks would require a bigger security budget (21%), greater cybersecurity expertise (19%) and more effective tools (19%), the survey found.

The survey noted that just over half of respondents (53%) are currently managing cybersecurity in-house, while the remaining respondents outsourced all or parts of their security strategy to partners. Overall, the survey found 80% of survey respondents have suffered at least one cyberattack in the past five years.

In terms of future investments, cloud-based services topped the list (48%), followed by remote consulting services (23%), with on-premises security services coming in at a distant 8%, the study found.

Respondents said the top two benefits of making those investments were compliance (80%), followed closely by protecting intellectual property (78%). Despite the emphasis on compliance, only four in 10 respondents rated themselves as being very aware/knowledgeable about forthcoming European Union (EU) and U.S. regulations. Close to a third (28%) said they did not know anything at all about forthcoming regulations.

Steve Huin, chief marketing officer at Irdeto, which supplies a platform for securing Internet of Things (IoT) environments, said health care organizations are dealing with both the COVID-19 pandemic itself and the need to enable administrative staff to work from home to limit its spread. At the same time, Huin noted, cybercriminals have increased their focus on health care organizations as potential ransomware targets. The health care sector has not historically had the resources required to maintain cybersecurity as well as other vertical industry segments have, Huin said.

One of the ways cybercriminals attempt to spread malware is by first using phishing attacks to compromise the credentials needed to access an IoT platform. That would make it relatively simple to laterally distribute malware throughout an organization, Huin added. The goal is to limit the blast radius of those attacks by deploying an IoT security platform, Huin said.

Of course, many of the attacks against health care organizations start in much the same way they would in any other office. Cybercriminals attach malware-infected documents to email and hope that health care employees instinctively open them as part of their everyday workflow. The challenge is that, with more medical equipment attached to a network, the overall size of the attack surface that needs to be defended keeps growing. Many of the technicians who manage those systems, after all, are as likely to fall victim to a phishing attack as any other employee. The challenge is finding a way to make sure that cyberattacks against health care IoT devices that keep patients alive don’t become lethal.


Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
