HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Medical Device Security a Major Concern, Yet Funds Not Available to Improve Security

A recent HIMSS survey has confirmed that medical device security is a strategic priority for most healthcare organizations, yet fewer than half of healthcare providers have an approved budget for tackling security flaws in medical devices.

For the study, HIMSS surveyed 101 healthcare industry practitioners in the United States and Asia on behalf of global IT company Unisys.

85% of respondents to the survey said medical device security was a strategic priority and 58% said it was a high priority, yet only 37% of respondents had an approved budget to implement their cybersecurity strategy for medical devices. Small to medium-sized healthcare providers were even less likely to have appropriate funds available, with 71% of companies lacking the funds for medical device security improvements.

Vulnerabilities in medical devices are frequently being identified. ICS-CERT has issued several recent advisories about flaws in a wide range of devices. In many cases, flaws are identified and corrected before they can be exploited by cybercriminals, although the WannaCry attacks last year showed just how much of a risk is involved – to providers as well as patients.

A recent MedCrypt-funded study from the University of California Cyber Team has revealed some healthcare organizations have experienced cybersecurity incidents involving insecure medical devices that have had an adverse effect on patients. The organizations that had experienced incidents involving compromised medical devices said between 100 and 1,000 patients had been affected.

“While most life sciences and healthcare organizations understand the need to strengthen device security, many are struggling with legacy devices that were never designed to be internet-accessible – and with the explosion of ransomware and sophisticated cyberattacks like WannaCry, that can put both the provider and the patient at risk,” said Bill Parkinson, global senior director, Unisys Life Sciences and Healthcare.

Respondents to the HIMSS/Unisys survey were asked what security measures they had in place to secure their medical devices. 85% said they used firewalls and network access control systems, although only 53% said they used segregated networks for medical devices, even though segmentation of networks can help organizations manage risk.

“To ensure proper security, all devices require equally strong protection – firewalls alone are not enough in today’s environment,” said Parkinson. “In this regard, microsegmentation, the ability to segment and restrict network and device data to pre-authorized groups of users and devices, can be a critical asset for hospitals and medical providers.”

The survey also investigated how healthcare providers are capturing and managing data collected by medical devices. Approximately 60% of healthcare providers said they were ready for a device audit at all times, but fewer than a third of providers were capturing device data in real-time.

“The importance of having access to real-time data cannot be underestimated. Not only can data analytics help life sciences and healthcare organizations reduce device downtime by ensuring devices are operational, it can significantly improve audit readiness and better inform future purchasing decisions,” said Parkinson.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.