Security Incidents Experienced by More Than a Third of Organizations in the IoT Medical Device Sphere
A recent Deloitte survey conducted on 370 professionals with involvement in the IoT medical device ecosystem revealed more than a third (36%) of organizations have experienced a security incident related to those devices in the past year.
Respondents were medical device or component manufacturers, healthcare IT organizations, medical device users or regulators.
When asked about the biggest challenges with IoT medical devices, 30% said identifying and mitigating risks of fielded and legacy connected devices was the biggest cybersecurity challenge. Other major challenges were incorporating vulnerability management into the design process (20%), monitoring for and responding to cybersecurity incidents (20%), and the lack of collaboration on threat management throughout the medical device supply chain (18%). 8% of respondents rated meeting regulatory requirements as the biggest challenge.
Identifying and mitigating risks is only part of the problem. There will be times when cyberattacks succeed and malicious actors gain access to the devices. Healthcare organizations and device manufacturers must be prepared to deal with incidents when they occur. When asked how prepared they were to deal with breaches, subsequent litigation or regulatory matters, only 19% of respondents said they were very prepared. 56% said they were somewhat prepared, while 13% said they were not prepared at all.
Devices currently being developed can have cybersecurity incorporated at an early stage, which makes securing the devices for the entire lifecycle of the products far easier. For devices already in use, cybersecurity is a major concern. Many of the devices are running on outdated operating systems or are connected to networks that lack appropriate security controls.
Unfortunately, since each device has different cybersecurity requirements and operates in a different way, securing the devices is not straightforward. Cybersecurity controls need to be applied not only to the device, but also to the networks that the devices connect to. Russell Jones, Deloitte risk and financial advisory partner at Deloitte & Touche LLP, said that when it comes to medical device cybersecurity, “There is no magic bullet solution.”
Device manufacturers can certainly do more to incorporate cybersecurity controls into their devices, but to make the devices truly secure, there needs to be collaboration between providers, manufacturers, and suppliers. As Jones explained, “This is a problem that requires the industry as a whole to come together and create a safe space where feedback and information can be shared freely.”
The number of IoT devices now being used has grown considerably, and as more devices are connected to healthcare networks, managing the devices and monitoring for vulnerabilities becomes an even bigger problem.
Healthcare organizations must have an IoT management and security solution in place, as it is simply not possible to manage security manually. Without such a solution, which gives IT teams visibility into and control over the devices, it is not possible to manage and mitigate vulnerabilities.
Deloitte does offer some suggestions about improving medical device cybersecurity, suggesting healthcare organizations:
- Implement a domain hierarchy – Formalize, organize, and structure medical device cybersecurity activities and governance to ensure patient safety and respond more quickly to regulators, legal matters, or internal investigations. Deloitte recommends that work instructions and templates be developed for each unique device, while documentation of quality management system (QMS) protocols should be centralized and regularly updated.
- Conduct regular product security risk assessments – Assessments should be performed at least annually, although risk assessment should be an ongoing process, with assessments repeated when business processes change, when suppliers change, or when acquisitions and divestitures occur.
- Take a forensic approach to incident response – When devices are compromised, the incident timeline must be determined, anomalous behavior should be detected and organizations must determine what data were exposed or accessed.