The internet of things is everywhere – including in hospitals, nursing homes, and doctor’s offices.
The wireless and network-connected gadgets bring many conveniences to healthcare. Unfortunately, they also bring massive security gaps (examples below).
The makers of medical devices are aware of the security problem, but few are working to solve it. Two-thirds (67%) expect attacks on their devices but only 17% are taking serious steps to prevent them, according to a Ponemon study.
The widespread lack of security in medical devices creates many concerns for health IT professionals. Their top concerns are highlighted in a new report, the 2017 HIMSS Cybersecurity Survey.
HIMSS asked 126 health information security professionals in the U.S. about their priorities, plans, and concerns for their organizations.
Here’s what they said were their top concerns for medical device security.
Note: This chart compares responses from healthcare organizations that do and do not have security leadership (such as a chief information security officer).
Patient safety is the top concern overall, mostly among organizations that have a senior information security leader.
The threats posed by poorly secured medical devices are scary.
Examples:
Thankfully, these types of threats rarely materialize (if ever) – but the possibility of them occurring has grabbed the attention of health IT professionals.
Nearly one-third (32%) of respondents who worked at an organization with a health information security leader felt patient safety was a top concern.
However, only 15% of respondents at organizations without a security leader agreed.
Judging from news headlines and regular updates to the HIPAA wall of shame, every healthcare organization should be concerned about the possibility of a data breach.
So it’s not surprising to see the threat of breach reaching number two on the list for top concerns about medical device security.
Due to their flaws, some healthcare IoT devices can make it easier for attackers to breach a network and steal health data.
Examples:
Data breach is the number-two concern for both groups, those with security leadership (26%) and those without (17%).
Just as poor security in medical devices can enable a data breach, it can also allow malware to take root and spread across the network.
Malware is third on the list of fears overall, but it’s the number-one concern for healthcare organizations without security leadership (26%).
These fears are not unfounded. Ransomware in hospitals has sparked headlines around the world this year.
Part of the problem is that the devices often run, or are connected to, outdated operating systems such as Windows XP. Others use more recent operating systems but remain unpatched.
Examples:
The rest of the medical device security concerns are not as widespread as the top three. The next biggest category is “other.”
The fifth largest category is “device loss or theft.” Although low on the list, it’s a fear grounded in reality.
At least 36 HIPAA violations reported in 2017 are attributed to physical theft, according to the HIPAA breach portal of the U.S. Department of Health and Human Services Office for Civil Rights (OCR).
In February, the OCR fined a children’s hospital $3.2 million in response to non-compliance and two data breaches. One breach was related to a lost Blackberry. The second was related to a stolen laptop.
While healthcare offices are more likely to experience a stolen laptop or computer, the growing number of medical devices on the network may raise the chance of theft.
The remaining concerns, in descending order, are “don’t know,” liability concerns, and intellectual property theft.
In response to a growing number of medical devices with poor security, many healthcare organizations are testing devices before they’re allowed through the door.
More than half of all respondents to the HIMSS survey said their organization performs due diligence analysis on the cybersecurity of products and services before purchasing them.
Not surprisingly, organizations with an information security leader are more likely to do the assessments (88% of respondents) than organizations without one (57%).