- Hospitals are not taking basic security actions and have low levels of accountability regarding cyberattacks, ransomware and data theft stemming from breached medical devices, new research suggests.
- Over half of respondents in a survey of healthcare executives from cybersecurity firm Cynerio and research group Ponemon Institute reported that senior management did not require assurances that medical or internet-connected device risks were properly monitored or managed.
- While 46% reported taking proper security steps to securing medical devices, 49% said they didn’t measure the effectiveness of device security procedures. Meanwhile, of the 43% of organizations that reported a data breach in the past two years, 88% said at least one connected device was a contributing factor to the breach.
Hospitals are becoming a primary target of cybercriminals looking to get their hands on lucrative patient data. Hacks have been increasing in recent years and reached record levels in 2021, according to multiple reports, though early data from 2022 suggests the rate of data breaches may be declining.
Medical devices connected to the internet are one potential area of attack for cybercriminals. Devices may be particularly vulnerable because many use outdated or insecure software, hardware and protocols, even as the number of connected medical devices being used by hospitals rapidly increases.
Cybersecurity incidents are the top safety concern for medical devices in 2022, according to one nonprofit.
Cynerio and the Ponemon Institute surveyed more than 500 U.S. hospital and health system executives for their new report.
Some 56% of respondents said internet-enabled device attacks resulted in longer patient length-of-stays, while 48% of respondents said they resulted in theft of patient data.
Yet only an average of 3.4% of hospitals’ IT budgets are being spent on device security, the survey found.
Hospitals may need to face a real-world threat to rationalize further investment. Among the top factors that would drive increased investment in medical device security is a serious hacking incident of a device, followed by concerns over relationships with clinicians and third parties and a potential loss of customers or revenue due to a security incident, the survey found.
Another problem is poor oversight over device ecosystems. According to the report, 67% of organizations don’t keep an inventory of their internet of things devices.
Respondents also noted a lack of clear ownership regarding device security, with no clearly agreed upon stakeholders for protecting the security of connected devices. Some respondents said security decisions lay to the CIO or CTO, while others called out biomedical engineers, the chief executive or “nearly everyone in between,” the report found.