Healthcare leaders say their strategies could place patients at risk, a new survey found.
Is there ever going to be a day when good news follows a healthcare cybersecurity headline?
Eventually. Hopefully. But not today. Instead, we have the results of a new survey, which found that only 39 percent of health IT executives think their medical device cybersecurity strategies can protect patients and defend against disruptions in care. What’s more, 18 percent of healthcare organizations suffered some form of cyberattack against their medical devices in the past year and a half.
“Many providers have the basic building blocks for a general security program in place and are making progress, although it is difficult and time consuming, toward developing a mature program,” said Adam Gale, president of KLAS Research, which conducted the survey with help from the College of Healthcare Information Management Executives (CHIME).
KLAS and CHIME carried out the research to better understand med-tech cybersecurity and pinpoint best practices. They interviewed 148 chief information officers, chief security information officers, chief technology officers and people with similar positions within health systems, delivery networks and large provider groups. Researchers did not examine devices used by patients, such as pacemakers, or tech like laptops and tablets.
So, what else did they uncover?
First, healthcare executives said they are most concerned about med-tech security flaws jeopardizing patient safety. And almost all respondents — 96 percent — pointed to device manufacturers as the chief cause of cyber holes. Still, 76 percent said their organization doesn’t have the resources to secure these devices, largely due to “poor asset and inventory visibility” and uncertainty surrounding who that responsibility falls on.
But things are looking up. More than a quarter of respondents said their medical device security programs are “fully functional,” while 47 percent said their efforts were underway this year, beating out 16 percent in 2016 and 41 percent last year.
Healthcare providers that were confident in their med-tech cyber strategy pointed to policies, procedures and technologies as their reasons to believe. Insufficient manufacturer support topped the list for organizations that doubted their ability to secure their devices.
The bigger the healthcare organization, the more likely it was to be a hacking target. But big fish were also more likely to have strong cyberdefenses, according to the survey.
The report comes at a time when medical device security is under increasing scrutiny. The U.S. Food and Drug Administration, which has come under fire for approving devices too hastily, recently published a med-tech security playbook for providers and plans to soon unveil new initiatives to protect the vulnerable Internet of Things.
“Unsecured and poorly secured medical devices put patients at risk of great harm if those devices are hacked,” noted Russell Branzell, CHIME’s president and CEO. “In recent years, that risk has increased exponentially as devices in hospitals and health organizations have become more and more interconnected.”
Without support and resources, however, providers are likely to remain vulnerable.