Healthcare News & Insights

Medical device security: How hospitals must tackle threats

Medical device security is a hot topic for hospitals. Most ransomware attacks target vulnerable computer equipment running older operating systems and software programs. Hacking devices may appeal to cybercriminals because they’re difficult to update. A new report shows that hospitals need to do more to protect their devices. 

For the report, security vendor Synopsys and the Ponemon Institute surveyed professionals at hospitals and other healthcare providers, as well as medical device manufacturers, to find out what they’re doing to make sure devices are secure.

Right now, more effort is needed from both hospitals and vendors to ensure devices are up-to-date and free from malicious software. Per the report, only about 5% of facilities and 9% of vendors test medical devices on a yearly basis to make sure they’re working correctly and are free from security leaks.

This is true despite awareness of the potential threats that arise from a compromised medical device. Most device makers (67%) and healthcare facilities (56%) believe attacks on at least one of their medical devices is likely to occur in the near future.

Even worse: 31% of device manufacturers and 40% of healthcare providers are aware of similar incidents that happened with devices they use or maintain. In these situations, 38% of healthcare organizations said an insecure medical device caused patients to receive inappropriate or incorrect treatment. And nearly 40% of device makers said hackers managed to gain unauthorized access to their devices.

Improvement needed

A handful of hospitals (15%) and device manufacturers (17%) are taking significant steps to address these problems and prevent cyberattacks, but most aren’t moving in that direction for various reasons, including lack of support and resources.

However, in an age where advancements like the Internet of Things (IoT) and cloud storage are changing the way devices transmit and save protected health information, making sure they’re secure is more important than ever.

While some aspects of medical device security are complex and require financial investment, others are easier to implement. In an article from Healthcare IT News, Kevin McDonald, the director of clinical information security at the Mayo Clinic, suggested that hospitals:

  • create an inventory of hardware and software
  • install local firewalls and anti-virus programs
  • “whitelist” applications that are allowed on the network (and ban all other traffic), and
  • prohibit the use of nonexpiring or default passwords to access systems and devices.

Hospital IT departments should also make patching, testing and vulnerability assessments a regular part of their workflow to ensure medical devices are running with the most up-to-date versions of software. This helps ensure they’re less vulnerable to the newest types of malicious programs.

Subscribe Today

Get the latest and greatest healthcare news and insights delivered to your inbox.