Just 39 percent of healthcare organizations and providers are confident in their medical device security, according to report by KLAS, College of Healthcare Information Management Executives (CHIMES) and the Association for Executives in Healthcare Information Security (AEHIS).
The organizations released their “Medical Device Security 2018” report, in which they asked executives from 148 healthcare provider organizations to explain confidence levels in medical device security strategies, most common challenges with device security and best ways to overcome those challenges.
“Unsecured and poorly secured medical devices put patients at risk of great harm if those devices are hacked,” CHIMES President and CEO Russell Branzell said in a statement. “In recent years, that risk has increased exponentially as devices in hospitals and health organizations have become more and more interconnected. Our members are looking for ways to safeguard these devices, but they need resources and support to be effective.”
In the report, healthcare providers revealed their lack of confidence in medical device security. Most respondents––30 percent––were neutral in their current medical device security; 25 percent said they were unconfident; and 6 percent said they were very unconfident.
The top reasons for feeling unconfident in there medical device security were:
- lack of support from device manufacturer
- lack of asset/inventory visibility
- patching issues
- program still in development
- devices being an inherent risks/having no solutions
The remaining 39 percent said they were confident in their medical device security. Reasons listed included: having solid processes/policies, strong technology, good collaboration across departments and C-level support.
The report also revealed that providers blame manufacturers over provider organizations as being the root cause of medical device security issues, with 96 percent of providers citing manufacturer-related factors and 68 percent citing organizational factors as the root cause.
Organizations are working to address medical device security challenges. Ninety-six percent of organizations said there is someone in charge of their security program; 83 percent of organizations said they’ve increased security budgets over the last two years; and 57 percent said security matters are on the agenda for monthly or quarterly meetings.
Popular solutions for medical device security issues included performing risk assessments on medical devices, implementing patching strategies and using some third-party software and services.
“Safeguarding medical devices requires a joint effort from both provider organizations and device manufacturers,” KLAS President Adam Gale said in a statement. “Many providers have the basic building blocks for a general security program in place and are making progress, although it is difficult and time consuming, toward developing a mature program. We also are seeing some manufacturers being more proactive and accountable.”