A recent Deloitte survey of over 370 professionals whose organizations operate in the Internet of Things (IoT) connected medical device ecosystem found that more than 35 percent of respondents experienced a cyber security incident in the past year.
Respondent organizations included medical device or component manufacturers, healthcare IT organizations, medical device users, and regulators.
Over 30 percent of respondents said identifying and mitigating the risks of fielded and legacy connected devices presents the industry’s biggest cyber security challenge.
“It’s not surprising that managing cyber risks of existing IoT medical devices is the top concern facing manufacturers, providers and regulators,” Deloitte Risk and Financial Advisory partner Russell Jones said in a statement. “Legacy devices can have outdated operating systems and may be on hospital networks without proper security controls.”
“Connected device cyber security can start in the early stages of new device development, and should extend throughout the product’s entire lifecycle; but even this can lead to a more challenging procurement process,” Jones added. “There is no magic bullet solution.”
Key IoT Challenges
Other leading challenges mentioned by respondents included embedding vulnerability management into the design phase of medical devices (19.7 percent), monitoring and responding to cyber security incidents (19.5 percent), and lack of collaboration on cyber threat management throughout the connected medical device supply chain (17.9 percent).
“Collaboration between providers, manufacturers, and suppliers is key when it comes to bridging the gaps in medical device cyber security,” Jones said. “This is a problem that requires the industry as a whole to come together and create a safe space where feedback and information can be shared freely.”
Notably, just 18.6 percent of respondents said their organizations are very prepared to address litigation, internal investigations or regulatory matters related to medical device cyber security in the coming year.
Deloitte recommends taking the following key steps to protect against medical device cyber threats:
- Implement a document hierarchy. Formalize, organize, and structure medical device cyber security activities and governance to ensure patient safety and respond more quickly to regulators, legal matters, or internal investigations.
- Conduct annual — at minimum — product security risk assessments. Treat cyber security risk assessment procedures as ongoing, iterative processes that are repeated at least annually and when business changes occur, such as supplier changes, acquisitions, or divestitures.
- Take a forensic approach to incident response. Establish the incident timeline, detect anomalous behavior, and figure out what data was accessed and exposed.
Misconceptions About IoT
A separate ZingBox survey of IT decision makers in the healthcare industry found that more than 90 percent of healthcare IT networks have IoT devices connected to them, and over 70 percent of respondents think traditional security solutions for devices like laptops and servers are sufficient for IoT connected medical devices.
More than 76 percent of respondents said they’re confident or very confident that all devices connected to their networks are connected.
“The survey results demonstrate the current state of confusion and misconceptions in the healthcare industry on how best to secure connected medical devices,” ZingBox CEO and co-founder Xu Zou said in a statement.
“IoT technology presents special challenges to a healthcare organization’s ability to protect itself from both insider threats as well as external cyber attacks across a wide range of attack vectors, as demonstrated by the most recent WannaCry ransomware and NotPetya ransomware attacks,” Zou added. “As these attacks continue to step to the forefront, companies deploying IoT devices need to be more cognizant than ever of their security measures.”