Healthcare Informatics Magazine | Health IT | Information Technology

Survey: Healthcare Pros Challenged to Identify, Mitigate Medical Device Security Risks

August 16, 2017
by Rajiv Leventhal

More than one-third (36 percent) of surveyed professionals in the Internet of Things (IoT)-connected medical device ecosystem say their organizations have experienced a cybersecurity incident in the past year, according to a recent Deloitte poll.

Another 37 percent of respondents said that their organizations did not experience such an incident in the last year, while 27 percent said they didn’t know if they did. In May, some 370 professionals whose organizations operate in the medical device/IoT ecosystem responded to poll questions during a Deloitte Dbriefs webcast. Respondent organizations include medical device or component manufacturers; healthcare IT organizations; medical device users; and regulators.

What’s more, identifying and mitigating the risks of fielded and legacy connected devices presents the industry's biggest cybersecurity challenge, cited by 30 percent of respondents, according to the research. Additional cybersecurity challenges that connected medical devices presented to respondents included embedding vulnerability management into the design phase of medical devices (20 percent), monitoring and responding to cybersecurity incidents (20 percent), and lack of collaboration on cyber threat management throughout the connected medical device supply chain (18 percent).

Beyond cybersecurity risk management itself, there are post-incident risk management efforts to attend to as well. Few respondents (19 percent) say their organizations are "very prepared" to address litigation, internal investigations or regulatory matters related to medical device cybersecurity incidents in the next 12 months. Meanwhile, 56 percent said they were “somewhat prepared” and 13 percent said they were not prepared to address these issues in the next year.

“As regulatory, litigation, and internal investigation activities start to focus on post-market cybersecurity management, leading organizations are taking a more forensic approach to discerning the timeline and size of cyber incidents so the impact to intellectual property, client data and other areas can be addressed more quickly," Scott Read, Deloitte risk and financial advisory principal, Deloitte Transactions and Business Analytics LLP, noted in a statement. "Forensic analyses responding to regulator, litigant, or whistleblower concerns may even help predict the next moves of cyber attackers."

One of Healthcare Informatics’ Top Ten Tech Trends for 2017, medical device cybersecurity has been a hot industry topic of late as threats continue to increase. A recent survey found that only 9 percent of manufacturers and 5 percent of HDOs (healthcare delivery organizations) said they test medical devices at least once a year, while 53 percent of HDOs and 43 percent of manufacturers said they do not test devices at all.

“It's not surprising that managing cyber risks of existing IoT medical devices is the top concern facing manufacturers, providers, and regulators," Russell Jones, Deloitte risk and financial advisory partner, Deloitte & Touche LLP, said in a statement. "Legacy devices can have outdated operating systems and may be on hospital networks without proper security controls. Connected device cybersecurity can start in the early stages of new device development, and should extend throughout the product's entire lifecycle; but even this can lead to a more challenging procurement process. There is no magic bullet solution."
