Study highlights critical security deficiencies in medical devices

Survey of manufacturers and healthcare delivery organisations reveals industry’s lack of confidence and alignment in securing medical devices

A study by Synopsys has found that 67% of medical device manufacturers and 56% of healthcare delivery organisations (HDOs) believe an attack on a medical device built or in use by their organisations is likely to occur during the next 12 months.

The study, called “Medical Device Security: An Industry Under Attack and Unprepared to Defend”, also found that roughly one third of device makers and HDOs are aware of potential adverse effects to patients due to an insecure medical device.

Yet, despite the risk, only 17% of device makers and 15% of HDOs are taking significant steps to prevent such attacks.

The study

The Synopsys study, conducted by the IT security research organisation the Ponemon Institute, aimed to identify whether device makers and HDOs are in alignment about the need to address cybersecurity risks.

The study surveyed approximately 550 individuals from manufacturers and HDOs, whose roles involve the security of medical devices, including implantable devices, radiation equipment, diagnostic and monitoring equipment, robots, as well as networking equipment designed specifically for medical devices and mobile medical apps.

Other key findings

Building secure devices is challenging. 80% of device makers and HDOs report that medical devices are very difficult to secure.

The top reasons cited for why devices remain vulnerable include accidental coding errors, lack of knowledge/training on secure coding practices and pressure on development teams to meet product deadlines.

Lack of security testing. Only 9% of manufacturers and 5% of HDOs said that they test medical devices at least once a year, while 53% of HDOs and 43% of manufacturers do not test devices at all.

Lack of accountability. While 41% of HDOs believe they are primarily responsible for the security of medical devices, almost one-third of both device makers and HDOs say no one person or function in their organisations is primarily responsible.

FDA guidance is not enough. Only 51% of device makers and 44% of HDOs follow current FDA guidance to mitigate or reduce inherent security risks in medical devices.

“These findings underscore the cybersecurity gaps that the healthcare industry desperately needs to address to safeguard the well-being of patients in an increasingly connected and software-driven world,” said Mike Ahmadi, global director of critical systems security for Synopsys’ Software Integrity Group.

“The industry needs to undergo a fundamental shift, building security into the software development lifecycle and across the software supply chain to ensure medical devices are not only safe, but also secure.”