A new survey found 67 percent of medical device manufacturers and 56 percent of healthcare delivery organizations (HDOs) believe their devices are likely to be the target of a cyberattack within the next 12 months.
While many companies are concerned about the possibility of an imminent attack, most manufacturers remain unprepared. Just 17 percent of device makers and 15 percent of HDOs have taken steps to prevent cyberattacks, the survey found.
The findings are the result of a study conducted by the Ponemon Institute on behalf of Synopsys, which surveyed more than 550 medical device manufacturers and healthcare delivery companies.
The disparity between the number of companies concerned about the security of their devices and the number that are actually prepared for an attack can be explained by the challenges of properly protecting medical devices.
Eighty percent of respondents to the survey said that challenges in securing medical devices can explain the lack of preparation for an attack. Just 25 percent of respondents said they believe security protocols built into medical devices can provide adequate protection for clinicians and patients.
“Both manufacturers and users rely upon security requirements instead of more thorough practices such as security testing through the SDLC, code review and debugging systems and dynamic application testing,” the report from Synopsys said.
While there are challenges that come with testing and securing devices, the survey also found that many companies don’t put forth the effort to make sure their devices are not vulnerable to attack.
Fifty-three percent of HDOs who participated in the survey said they do no security testing on devices. Another 45 percent said they were unsure if any testing is done. Forty-three percent of medical device manufacturers said they don’t test their devices for security risks.
Attacks on medical devices have become a growing concern. Last year, the U.S. Food and Drug Administration laid out recommendations to medical device manufacturers on how to secure internet-connected devices.
Earlier this month, a widespread ransomware attack known as WannaCry hit hundreds of thousands of computer systems around the globe, including machines at National Health Service (NHS) hospitals throughout England. The attack forced the hospitals to divert emergency patients and limited their capabilities.
It was later discovered that medical devices were also at risk of being infected by the ransomware. The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team and several medical device vendors warned consumers about the potential for infection.
The Health Information Trust Alliance also issued a report that suggested devices from a number of medical device manufacturers including German electronics maker Siemens were compromised during the WannaCry infection.
The alliance also implicated German company Bayer, suggesting there was evidence devices from its subsidiary MedRad were also infected. MedRad produces devices that perform CT, MRI and PET scans.