Insecure Medical devices are enlarging surface of attacks for organizations

A study conducted by the Ponemon Institute shows insecure Medical devices are enlarging the surface of attacks for organizations.

A study conducted by the Ponemon Institute, based on a survey of 550 individuals, shows that manufacturers and healthcare delivery organizations (HDO) are concerned about cyber attacks on medical devices.

67 percent of medical device makers and 56 percent of HDOs believe that in the next 12 months their medical devices will be targeted by hackers. Unfortunately, only 25 percent of device makers and 38 percent of HDOs believe the security features implemented in the devices can adequately protect patients and the clinicians who use them.

33% of the participants in the survey confirmed they were aware of effects of cyber attacks had a negative impact on patients. Hackers can power a wide range of attacks on the devices, including ransomware attacks, denial-of-service (DoS) attacks, and hijacking of medical devices.

The most disconcerting aspect of the research is that only 17 percent of device manufacturers and 15 percent of HDOs have adopted the necessary countermeasures to prevent attacks. 40 percent of HDOs and manufacturers admitted they haven’t adopted anything to prevent attacks.

Unsecured medical devices represent an entry point for hackers in hospitals and other healthcare organizations, the bad news is that the majority of the participant to the survey believe securing medical devices is very difficult.

The study revealed that security practices in place are not effective, manufacturers and HDOs lack of practices such as security testing throughout the SDLC, code review and debugging systems and dynamic application security testing. Surveyed organizations noticed 36 percent of manufacturers and 45 percent of HDOs do not test devices. Companies that tested the medical devices admitted finding vulnerabilities and even malware into their systems.

“Medical device security practices in place are not the most effective. Both manufacturers and users rely upon following specified security requirements instead of more thorough practices such as security testing throughout the SDLC, code review and debugging systems and dynamic application security testing. As a result, both manufacturers and users concur that medical devices contain vulnerable code due to lack of quality assurance and testing procedures and rush to release pressures on the product development team.” states the report.

Another worrying data emerged with the survey is that budget increase are usually a consequence of a hacking attack.

“In many cases, budget increases to improve the security of medical devices would occur only after a serious hacking incident occurred. Device makers, on average, spend approximately $4 million on the security of their medical devices and HDOs spend an average of $2.4 million each year. As shown in Figure 9, a serious hacking incident or new regulations would influence their organizations to increase the security budget.” continues the report.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – medical devices, security)

[adrotate banner=”13″]