Synopsys has today released the results of a study which found that 67% of medical device manufacturers and 56% of healthcare delivery organisations believe an attack on a medical device built or in use by their organisations is likely to occur over the next 12 months.
The survey also found that roughly a third of device makers and healthcare organisations are aware of potential adverse effects to patients due to an insecure medical device, but despite the risk only 17% of manufacturers and 15% of healthcare operators are taking significant steps to prevent such attacks.
The industry needs to undergo a fundamental shift, building security into the software development lifecycle and across the supply chain to ensure medical devices are not only safe, but also secure/p>
The report, entitled Medical Device Security: An Industry Under Attack and Unprepared to Defend follows a study conducted by the Ponemon Institute aimed at identifying whether device makers and healthcare organisations are in alignment about the need to address cyber security risks.
The study surveyed approximately 550 individuals whose roles involve the security of medical devices, including implantable devices, radiation equipment, diagnostic, and monitoring equipment, robots, and networking equipment designed specifically for medical devices and mobile medical apps.
“The security of medical devices is truly a life-or-death issue for both device manufacturers and healthcare delivery organisations,” said Dr Larry Ponemon, chairman and founder of the Ponemon Institute.
“According to the findings of the research, attacks on devices are likely and can put patients at risk.
“Consequently, it is urgent that the medical device industry makes the security of its devices a high priority."
Other key findings from the study highlight:
- Building secure devices is challenging. 80% of device makers and healthcare operators report that medical devices are very difficult to secure. The top reasons cited for why devices remain vulnerable include accidental coding errors, lack of knowledge/training on secure coding practices, and pressure on development teams to meet product deadlines
- Lack of security testing. Only 9% of manufacturers and 5% of healthcare operators say they test medical devices at least once a year, while 43% and 53% respectively do not test devices at all
- Lack of accountability. While 41% of healthcare operators believe they are primarily responsible for the security of medical devices, almost a third of both device makers and healthcare operators say no one person or function in their organisations is primarily responsible
“These findings underscore the cyber security gaps that the healthcare industry desperately needs to address to safeguard the wellbeing of patients in an increasingly-connected and software-driven world,” said Mike Ahmadi, global director of critical systems security for Synopsys’ Software Integrity Group.
“The healthcare industry continues to struggle when it comes to software security.
The security of medical devices is truly a life-or-death issue for both device manufacturers and healthcare delivery organisations
“The industry needs to undergo a fundamental shift, building security into the software development lifecycle and across the software supply chain to ensure medical devices are not only safe, but also secure.”
Click here for the full report.