Hospitals have a low level of accountability for connected device breaches


Dive Brief:

  • Hospitals fail to take basic security measures and have low levels of accountability for cyberattacks, ransomware and data theft resulting from hacked medical devices, new research shows.
  • More than half of respondents to a survey of healthcare executives from cybersecurity firm Cynerio and research group Ponemon Institute said senior management does not require that risks from medical devices or devices connected to the internet be properly monitored or managed.
  • While 46% said they had taken appropriate security measures to secure medical devices, 49% said they did not measure the effectiveness of device security procedures. Meanwhile, of the 43% of organizations that reported a data breach in the past two years, 88% said at least one connected device was a contributing factor to the breach.

Overview of the dive:

Hospitals are becoming prime targets for cybercriminals looking to get their hands on lucrative patient data. Hacks have been on the rise in recent years and hit record highs in 2021, according to multiple reports, although early data from 2022 suggests the rate of data breaches may be on the decline.

Internet-connected medical devices are a potential area of attack for cybercriminals. Devices can be particularly vulnerable as many use outdated or insecure software, hardware and protocols, even as the number of connected medical devices used by hospitals is rapidly increasing.

Cybersecurity incidents are the top medical device security concern in 2022, according to a nonprofit.

Cynerio and the Ponemon Institute interviewed more than 500 US hospital and health system leaders for their new report.

Some 56% of respondents said attacks on internet-connected devices lengthen patient stays, while 48% of respondents said they lead to the theft of patient data.

Yet only an average of 3.4% of hospital IT budgets are spent on device security, according to the survey.

Hospitals may have to face a real threat to rationalize new investments. Among the top factors that would drive increased investment in medical device security are a serious incident of a device being hacked, followed by concerns about relationships with clinicians and third parties and potential loss of customers or revenue due to a security incident, according to the survey.

Another issue is poor monitoring of device ecosystems. According to the report, 67% of organizations do not maintain an inventory of their IoT-connected devices.

Respondents also noted a lack of clear ownership around device security, with no clearly agreed-upon stakeholders to protect the security of connected devices. Some respondents said safety decisions rest with the CIO or CTO, while others named biomedical engineers, the chief executive, or “almost everyone in between,” according to the report.

