Synopsys report finds the medical device industry vulnerable to attack
A new report investigates whether medical device makers and healthcare delivery organizations align on the need to address cyber security risks.
In a new report, Synopsys found that 67% of medical device manufacturers and 56% of healthcare delivery organizations (HDOs) believe an attack on a medical device built or in use by their organization is likely to occur over the next 12 months.
The Synopsys report, Medical Device Security: An Industry Under Attack and Unprepared to Defend, is based on a study conducted by the Ponemon Institute, a leading IT security research organization. It identified whether device makers and HDOs are aligned regarding the need to address cybersecurity risks. The survey also found that roughly one-third of device makers and HDOs are aware of potential adverse effects to patients due to an insecure medical device. Despite the risk, only 17% of device makers and 15% of HDOs are taking significant steps to prevent such attacks.
“The security of medical devices is truly a life or death issue for both device manufacturers and healthcare delivery organizations,” said Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute, in a press release. “According to the findings of the research, attacks on devices are likely and can put patients at risk. Consequently, it is urgent that the medical device industry makes the security of its devices a high priority.”
Other key findings from the study:
- Building secure devices is challenging. 80% of device makers and HDOs report that medical devices are very difficult to secure. The top reasons cited for why devices remain vulnerable include accidental coding errors, lack of knowledge/training on secure coding practices, and pressure on development teams to meet product deadlines.
- Lack of security testing. Only 9% of manufacturers and 5% of HDOs say they test medical devices at least once a year; while 53% of HDOs and 43% of manufacturers do not test devices at all.
- Lack of accountability. While 41% of HDOs believe they are primarily responsible for the security of medical devices, almost one-third of both device makers and HDOs say no one person or function in their organizations is primarily responsible.
Chris Clark, principal security engineer at Synopsys, said of the report, “There were a lot of surprising results … but one that stood out to me the most was that 45% of HDOs have no plan for preventing attacks. They really don’t have a process in place for establishing a security policy that helps them deal with the potential vulnerabilities that are there.”
“These findings underscore the cybersecurity gaps that the healthcare industry desperately needs to address to safeguard the well-being of patients in an increasingly connected and software-driven world,” said Mike Ahmadi, global director of critical systems security for Synopsys Software Integrity Group.
