Healthcare industry still concerned about medical device hacking

A Ponemon survey released last week, Medical Device Security: An Industry Under Attack and Unprepared to Defend, shows that many in the healthcare industry still believe medical devices are primed for, and defenseless to, attack.

While the study’s title smacks of hyperbole – medical devices are not coming under significant attack in the wild today (yet) – the report does illustrate awareness that the medical device industry could be heading toward a cliff, Thelma & Louise style.

The Ponemon survey found that 67% of medical device manufacturers and 56% of healthcare delivery organizations (HDOs) believe an attack on a medical device built or in use by their organizations is likely to occur over the next 12 months.

About one-third of device makers and HDOs know full well the dangers to patients from poorly designed and at-risk medical devices. Still, only a minority of device makers (17%) and HDOs (15%) are doing anything substantial to mitigate the risks of such attacks.

The goal of the survey, according to Synopsys and the Ponemon Institute, was to see how device makers and HDOs align regarding the need to address medical device security. The North American survey involved 550 security professionals from manufacturers and HDOs, all people involved in securing implantable devices, radiation equipment, diagnostic and monitoring equipment, robots, as well as medical device and app networking equipment.

Key findings include:

  • Awareness of the difficulty of building secure devices. 80% of device makers and HDOs report that medical devices are very difficult to secure. Why? Top reasons cited include accidental coding errors, lack of knowledge/training on secure coding practices and pressure on development teams to meet product deadlines.
  • Lack of security testing. Only 9% of manufacturers and 5% of HDOs say they test medical devices at least once a year, while 53% of HDOs and 43% of manufacturers do not test devices at all.
  • Lack of accountability. While 41% of HDOs believe they are primarily responsible for the security of medical devices, almost one-third of both device makers and HDOs say no one person or function in their organizations is primarily responsible.
  • FDA guidance is not enough. Only 51% of device makers and 44% of HDOs follow current FDA guidance to mitigate or reduce inherent security risks in medical devices.

“The security of medical devices is truly a life or death issue for both device manufacturers and health care delivery organizations,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “According to the findings of the research, attacks on devices are likely and can put patients at risk. Consequently, it is urgent that the medical device industry makes the security of its devices a high priority.”

We’ve seen a similar movie before, but with a lot less risk and potential for horror: Many in the IT industry and online retailers saw the e-commerce security breach trainwreck coming in the late 1990s – but few did much, if anything, about it. The result was wave after wave of website breaches, credit card dumps and hacked enterprise IP.

Let’s hope that the medical industry takes a page from recent history to heart. Lives will, and do, literally depend on it.
