A survey of professionals working with connected medical devices in the Internet of Things has seen over a third (35%) experiencing security breaches in the last year.
The survey by Deloitte highlights that identifying and mitigating the risks of fielded and legacy connected devices presents the industry's biggest cybersecurity challenge according to respondents (above at 30.1%).
"It's not surprising that managing cyber risks of existing IoT medical devices is the top concern facing manufacturers, providers, and regulators," said Russell Jones, Deloitte Risk and Financial Advisory partner at Deloitte & Touche. "Legacy devices can have outdated operating systems and may be on hospital networks without proper security controls. Connected device cybersecurity can start in the early stages of new device development, and should extend throughout the product's entire lifecycle; but even this can lead to a more challenging procurement process. There is no magic bullet solution."
Additional cybersecurity challenges that connected medical devices presented to respondents included embedding vulnerability management into the design phase of medical devices (19.7%), monitoring and responding to cybersecurity incidents (19.5 percent), and lack of collaboration on cyber threat management throughout the connected medical device supply chain (17.9%).
"Collaboration between providers, manufacturers, and suppliers is key when it comes to bridging the gaps in medical device cybersecurity," said Jones. "This is a problem that requires the industry as a whole to come together and create a safe space where feedback and information can be shared freely."
Beyond cybersecurity risk management itself, there are post-incident risk management efforts to attend to as well. Few respondents (18.6%) say their organizations are "very prepared" to address litigation, internal investigations or regulatory matters related to medical device cybersecurity incidents in the next 12 months.
"As regulatory, litigation, and internal investigation activities start to focus on post-market cybersecurity management, leading organizations are taking a more forensic approach to discerning the timeline and size of cyber incidents so the impact to intellectual property, client data and other areas can be addressed more quickly," said Scott Read, Risk and Financial Advisory principal at Deloitte Transactions and Business Analytics. "Forensic analyses responding to regulator, litigant, or whistleblower concerns may even help predict the next moves of cyberattackers."
More than 370 professionals whose organizations operate in the medical device/IoT ecosystem responded to poll questions during the Deloitte Dbriefs webcast, "Medical devices and the Internet of Things: A three-layer defense against cyber threats," on May 23, 2017. Respondent organizations include medical device or component manufacturers (i.e., implantables, diagnostic devices, capital equipment; 31 percent); health care IT organizations (i.e., mobile app/software developers; 22 percent); medical device users (i.e., health care providers, device monitoring; 36 percent); and regulators (10 percent).
- Protecting embedded wireless devices from attack without encryption
- ON Semiconductor expands support for IoT with modular development platform
- Wireless medical sensor design looks to spin off into industrial and IoT applications
- Ford develops heart monitor in car seats
- IoT 'thingbots' set to become the next dark web