Over a third of IoT medical device organizations suffer security incidents
As the internet of things spreads into more and more areas, increasing numbers of medical devices are now connected, making them vulnerable to cyber attacks that could shut down medical processes, expose critical hospital and patient data, and ultimately put patient safety at risk.
Many medical devices are not built with cybersecurity in mind, yet a survey by Deloitte Cyber Risk Services of over 370 professionals at organizations operating in the medical device/IoT arena shows that 36.5 percent have suffered a cyber security incident in the past year.
Indeed, 30.1 percent of respondents say identifying and mitigating the risks of fielded and legacy connected devices presents the industry's biggest cyber security challenge. Additional issues that connected medical devices present include embedding vulnerability management into the design phase of devices (19.7 percent), monitoring and responding to cyber security incidents (19.5 percent), and lack of collaboration on cyber threat management throughout the connected medical device supply chain (17.9 percent).
"It's not surprising that managing cyber risks of existing IoT medical devices is the top concern facing manufacturers, providers, and regulators," says Russell Jones, Deloitte Risk and Financial Advisory partner at Deloitte & Touche. "Legacy devices can have outdated operating systems and may be on hospital networks without proper security controls. Connected device cybersecurity can start in the early stages of new device development, and should extend throughout the product's entire lifecycle; but even this can lead to a more challenging procurement process. There is no magic bullet solution."
To guard against threats, Deloitte recommends that organizations implement a document hierarchy to formalize, organize, and structure medical device cyber security activities and governance, so that they can ensure patient safety and respond more quickly to regulators, legal matters, or internal investigations.
They should also conduct product security risk assessments at least annually, and treat risk assessment procedures as ongoing processes that are revisited when business changes occur. They should take a forensic approach to incident response too, establishing the incident timeline, detecting anomalous behavior, and identifying what data was accessed and exposed.