When it comes to cybersecurity in the medical device field, awareness is no longer the problem, but recognizing the threat isn't enough. As more cybercriminals target the healthcare space, medical device professionals are realizing their firms aren't ready to deal with the threat and are identifying the key hurdles to a stronger defense.

High-profile cases of devices at risk of hacking as well as hospitals and health systems besieged by ransomware attacks have made cybersecurity in the healthcare field front page news. Many device professionals are all too familiar with the issue. In a poll conducted during a May Deloitte Dbriefs webcast, "Medical devices and the Internet of Things: A three-layer defense against cyber threats," 35.6% of the more than 500 voters said a cybersecurity incident had impacted their organization in the last year.

These votes came from professionals at medical device and component companies and healthcare IT organizations, as well as medical device users and regulators.

Of the 371 voters who responded to a question, "how prepared is your organization to address litigation, internal investigations, or regulatory matters related to medical device cybersecurity incidents in the next 12 months," only 18.6% said their organizations were "very prepared." Another 55.8% said "somewhat prepared" while 12.7% responded with "not prepared." Another 12.9% chose "other/no opinion."

Asked to identify the biggest challenges for the industry on the cybersecurity front, 30.1% of participants pointed to "Identifying and mitigating the risks of fielded and legacy devices" as the top hurdle. As MD+DI has reported, legacy devices may use older versions of operating systems and may lack endpoint security software, making them an easier target and point of entry into a hospital network.

"It's not surprising that managing cyber risks of existing IoT medical devices is the top concern facing manufacturers, providers, and regulators," Russell Jones, Deloitte Risk and Financial Advisory partner, Deloitte & Touche LLP, said in a press release. "Legacy devices can have outdated operating systems and may be on hospital networks without proper security controls."

Another 19.7% of the survey participants said that "Embedding vulnerability management into the design phase of medical devices" is the top cybersecurity-focused challenge for the industry.

Jones said, "Connected device cybersecurity can start in the early stages of new device development, and should extend throughout the product's entire lifecycle; but even this can lead to a more challenging procurement process. There is no magic bullet solution."

Other major hurdles include "Monitoring and responding to cybersecurity incidents," (19.5% of votes) "Lack of collaboration on cyber threat management throughout connected medical device supply chain," (17.9%) and "Meeting regulatory requirements" (8.4%).

In the press release on the poll findings, Deloitte offers advice for medical device organizations to bolster their preparations for a cybersecurity incident: "Implement a document hierarchy," "Conduct annual--at minimum--product security risk assessments," and "Take a forensic approach to incident response."

"Forensic analyses responding to regulator, litigant, or whistleblower concerns may even help predict the next moves of cyberattackers," Scott Read, Deloitte Risk and Financial Advisory principal, Deloitte Transactions and Business Analytics LLP, said in the release.

Marie Thibault is the managing editor at MD+DI. Reach her at [email protected] and on Twitter @MedTechMarie.

[Image courtesy of STUART MILES/FREEDIGITALPHOTOS.NET]