CHIME-KLAS Survey Measures Providers’ Confidence in Medical Device Security Programs
WASHINGTON, D.C., Oct. 5, 2018 – A survey of healthcare IT executives found that 18 percent of provider organizations had medical devices impacted by malware or ransomware in the last 18 months, although few of these incidents resulted in compromised protected health information or an audit by the Office for Civil Rights, U.S. Department of Health and Human Services. Only 39 percent of respondents said they were very confident or confident that their current strategy protects patient safety and prevents disruptions in care. Although organizations are making headway developing and maturing their overall security programs, progress has been slow, particularly when it comes to securing medical devices.
The survey was conducted by KLAS Research in collaboration with the College of Healthcare Information Management Executives (CHIME) to examine the current state of the medical device security industry and identify best practices. The results were scheduled to be presented today at the CHIME Advocacy Summit in Washington, D.C., and will be available free to providers.
“Unsecured and poorly secured medical devices put patients at risk of great harm if those devices are hacked,” said Russell Branzell, president and CEO of CHIME. “In recent years, that risk has increased exponentially as devices in hospitals and health organizations have become more and more interconnected. Our members are looking for ways to safeguard these devices, but they need resources and support to be effective.”
“Safeguarding medical devices requires a joint effort from both provider organizations and device manufacturers,” said Adam Gale, president of KLAS. “Many providers have the basic building blocks for a general security program in place and are making progress, although it is difficult and time consuming, toward developing a mature program. We also are seeing some manufacturers being more proactive and accountable.”
A total of 148 chief information officers (CIOs), chief information security officers (CISOs), chief technology officers (CTOs) and other professionals at provider organizations were interviewed about their medical device security programs, the challenges they face in securing medical devices and how they are tackling these challenges. Most of the interviews were with hospital and integrated delivery network employees, although some respondents worked in midsize to large physician practices.
Medical devices were defined as “biomedical devices used by healthcare-delivery organizations in the pursuit of patient care.” This definition excludes patient-use devices (such as pacemakers) as well as non-medical devices (such as laptops and tablets).
According to the benchmarking report, “Medical Device Security 2018,” respondents cited patient safety as their top concern with unsecured medical devices. Larger organizations were more likely to be targeted by cyber criminals, but they also were more likely to have mature security programs. Organizations that were confident about their medical security programs cited solid security policies and procedures as the leading reason for their confidence, followed by strong technology. Those that lacked confidence in their medical device security cited lack of manufacturer support as the top reason, followed by lack of asset and inventory visibility.
Overall, 96 percent identified manufacturer-related factors as a root cause of medical device security issues. Nearly all respondents reported struggles related to out-of-date operating systems or the inability to patch devices, which are major security risks. On average, respondents said the manufacturers for almost one-third of their medical devices have told them that they cannot be patched.
The survey did not ask about the Food and Drug Administration’s (FDA) role in medical device security, but many respondents raised it as an issue. Almost two-thirds said manufacturers blame FDA policies, claiming the policies prevent them from making devices more secure. About a third said FDA policies are unclear, giving manufacturers ways to skirt around responsibility, and a third said that even when policies are clear, the FDA doesn’t hold manufacturers accountable.
Internal factors also were a concern. Some 76 percent reported that their resources are insufficient and too strained to adequately secure medical devices. Almost half cited poor asset and inventory visibility as a top organizational factor, followed by ambiguous security ownership and responsibility.
Although many remained concerned about their medical device security, they also reported improvements to security programs compared to a year ago. Twenty-seven percent considered their security programs to be fully functional and 47 percent said they were developed or starting to function in 2018, compared to 16 percent and 41 percent, respectively, in 2017.
About CHIME
The College of Healthcare Information Management Executives (CHIME) is an executive organization dedicated to serving chief information officers (CIOs), chief medical information officers (CMIOs), chief nursing information officers (CNIOs) and other senior healthcare IT leaders. With more than 2,700 members in 51 countries and over 150 healthcare IT business partners and professional services firms, CHIME provides a highly interactive, trusted environment enabling senior professional and industry leaders to collaborate; exchange best practices; address professional development needs; and advocate the effective use of information management to improve the health and healthcare in the communities they serve. For more information, please visit chimecentral.org.
About KLAS Research
KLAS Research is a research and insights firm on a global mission to improve healthcare delivery by amplifying the provider’s voice. Working with thousands of healthcare professionals and clinicians, KLAS gathers data and insights on software, services and medical equipment to deliver timely reports, trends and statistical overviews. The research directly represents the provider voice and acts as a catalyst for improving vendor performance. Visit KLAS Research.