
Medical devices pose an increasingly serious cyber vulnerability to medical systems; due diligence is needed before an attack, Deloitte says

Roughly 30 percent said pinpointing and mitigating the risks associated with medical devices is the industry's greatest cybersecurity challenge.

Beth Jones Sanborn, Managing Editor

As cybercriminals continue to wreak havoc on the healthcare industry, a recent Deloitte study reflects the aftermath. More than one-third of surveyed professionals in the "Internet of Things-connected medical device ecosystem" said their organizations had suffered cybersecurity incidents, and 30 percent said pinpointing and mitigating the risks associated with medical devices is the industry's greatest cybersecurity challenge.

"Legacy devices can have outdated operating systems and may be on hospital networks without proper security controls," said Russell Jones, Deloitte Risk and Financial Advisory partner. "Connected device cybersecurity can start in the early stages of new device development, and should extend throughout the product's entire lifecycle, but even this can lead to a more challenging procurement process. There is no magic bullet solution."


Other challenges related to connected medical devices that respondents listed included embedding vulnerability management into the device's design, monitoring and responding to cybersecurity incidents, and the need for collaboration on cyber threat management throughout the device supply chain. Post-cyber incident concerns included a lack of preparedness for incident-related litigation, investigations, or regulatory issues.

Deloitte recommended several ways to help protect an organization from a cyber threat to its connected medical devices. First, "formalize, organize, and structure" medical device cybersecurity activities to ensure patient safety, and be sure to respond quickly to regulators, legal matters, or internal investigations. Work instructions and templates for each kind of medical device should be accessible and up to date, as should quality management system protocols and procedures.


Product security risk assessments should be conducted annually, if not more often, and should go beyond the minimum security requirements. Also, take a "forensic approach" when dealing with a cyber incident.

"Establish the incident timeline, detect anomalous behavior, and figure out what data was accessed and exposed. Forensic analysis can help your organization uncover facts as well as assist in determining what future actions you need to take in your response and remediation," Deloitte said.

Twitter: @BethJSanborn
