IoT medical devices aren't as secure as you think

Zingbox released the report of its second annual Healthcare Security Survey. The survey was expanded this year to include not only IT/IS professionals, but also clinical and biomedical engineers who play critical roles in managing and securing connected medical devices.

The survey revealed a contradiction between the confidence that healthcare professionals have in the visibility of connected medical devices and security of their networks, and the inefficient and ineffective legacy processes many still rely on to keep them secure.

Legacy Solutions Can’t Effectively Secure a Network of Connected Medical Devices

The vast majority of healthcare IT professionals feel confident that the connected medical devices in their hospitals are protected in case of a cyberattack:

79 percent say their organization has real-time information about which connected medical devices are vulnerable to cyber attacks
87 percent are confident that their devices are protected in the event of a cyber attack
69 percent feel traditional security solutions for laptops and PCs are adequate to secure connected medical devices
 
Unfortunately, their confidence is not justified. “Most organizations are thinking about antivirus, endpoint protection and firewalls, but there are many devices - like medical monitoring equipment - and no one is thinking about securing them,” said Jon Booth, Bear Valley Community Hospital District IT director and Zingbox customer. Additionally, as noted in a Gartner report, Market Trends: Five Healthcare Provider Trends for 2018 published in November 2017 notes: “Generally, medical devices are not replaced for at least 10 years, with many running old software that has not been updated or patched.”

And there are other challenges: the Zingbox survey revealed 41 percent of healthcare IT professionals do not have a separate or sufficient budget for securing connected devices.

Majority of Clinical and Biomedical Engineers Still Rely on Manual Processes for IoT Devices

When asked about inventory of connected medical devices, majority of clinical and biomedical engineers (85 percent) were confident that they have an accurate inventory of all connected medical devices even though many rely on manual audits, which are prone to human error and quickly become outdated. Additional responses from clinical and biomedical engineers include:

Close to two-thirds (64 percent) of responses indicate reliance on some form of manual room-to-room audit or use of static database to inventory the connected devices in their organization
Just 21 percent of responses say their devices receive preventative maintenance based on device usage as opposed to some kind of fixed schedule
 
The survey also shows that more than half (55 percent) of responses indicate clinical/biomedical engineers must walk over to the device or call others to check on their behalf whether a device is in-use before scheduling repairs. Many make the trip only to find out that the device is in-use by patients and must try again in the future hoping for better luck.

“Despite the recent progress of the healthcare industry, the survey exemplifies the continued disconnect between perception of security and the actual device protection available from legacy solutions and processes. Unfortunately, much of the current perception stems from the use of traditional solutions, processes and general confusion in the market,” said Xu Zou, CEO and co-founder of Zingbox. “Only by adopting the latest IoT technology and revisiting decade-old processes, can healthcare providers be well prepared when the next WannaCry hits.