Provider executives say one-third of their medical devices are unpatchable

Provider executives remain concerned about vulnerabilities in legacy devices. (Getty/cifotart)

Medical device cybersecurity remains a chief concern for health IT executives who say manufacturers are largely to blame for vulnerabilities, particularly with older legacy devices.

Nearly one-third of health IT executives at provider organizations are concerned that a lack of medical device cybersecurity will lead to disruptions in patient care, according to a new survey by KLAS and the College of Healthcare Information Management Executives (CHIME) that included responses from nearly 150 provider organizations.

According to the survey, each provider organization has an average of 10,000 connected medical devices, one-third of which are deemed unpatchable.

Nearly 1 in 5 respondents (18%) said they had medical devices hit by a ransomware or malware attack in the last 18 months, but those attacks did not involve patient information and did not trigger an audit by the Department of Health and Human Services' Office for Civil Rights.

“Unsecured and poorly secured medical devices put patients at risk of great harm if those devices are hacked,” CHIME CEO Russell Branzell said in a statement. “In recent years, that risk has increased exponentially as devices in hospitals and health organizations have become more and more interconnected.”

Almost unanimously, respondents underscored concerns about legacy devices with out-of-date operating systems, which have been a nagging concern among cybersecurity experts. In last year’s report, the HHS Cybersecurity Task Force floated the idea of a government-sponsored “cash for clunkers” approach to get legacy devices out of circulation.

Provider executives remain overwhelmingly critical of manufacturers, with 96% blaming device makers for the root causes of security issues. Still, 68% said organizational factors play a role in security issues, citing a lack of inventory visibility as a top concern.

Executives independently raised concerns about confusion surrounding FDA policies. Even without a specific survey question, respondents said medical device manufacturers use FDA policies as an excuse not to patch equipment, leaning on the myth that security updates require 510(k) clearance.

That could change as the FDA takes on a larger role in medical device cybersecurity. Last week, the agency issued new guidance for hospitals to respond to a medical device cyberattack. The agency also plans to recommend manufacturers include a “bill of materials” to help hospitals with inventory management.

Earlier this year, FDA Commissioner Scott Gottlieb, M.D., said the agency plans to create a “go-team” for medical device cybersecurity.
