Provider executives say one-third of their medical devices are unpatchable

Medical device cybersecurity remains a chief concern for health IT executives who say manufacturers are largely to blame for vulnerabilities, particularly with older legacy devices.

Nearly one-third of health IT executives at provider organizations are concerned that a lack of medical device cybersecurity will lead to disruptions in patient care, according to a new survey by KLAS and the College of Healthcare Information Management Executives (CHIME) that included responses from nearly 150 provider organizations.

According to the survey, each provider organization has an average of 10,000 connected medical devices, one-third of which are deemed unpatchable.

Nearly 1 in 5 respondents (18%) said they had medical devices hit by a ransomware or malware attack in the last 18 months, but those attacks did not involve patient information and did not trigger an audit by the Department of Health and Human Services' Office for Civil Rights.

“Unsecured and poorly secured medical devices put patients at risk of great harm if those devices are hacked,” CHIME CEO Russell Branzell said in a statement. “In recent years, that risk has increased exponentially as devices in hospitals and health organizations have become more and more interconnected.”

Almost unanimously, respondents underscored concerns about legacy devices with out-of-date operating systems, which have been a nagging concern among cybersecurity experts. In last year’s report, the HHS Cybersecurity Task Force floated the idea of a government-sponsored “cash for clunkers” approach to get legacy devices out of circulation.

Provider executives remain overwhelmingly critical of manufacturers, with 96% blaming device makers for the root causes of security issues. Still, 68% said organizational factors play a role in security issues, citing a lack of inventory visibility as a top concern.

Executives independently raised concerns about confusion surrounding FDA policies. Even without a specific survey question, respondents said medical device manufacturers use FDA policies as an excuse not to patch equipment, leaning on the myth that security updates require 510(k) clearance.

That could change as the FDA takes on a larger role in medical device cybersecurity. Last week, the agency issued new guidance for hospitals to respond to a medical device cyberattack. The agency also plans to recommend manufacturers include a “bill of materials” to help hospitals with inventory management.

Earlier this year, FDA Commissioner Scott Gottlieb, M.D., said the agency plans to create a “go-team” for medical device cybersecurity.
