Provider executives say one-third of their medical devices are unpatchable

Medical device cybersecurity remains a chief concern for health IT executives who say manufacturers are largely to blame for vulnerabilities, particularly with older legacy devices.

Nearly one-third of health IT executives at provider organizations are concerned that a lack of medical device cybersecurity will lead to disruptions in patient care, according to a new survey by KLAS and the College of Healthcare Information Management Executives (CHIME) that included responses from nearly 150 provider organizations.

According to the survey, each provider organization has an average of 10,000 connected medical devices, one-third of which are deemed unpatchable.

Nearly 1 in 5 respondents (18%) said they had medical devices hit by a ransomware or malware attack in the last 18 months, but those attacks did not involve patient information and did not trigger an audit by the Department of Health and Human Services' Office for Civil Rights.

“Unsecured and poorly secured medical devices put patients at risk of great harm if those devices are hacked,” CHIME CEO Russell Branzell said in a statement. “In recent years, that risk has increased exponentially as devices in hospitals and health organizations have become more and more interconnected.”

Almost unanimously, respondents underscored concerns about legacy devices with out-of-date operating systems, which have been a nagging concern among cybersecurity experts. In last year’s report, the HHS Cybersecurity Task Force floated the idea of a government-sponsored “cash for clunkers” approach to get legacy devices out of circulation.

Provider executives remain overwhelmingly critical of manufacturers, with 96% blaming device makers for the root causes of security problems. Still, 68% said organizational factors play a role in security issues, citing a lack of inventory visibility as a top concern.

Executives independently raised concerns about confusion surrounding FDA policies. Even without a specific survey question, respondents said medical device manufacturers use FDA policies as an excuse not to patch equipment, leaning on the myth that security updates require 510(k) clearance.

That could change as the FDA takes on a larger role in medical device cybersecurity. Last week, the agency issued new guidance for hospitals to respond to a medical device cyberattack. The agency also plans to recommend manufacturers include a “bill of materials” to help hospitals with inventory management.

Earlier this year, FDA Commissioner Scott Gottlieb, M.D., said the agency plans to create a “go-team” for medical device cybersecurity.