Study, legacy and fielded medical device risks pose the greatest cybersecurity challenge.
Study, legacy and fielded medical device risks pose the greatest cybersecurity challenge.

Legacy and fielded medical device risks pose the greatest cybersecurity challenge to the connect device ecosystem, a recent Deloitte study found.

Of the 370 professionals surveyed, 30.1 percent reported that identifying and mitigating the risks of fielded and legacy connected devices is one of the medical device industry's biggest cybersecurity challenges, according to the Deloitte poll.

Embedding vulnerability management into the design phase of medical devices was the next biggest challenge with 19.7 percent of respondents choosing it as their biggest challenge. Nearly the same amount, 19.5 percent, said their monitoring and responding to cybersecurity incidents proved difficult.

Collaboration on cyber threat management throughout connected medical device supply chain proved to be a challenge for 17.9 percent of respondents. As a result of these threats, 35.6 percent of surveyed professionals said their organizations have experienced a cybersecurity incident in the past year.

To combat these difficulties, researchers recommend IT pros implement layered approach to security by, implement a document hierarchy, conducting an annual—at minimum—product security risk assessments, and taking a forensic approach to incident response.

“One common theme across all of these organizations is insufficient resource allocations to address medical device security,” a Deloitte spokesperson told SC Media. “Beyond the broad issue of funding, the most critical hurdle that these companies are facing is a lack of experienced product security practitioners with the in-depth knowledge to not only tackle the problems of today, but to design their devices to remain secure and resilient against the threats of tomorrow.”

Researchers said the medical device industry must focus to build and expand their efforts to design their devices to remain secure and resilient against the threats of tomorrow.

This includes establishing or enhancing asset management capabilities for connectable medical devices so that known vulnerabilities can be tagged to device types such as CT, infusion pumps, etc. and high-risk devices can be stratified for risk management purposes.

IT pros can also help minimize risk by actively participating in or joining an ISAO such as HITRUST (or join NH-ISAC), investing in cyber war gaming to pressure test the effectiveness of existing incident response processes and supporting technology, and investing in enhancing existing SIEM/log management implementations.

A lack of collaboration between providers, manufacturers, and suppliers contributes to the increased threat risk.

“We commonly see a breakdown in communication between these key stakeholders and much of this breakdown is attributable to lack of awareness into what the various stakeholders are responsible for or are capable of doing,” researchers said. “Transparent communication of security risks and responsibilities upfront (e.g., during procurement) can assist both device manufacturers and healthcare providers.”

Researchers said it's important to design, develop, and implement solutions across people, process, and technology by using experienced personnel to secure connected products throughout their lifecycle, developing better operational procedures both from a corporate level and product level, and looking toward automating processes wherever possible to increase consistency and efficiency and proactively identify security flaws.