More than half of provider organizations lack a strong degree of confidence in their medical device security, according to a survey by KLAS and the College of Healthcare Information Management Executives.
The majority of surveyed provider groups said they attributed security problems to the device manufacturers, particularly if the devices can't be properly updated or patched. The problem is widespread—affecting about a third of respondents' medical devices—and is exacerbated by the fact that medical devices tend to have long life cycles.
These unpatched and out-of-date devices are particularly susceptible to hackers, who can take advantage of vulnerabilities that have otherwise been patched.
That was what happened with the WannaCry ransomware in May 2017, when hackers targeted computers running outdated versions of Microsoft Windows.
"Medical device manufacturers make every effort to address cybersecurity throughout the product lifecycle," said a spokesperson from the Advanced Medical Technology Association, a medical device trade group. "Cybersecurity is a shared responsibility among all healthcare stakeholders, and all players must do their part."
About 18% of provider organizations surveyed by KLAS experienced malware attacks on medical devices in the past 18 months.
Some organizations have been looking to the Food and Drug Administration for guidance. Since WannaCry hit, the agency has released its Medical Device Safety Action Plan, which includes suggestions for improved security. Earlier this week, the FDA, in collaboration with the Mitre Corp., launched a "regional incident preparedness and response playbook" for medical device cybersecurity.
FDA Commissioner Dr. Scott Gottlieb said the agency would update its 2014 premarket guidance for devices in the coming weeks.
But respondents to the KLAS-CHIME survey still took issue with FDA policies, which they said restricted them to the point of being unable to strengthen their devices' security.
Security isn't just an external issue. More than 76% of respondents said a lack of resources limited their security capabilities.
"Our members are looking for ways to safeguard these devices, but they need resources and support to be effective," CHIME CEO and President Russell Branzell said in a statement.
Insufficient resources might cause organizations to keep inaccurate inventories of their devices and of those devices' security status.
Some are calling for manufacturers to supply users with software bills of materials, so they know what components are in their systems, said Jessica Wilkerson, a professional staff member for the House Energy and Commerce Committee, speaking at CHIME's Advocacy Summit Thursday. "You can't protect what you don't know you have."