‘Organizations need to start carefully examining what they’re doing’
MOUNTAIN VIEW, Calif. – Medical device makers and health care providers are unprepared for possible cyberattacks, according to a study released recently by security company Synopsys.
“This report doesn’t paint a good picture at all for the industry,” said Mike Ahmadi, director of critical systems security, software integrity group, at Synopsys.
Despite the likelihood of an attack, only 17% of device makers and 15% of health care providers are taking significant steps to prevent attacks, the report found.
More specifically, the report found that 67% of device makers believe an attack on one or more of their devices is likely, and 56% of health care providers believe such an attack is likely. Further, only 22% of health care providers say they have an incident response plan in place in the event of an attack, while 41% of device makers say they have such a plan.
Ahmadi said there is a lot of regulation from the U.S. Food and Drug Administration to bring a medical device to market, but security is not a big part of the process.
“Once the device is at market, it’s even less so,” he said. “And devices become less secure over time.”
In fact, the report found that more than half of health care providers do not test medical devices for security issues or are unsure if testing occurs at all. More than 40% of device makers do not test the devices they have released to find new or previously unidentified vulnerabilities.
Ahmadi said the problem is the lack of bite from the FDA. He believes the most effective way to get companies and health care providers on board with medical device security is through incentives, not punishments or fines.
“We need to move from FDA guidance to solid, enforced requirements,” he said. “It’s absolutely critical.”
Ahmadi said the FDA has taken notice of the Synopsys report and has invited his team to come in and talk about how to address the problems the report found.
“It’s clear the game has changed pretty quickly,” said Ahmadi. “Organizations need to start carefully examining what they’re doing in terms of medical device security.”