Medical device industry 'not doing enough on cybersecurity'

The medical device industry appears to be under siege by cybercriminals, but it isn't taking steps to defend itself, according to two separate reports.

Over the next 12 months, two thirds of medical device manufacturers and more than half of healthcare delivery organizations (HDOs) say that a cyber-attack on one or more medical devices built or in use by their organization is 'likely' or 'very likely'.

Despite the threat, a survey by IT research organization the Ponemon Institute and chip security company Synopsys reveals that only 17% of device makers and 15% of HDOs are actively taking steps to tackle the problem, although a third were aware of the potential adverse effects to patients of an insecure medical device.

The study also found that around half (49%) of device manufacturers were not using guidance from the FDA about how to secure devices. And worryingly, it seems testing of medical devices rarely occurs. Only 9% of manufacturers and 5% of HDOs said they test medical devices at least annually, and 53% of HDO and respondents said they either do not test or are unaware if this takes place. That was also the case for 43% of device companies.

"The healthcare industry continues to struggle when it comes to software security," according to said Mike Ahmadi, global director of critical systems security for Synopsys.

"The industry needs to undergo a fundamental shift, building security into the software development lifecycle and across the software supply chain to ensure medical devices are not only safe, but also secure."

The reported lack of awareness is a particular worry, given that device security has been hitting the headlines for some times. In 2013, former U.S. Vice President Dick Cheney had the wireless capabilities of his pacemaker disabled to thwart possible assassination attempts, and just last year Johnson & Johnson warned customers that one of its wireless insulin pumps was vulnerable to hacking, with St. Jude Medical accused of having poor security for its cardiac implants.

So far there are no recorded incidents in which medical device hacking has caused patient harm, but the potential is clearly there, according to the authors of a separate study which looked at the vulnerability of pacemaker devices.

The second report—from WhiteScope—focused on a review of seven pacemaker programmers (a special computer used to monitor and adjust pacemaker devices) from four different device manufacturers and found no fewer than 8,000 known vulnerabilities that they say "highlights an industry wide issue associated with software security updates."

The picture described is one of an industry that is not using relatively simple steps such as keeping software up to date, failing to encrypt data, and not making sure only authenticated programmers can link to pacemakers. The authors also note that the four manufacturers all say they ensure devices are returned to them after use by a hospital, but they can easily be found on auction websites.

"We hope that pacemaker manufacturers work together to share innovative cyber security designs and compete on user experience and health benefits as opposed to competing on cybersecurity," they write in a blog post.