Second Annual Healthcare Survey on Connected Medical Device Security


2018

Executive Summary

The vast majority of healthcare IT professionals are very confident that their connected medical devices are protected from cyberattacks, according to the 2018 Zingbox Second Annual Connected Medical Device Survey. IT professionals said that they have real-time insight into device vulnerabilities and are well-prepared for the next cyberattack. Unfortunately, the survey also revealed that this confidence is based on the prevailing misconception that traditional IT security solutions can adequately secure connected medical devices.

The survey also sought input from clinical and biomedical engineers, who said that they are very confident about the accuracy of their connected medical device inventory, despite the fact that the most common inventory method they use is manual room-to-room audits. Survey responses also showed that clinical and biomedical engineers lack automated tools to verify which devices are in use prior to servicing, and they rely on fixed-schedule maintenance instead of real-time device usage data.

Key Findings

- 87 percent of healthcare IT professionals are confident that their connected medical devices are protected in the event of a cyberattack
- 69 percent of healthcare IT professionals believe that traditional security solutions designed for laptops and desktops can adequately secure connected medical devices
- 85 percent of clinical and biomedical engineers are confident that they have an accurate inventory of all connected medical devices
- 64 percent of responses from clinical and biomedical engineers indicate the use of manual room-to-room audits or static databases to inventory connected medical devices

About the Survey

In October 2018, Zingbox conducted its second annual Connected Medical Device Security survey. This year, Zingbox expanded the participant pool beyond healthcare IT professionals to include clinical and biomedical engineers who play crucial roles in day-to-day operations of connected medical devices. Zingbox also expanded the survey questions to cover topics of device inventory and maintenance in addition to security.

The survey collected responses from more than 200 healthcare IT professionals and 200 clinical and biomedical engineers in the U.S. The results were weighted to the U.S. census for age, gender, region, and income.

SURVEY REPORT

Confidence in Connected Medical Device and Security

Real-time insight into the vulnerabilities of connected medical devices is a critical first step in assessing an organization's overall security posture and readiness for the next wave of cyberattacks. As WannaCry and other recent malware and ransomware attacks have shown, lack of real-time insight into device vulnerabilities can leave healthcare providers unprepared for the possible widespread impact of such attacks.

Healthcare IT professionals were asked if they felt that they had real-time information about which connected medical devices may be vulnerable to cyberattacks. They were also asked if they felt confident that their connected medical devices would be protected in case of a cyberattack.

Survey question: Do you agree with the statement "My organization has real-time information on which connected medical devices may be vulnerable to cyberattacks"?

Approximately 79 percent of healthcare IT professionals believe they have real-time information on which connected medical devices may be vulnerable to cyberattacks. This is a slight increase compared to the 2017 survey result of 76 percent.

Healthcare IT professionals were equally bullish when asked whether they were confident that their connected medical devices would be protected in case of a cyberattack: 87 percent of them said they were. This is just a few percentage points below the 2017 survey result of 90 percent.

Survey question: Are you confident that your connected medical devices are protected in case of a cyberattack?

These overwhelmingly positive responses belie the true state of connected medical device security and show that there is pervasive confusion about what it takes to effectively secure these devices. Legacy solutions and static data have led to overconfidence that is often detrimental to the healthcare organization. Instead, confidence must be based on the latest technologies that offer accurate and real-time data.

Dependence on Traditional Security Solutions

As with any sound security practice, pairing the appropriate security technology with the traits and behaviors of the asset or devices being secured yields optimal results. Such practice is paramount for connected medical devices, which have unique designs and requirements. Unlike traditional IT devices, connected medical devices are not designed on standardized hardware or operating systems, making the patch process extremely difficult. They are not designed to support on-device security solutions such as anti-virus software, and blocking ports or protocols via gateways can produce unexpected results, including device malfunction.

With the unique characteristics of connected medical devices in mind, healthcare IT professionals were asked whether they felt that the traditional security solutions used to secure laptops and servers can also secure their connected medical devices.

Survey question: Do you agree with the statement "Traditional security solutions used to secure laptops and servers can secure our connected medical devices"?

More than 69 percent of healthcare IT professionals believe that traditional security solutions such as the ones used for laptops and servers can secure connected medical devices. This is a slight decrease from the 2017 survey result of 72 percent.

This finding is alarming for two reasons. First, despite the advancements made in the healthcare industry, many professionals continue to rely on security solutions designed for IT to secure Internet of Things (IoT) devices such as connected medical devices. Various healthcare providers have described how this approach presents inherent challenges and yields unsatisfactory results. It's alarming that this perception continues to persist.

Second, much of the healthcare professionals' confidence about device protection and real-time device vulnerability expressed in this survey is based on applying their past experiences with traditional IT security solutions to a very different connected medical device environment. This false sense of security can be disastrous for healthcare organizations who will be caught unprepared for the next round of ransomware or malware attacks.

Security Budget Allocation

Until recently, many healthcare organizations had not allocated budget for the security of connected medical devices. However, this trend is changing as organizations experience a rise in cyberattacks targeting connected medical devices and disrupting their ability to provide care. Other organizations have also recognized the need for a separate budget to align with the unique characteristics and requirements of connected medical devices.

Despite these encouraging trends, the survey results indicate that many healthcare organizations are still not investing enough in connected medical device security. The survey asked healthcare IT professionals whether their organizations had budget allocated for the security of connected medical devices.

Survey question: Does your organization have budget allocated to specifically secure connected medical devices?

Approximately 41 percent of healthcare IT professionals acknowledged that they either do not have a separate budget, or the allocated budget is not sufficient to secure connected medical devices.

This response provides a glimpse into the lack of alignment between the organization's business spend compared with their security needs. Despite healthcare IT professionals' confidence about the security of their connected medical devices, 4 out of every 10 IT professionals feel that the organization's budget is not aligned with their needs. A lack of priority in budget allocation is particularly alarming, since it forces IT professionals to continue to rely on traditional security solutions rather than on deploying solutions designed specifically for connected medical devices.

Device Inventory

This year's annual survey has been expanded to include clinical and biomedical engineers who often provide the first line of support for connected medical devices. They are also responsible for maintaining accurate device inventory. In addition to ensuring the availability of devices for uninterrupted care, device inventory amounts to an organization's attack surface, in other words, its possible exposure to cyberattacks. Hence, maintaining real-time and accurate device inventory is critical to ensuring the security of connected medical devices and an organization's overall security readiness.

The survey asked clinical and biomedical engineers whether they felt confident that they had real-time and accurate inventory. They were also asked how they conduct device inventory today.

Survey question: Are you confident that you have an accurate inventory of all connected medical devices deployed in your organization?

Approximately 85 percent of clinical and biomedical engineers are confident that they have an accurate inventory of connected medical devices in their networks. Approximately 64 percent of responses indicate that device inventory is conducted manually. Manual room-to-room audit is the most common method of inventory, comprising 34 percent of responses. Unfortunately, the survey reveals that this confidence about the accuracy of device inventory is misplaced.

Survey question: What process do you use to inventory connected medical devices?

Room-to-room auditing, the most common inventory process specified in the survey, is very resource-intensive, susceptible to human error, and nearly certain to be outdated by the time it's completed. Static asset management solutions are only as accurate as the manual entries inputted into the system and quickly become obsolete as devices are relocated, updated, or retired.

Device Servicing

Clinical and biomedical engineers face a well-known hurdle when scheduling device services. Naturally, connected medical devices should be scheduled for service when they are not in use by patients. The challenge arises in efficiently identifying when the devices are in use and when they are not. Accurate and real-time device usage data can greatly streamline the device service scheduling and related processes.

Clinical and biomedical engineers were asked how they determine if the device is in use before scheduling device service.

Survey question: How do you determine if a connected medical device is currently in use before servicing it?

More than half of the responses from clinical and biomedical engineers indicate that they have to manually check if the device is in use before scheduling service. Approximately 28 percent of responses indicate that clinical and biomedical engineers must walk over to the device location to manually check in person that the device is not being used.

When relying primarily on manual verification, it's all too common for device services to be scheduled, all preparations conducted, and clinical and biomedical engineers dispatched to the device location, only to find out that the device is currently in use. Often there is no other recourse than to reschedule the service for another date and time and hope for a better outcome. Organizations can better utilize clinical and biomedical engineering resources if they can proactively monitor devices and schedule services when devices are not in use.

Device Maintenance

Connected medical devices traditionally follow fixed schedule-based maintenance plans often recommended by manufacturers, resellers, or others. Although a simple process and schedule to follow, this approach does not factor in device usage, which can greatly vary across different departments on the same campus. Some healthcare providers are adopting Alternative Equipment Maintenance (AEM) programs, which allow adjustments to the recommended inspection and maintenance schedule.

The survey asked clinical and biomedical engineers what processes they use to conduct preventative maintenance on connected medical devices.

Survey question: What processes do you follow to conduct preventative maintenance on connected medical devices?

Approximately 73 percent of responses from clinical and biomedical engineers indicate that they follow some form of fixed schedule. The fixed schedule process based on manufacturer recommendations leads the pack, with 29 percent of responses.

Not surprisingly, many healthcare organizations continue to rely on a fixed schedule for device maintenance. To implement AEM programs, organizations must have reliable tools in place to be able to assess the device utilization with a high level of accuracy. With the right solution in place, however, organizations can implement AEM programs based on device utilization while avoiding unnecessary and costly maintenance.

Conclusion and next steps

In the past year, the healthcare industry has made great strides in focusing its resources on the security of connected medical devices. However, this year's survey illustrates that much more work still remains. The biggest hurdle continues to be IT professionals' misperception that traditional IT security solutions can adequately protect connected medical devices. The false sense of security that results from this belief can leave many organizations unprepared for the next cyberattack. Unfortunately, we saw very little change in respondents' mindsets from those in last year's survey.

Clinical and biomedical engineers also show similar misunderstandings. For example, because they rely on manual processes for device audits, with room-to-room auditing being the most popular method, their high confidence in the accurate inventory of connected medical devices cannot be substantiated. They still heavily rely on legacy processes, frequently having to manually check devices in use prior to servicing and follow a fixed device maintenance schedule. Adopting technologically advanced and up-to-date solutions would significantly streamline decades-old processes as well as reduce maintenance expenses.

This survey revealed several disconnects: between perceived device security and actual security coverage available from traditional IT solutions; between the need for modern security solutions and the lack of budget supporting such initiatives; and between the perceived accuracy of device inventory and the manual processes required to maintain a comprehensive account of devices used. These gaps between common perceptions and real-world security environments should serve as a wake-up call to the industry.

However, there are steps that healthcare organizations can take to combat the confusion and disconnect in the market:

- Evaluate modern security solutions designed specifically for the unique characteristics of connected medical devices
- Seek out a security solution that interoperates with existing services and solutions (i.e., CMMS and NAC solutions) to maximize ROI
- Seek out solutions that extend beyond security to include device discovery, utilization, onboarding, and operational insight

About Zingbox

Zingbox is the provider of the most widely deployed healthcare Internet of Things (IoT) analytics platform and a leader in healthcare IoT research. Zingbox helps hospitals realize the full potential of their IoT medical devices, delivering a new standard for uninterrupted quality care through device inventory, management, security, and optimization for the entire IoT environment. The company's device-specific AI-powered machine learning platform uses the first real-time deep behavioral learning technology for connected medical devices.

465 Fairchild Drive, Suite 207, Mountain View, CA
Zingbox.com