Deloitte Cyber Risk Services reports that identifying and mitigating risks in IoT and legacy devices is the biggest challenge of IoT medical devices.
Now the bad news: given the IoT’s poor track record with security, such devices are vulnerable to cyberattacks, and such attacks could have grave consequences, including shutting down critical medical processes and exposing patient data. This puts patient safety at great risk.
IoT medical devices don’t have security in mind
Despite this, like most other IoT devices, smart medical devices are generally not built with security in mind. A recent survey by Deloitte Cyber Risk Services found that of the 370 medical organizations polled, 36.5 percent have suffered a cyberattack in the past 12 months. 30 percent of respondents added that identifying and mitigating the risks of connected devices is their biggest security challenge.
Deloitte also reports that 19.7 percent said embedding vulnerability management into the design phase of devices was their big challenge, and 19.5 percent said it was monitoring and responding to security incidents. Nearly 20 percent (17.9 percent) said their biggest challenge was the lack of collaboration on security and threat management throughout the smart medical device supply chain.
No silver bullets for medical IoT security
“It’s not surprising that managing cyber risks of existing IoT medical devices is the top concern facing manufacturers, providers, and regulators,” says Russell Jones, Deloitte Risk and Financial Advisory partner at Deloitte.
“Legacy devices can have outdated operating systems and may be on hospital networks without proper security controls,” Jones said. “Connected device cybersecurity can start in the early stages of new device development, and should extend throughout the product’s entire lifecycle; but even this can lead to a more challenging procurement process. There is no magic bullet solution.”
Just over 55 percent said they felt their organization was somewhat prepared to address internal investigations, regulatory matters or litigation relating to medical device security incidents in the last 12 months. Just 18 percent said they were very prepared and 12 percent said they weren’t prepared at all.