Many Providers Lack Dedicated Budget For Connected Medical Device Security

Posted on November 5, 2018 I Written By

Anne Zieger is veteran healthcare branding and communications expert with more than 25 years of industry experience. and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also worked extensively healthcare and health IT organizations, including several Fortune 500 companies. She can be reached at @ziegerhealth or www.ziegerhealthcare.com.

A new vendor survey has concluded that while most providers haven’t dedicated much of their budget specifically to managing and securing connected devices, most are convinced they have the situation under control.  Rightly or wrongly, this seems to be part of a larger picture in which support for connected health devices hasn’t matured as much of the rest of the IT infrastructure.

The survey, which was conducted by Zingbox, developer of a healthcare Internet of Things analytics platform, collected responses from about 200 healthcare IT professionals in 200 clinical/biomedical engineers in the U.S., weighting results to US census levels for age, gender, region, and income.

According to Zingbox researchers, 87% of healthcare IT professionals responding to the survey said they were confident that their connected medical devices were protected from cyberattacks, and 79% said that their organization had real-time information of which on these devices might be vulnerable to cyberattacks.

Also, 69% said they believe that existing security solutions using secure laptops and servers were capable of securing their connected medical devices. Not surprisingly, the vendor’s report argued that this may not be the case, given that they aren’t designed to support on-device security solutions like anti-virus software, and that the blocking ports or protocols via gateways lead to problems that include device malfunction.

When asked whether their organizations had a budget allocated specifically to securing connected medical devices, 53% said yes, and that the amount was sufficient, while 41% said no, that they didn’t have dollars allocated to the problem or hadn’t set aside enough dollars. (I’d be interested to know how they decided whether their device security was adequate; given the relative youth of this category their standards might be worth a look.)

Meanwhile, roughly 85% of clinical/biomedical engineers said they were confident they had an accurate inventory of connected medical devices in their network, with 64% of respondents noting that such device inventories were completed manually. Thirty-four percent said they did a manual room-to-room audit to get this job done, and about 30% said they did static asset management.

To determine which devices were in use, 55% of respondents said they did so manually, while 38% said they used an automated solution. Of those clinical/biomedical engineers doing manual checks, 28% walk over to the device location to check in person, and 27% find out by contacting someone.

To keep these devices online, 73% of these engineers said they conducted maintenance on a fixed schedule, including 29% that followed manufacturer recommendations, 27% adhering to internal schedules and 17% taking a cue from reseller recommendations.