Earlier this month at the HIMSS Healthcare Security Forum, Dr. Christian Dameff, UCSD Emergency Physician and Clinical Informatics Researcher, presented new survey data, commissioned by UCSD and sponsored by MedCrypt, on previously adverse events resulting from medical device cybersecurity breaches. While the full scope of this research is planned for future publication in an academic research journal, information about the survey data and key findings has been made available.
The study includes input from executives surveyed at 40 of the largest medical device vendors (75%) and healthcare delivery organizations (25%) both within the United States and abroad. The researchers ensured only one participant from each organization was surveyed for this study and noted that the questions posed to respondents were based on the type of organization the respondent represented.
Survey respondents revealed the existence of Adverse Events where 100 to 1,000 patients were potentially harmed by a cybersecurity breach related to compromised healthcare IT systems. An Adverse Event is defined as physical patient harm such as a disability, incapacitation, death, increased length of hospital stay, or unnecessary hospitalization.
20% of those surveyed indicated that their organization did not implement new cybersecurity policies following the FDA’s pre- and post-market cybersecurity guidance. 20% of those surveyed also indicated that their organization does not intend to implement new policies. The results are surprising given the FDA’s position that its cybersecurity guidance is mandatory. Despite the low level of current and expected compliance, 80% of survey respondents believed cybersecurity risk for medical devices is greater than the risk perceived by the media.
The findings of this study align with much of a 2017 Synopsys study conducted by the Ponemon Institute, which found the medical device and healthcare delivery industries “under attack and unprepared to defend” themselves from attacks on digital medical devices. One contrasting outcome was the Ponemon study’s report that 44% of healthcare delivery organizations, compared to 20% in the MedCrypt-sponsored study, follow FDA guidance to mitigate security risks in medical devices.
In related news, study sponsor MedCrypt, whom Medgadget interviewed earlier this year, announced $1.9M in new funding today, led by Eniac Ventures. When reached for comment on what this capital means for the business, MedCrypt CEO Mike Kijewski responded:
“We’ve amassed a large sales pipeline of device vendors who see the value in building security features directly into their devices. This funding will help us accelerate the pace at which we can get our code into these devices.
In the next six months, we expect to see many new MedCrypt-enabled devices hitting the market. A year from now, we expect to have learned a lot about what “normal” device behavior looks like in the field, and be able to better spot anomalous behavior using those learnings.”