This article was originally written and posted on Health IT Security by Jessica Davis on November 16, 2018.
According to a new report, both administrators and providers want to better protect patient data but aren’t confident in staffing, awareness, and training.
About 75 percent of providers and 62 percent of administrators feel underprepared to face cybersecurity risks, due to staffing, training, and awareness, according to a new report from medical device manufacturer Abbott and the Chertoff Group.
The analysis is based on a study of 300 physicians and 100 hospital administrators on the cybersecurity challenges they face in the hospital setting.
But while the report found 92 percent of surveyed providers and 91 percent of hospital administrators understand cybersecurity should be a priority, they don’t feel adequately prepared to handle it due to inadequate training.
The report also examined their cybersecurity posture around medical devices and the results were even more dismal: Only 15 percent of providers and 45 percent of administrators have seen or read a medical device security advisory in the last six months.
The respondents overwhelmingly stressed that cybersecurity should be a shared responsibility among all healthcare stakeholders, with 82 percent of providers and 73 percent of administrators calling for industry-wide standards and language around connected medical device security.
The report echoes similar findings from a Rave Mobile Safety report released in October. Healthcare cybersecurity is one of the top safety concerns in the hospital setting, but most are concerned about preparedness.
For the past few years, medical device security concerns have been top of mind for the healthcare sector. The Food and Drug Administration has fueled the shift toward greater standards and an easier method for vendors to report device vulnerabilities.
In fact, since FDA released its cybersecurity guidance in 2016, medical device vendors have reported 400 percent more vulnerabilities per quarter, according to research from MedCrypt.
But to Abbott and Chertoff researchers, there’s still a lot more work to be done. The healthcare industry needs to work together on three key areas: industry-wide standards and cybersecurity by design, investment in cybersecurity incident response processes, and improved education, focus and training.
To Bennet Waters, Principal and Head of the Chertoff Group’s Strategic Advisory Services, the evolving threat landscape requires the healthcare sector to be better informed about threats and how to combat them.
“Engagement across all members of the healthcare ecosystem is critical to ensure that the cybersecurity investments being proposed are effective in clinical environments and that proper cyber hygiene is being applied at every level to contain and minimize risk,” Waters said in a statement.
“Working together, this community can ensure that patients continue to receive the benefits of today’s connected medical devices, which means more responsive and effective care,” he added.
In response to these growing threats and in addition to FDA’s cybersecurity efforts, other federal groups are working to continue the work started by the Department of Health and Human Services Health Care Industry Cybersecurity Task Force of 2017.
Specifically, the National Telecommunications and Information Administration (NTIA) is working with multiple stakeholders to create greater transparency around software components. Several IT and medical device stakeholders are working on how to build, share and use a software bill of materials to reduce cyber risk.
“Industry should not compete on cybersecurity, but should provide assurance to patients that any device meets the same high standard,” the report authors wrote. “A healthcare community-wide approach with leadership from industry, regulators and health delivery organizations can help drive progress to give patients and physicians confidence in the cybersecurity of medical devices.”