Ponemon Study Supports CORL’s Findings on Deficiencies in Medical Device Security


The Ponemon Institute recently released the results of its study, “Medical Device Security: An Industry Under Attack and Unprepared to Defend,” which highlights critical security deficiencies in medical devices.

Highlights from the report:

  • 67% of medical device manufacturers and 56% of healthcare delivery organizations (HDOs) believe an attack on a medical device built by or in use at their organizations is likely to occur over the next 12 months.
  • Roughly one-third of device makers and HDOs are aware of potential adverse effects to patients from an insecure medical device, but despite that risk, only 17% of device makers and 15% of HDOs are taking significant steps to prevent such attacks.
  • Only 44% of HDOs follow guidance from the FDA to mitigate or reduce inherent security risks in medical devices.
  • 60% of device makers and 59% of HDOs do not share information about security risks with clinicians and patients.

This report comes on the heels of the CORL study on healthcare vendor security risk management, and it backs CORL’s finding that vendors in the medical device sector were consistently associated with weak information security postures. As the whitepaper by sister company Meditology Services, “Hijacking Your Life Support: Medical Device Security,” puts it, “medical devices have become a gateway to a healthcare organization’s domain, opening the door to a trove of patient health information and regulated data.”

Specifically, CORL’s findings showed that high-risk medical device vendors had:

  • Limited or informal processes to build security requirements into system development, implementation and engineering functions.
  • Limited or informal vendor security risk management functions to protect against supply chain threats.
  • Limited ability to provide remote support capabilities in a secure manner.
  • Inconsistent screenings of workforce members upon hiring and very limited re-screening of individuals with access to customer data.

CORL recommends that healthcare organizations require medical device vendors to align with industry-leading security standards and to obtain third-party security certification.

How does your vendor security risk management program stack up?

Email us to learn how we can help improve it.