More than one-third of medical device professionals reported that their organizations have experienced a cybersecurity incident in the past year, according to a recent survey.

In addition, the Deloitte poll found that 37% of respondents said that their organizations did not experience such an incident in the last year, while 27% said they didn’t know if they did. The poll respondents include professionals from medical device or component manufacturers, healthcare IT organizations, medical device users, and regulators.

The respondents also said that identifying and mitigating the risks of fielded and legacy-connected devices presents the industry’s biggest cybersecurity challenge, with 30% saying that was the top risk. They also listed embedding vulnerability management into the design phase of medical devices (20%), monitoring and responding to cybersecurity incidents (20%), and lack of collaboration on cyberthreat management throughout the connected medical device supply chain (18%).

Post-incident risk management also was a concern. Only 19% said their organizations are “very prepared” to address litigation, internal investigations, or regulatory matters related to medical device cybersecurity incidents. Fifty-six percent said they were “somewhat prepared,” and 13% said they were not prepared to address these issues in the next year.

The report is available online at: