Medical devices are increasingly the targets of cyber thieves looking to get their hands on sensitive information. And the risks are growing rapidly.

As more devices connect to the Internet in order to feed patient data to health care providers and take advantage of the “big data” revolution, they have become more vulnerable to hackers. Thieves are preying on organizations’ poor cyber threat monitoring, lack of cohesive cybersecurity policies and weak data access controls, as well as inadequate device disposal practices.

A 2015 KPMG survey found that 81 percent of health care organizations had their data compromised within the previous two years. Common types of cyber attacks on devices include:

• Web application attacks, where thieves access information through third-party applications.
• Malware, including viruses, worms and spyware unknowingly placed on devices that can steal information.
• “Ransomware,” where malware locks a device, allowing a hacker to demand a monetary payment to unlock it.

Both device makers and the health care organizations that use medical devices must work to reduce their associated cyber risks. Earlier this year, the U.S. Food and Drug Administration released new guidelines that encourage medical device makers to implement practices to improve the cyber security of their products, including sharing cyber threat information with other manufacturers.

Organizations that want to implement the new FDA guidelines as well as improve their cybersecurity posture should consider a “one policy” approach. What this means: Rather than allowing every department of an organization—from corporate IT to legal and compliance—to handle cybersecurity their own way, they should develop a single policy that every department follows. This involves analyzing the top threats and then developing practices to minimize them.

Here are some other ways organizations can improve medical device security:

• Build cybersecurity features into new products and consider device security from concept through its eventual disposal.
• Enforce stronger device access controls and only authorize access to employees who require access.
• Conduct a routine assessment of cybersecurity vulnerabilities and establish set procedures for dealing with any vulnerabilities found.
• Establish a program and processes for facilitating timely and routine device software updates, including installing security patches and bug fixes.

Manufacturers and health care organizations that prioritize cybersecurity and take a holistic and consistent approach can greatly reduce their associated risks.