Cybersecurity is a buzzword across all industries, but perhaps nowhere is it more important than in healthcare. Electronic health records contain tons of valuable data that is in high demand on the dark web.
TechNation contacted several industry experts to gather their insights on the critical topic of healthcare cybersecurity. Participants are:
• Perrish Dailey, vice president of cybersecurity, Renovo Solutions;
• Nadia ElKaissi, CHTM, biomedical engineer, healthcare technology management, VA Central Office (19HTM);
• Margaret Nardini, senior healthcare product manager, Accruent;
• Adina Schoeneman, principal product marketing manager, Claroty; and
• Haley Seubert, biomedical engineer, VA Eastern Colorado HealthCare System.

Q: WHAT DO YOU SEE AS THE BIGGEST CYBERSECURITY THREAT FACING HEALTHCARE TECHNOLOGY TODAY?
DAILEY: The biggest cybersecurity threat facing healthcare technology for medical devices today is the confluence of increasing connectivity and legacy vulnerabilities. While the shift towards interconnected medical devices offers significant benefits in terms of efficiency and patient care, many devices operate on outdated software and hardware, lacking modern security features. This creates a vast attack surface where vulnerabilities can be exploited to gain access to sensitive patient data and disrupt critical hospital systems. The sheer number of vulnerable devices across various manufacturers further exacerbates the challenge.
ELKAISSI: The biggest cybersecurity threat is the vulnerability of legacy medical devices that were not designed with modern cybersecurity threats in mind. These older devices often lack the necessary security features and can be an easy target for cybercriminals. Additionally, the increasing use of IoT (Internet of Things) devices in healthcare introduces more entry points for potential attacks, making it crucial to ensure that all devices are secure and regularly updated.
NARDINI: The biggest cybersecurity threat facing healthcare technology today is the vulnerability introduced by the increasing connectivity of medical devices and healthcare facility systems. While improving healthcare, the Internet of Medical Things (IoMT) and other connected systems expose sensitive data to cyberattacks. Threats like insecure firmware updates, physical attacks, and poorly protected communication points make healthcare environments prime targets for malicious actors. These vulnerabilities can compromise both patient safety and the integrity of healthcare operations.
SCHOENEMAN: The biggest threat facing healthcare technology today is simply incident preparedness. The Department of Health and Human Services has reported 800+ incidents under investigation and impacting healthcare providers as of recent. In this industry, we are no stranger to the impacts of ransomware, breaches, and other incidents. This is detrimental for day-to-day patient care and has everlasting operational impacts for healthcare organizations. As healthcare technology practitioners, we must put our best foot forward to be proactive in implementing cybersecurity measures remembering our guiding goal – the preservation of patient safety and uninterrupted availability of patient care.
SEUBERT: Vulnerabilities associated with outdated, unsupported, and legacy systems. Many medical devices and systems are behind on compatibility with the latest operating systems and/or it takes a lot of time and is very costly to constantly replace them to stay up to date. Being on unsupported and outdated operating systems increases risks of cybersecurity threats and attacks.
Q: HOW HAS THE APPROACH TO CYBERSECURITY CHANGED IN HTM OVER THE LAST 5 YEARS?
DAILEY: Over the past five years, HTM cybersecurity has evolved from a reactive to a proactive, integrated approach. This shift prioritizes risk management, medical device security, and collaboration with IT, driven by increased regulatory scrutiny and awareness of the severe consequences of breaches. This includes enhanced staff training, proactive vulnerability management, stricter vendor management, and investments in advanced security technologies to better protect patient data and hospital operations.
ELKAISSI: Over the past five years, the approach to cybersecurity in HTM has evolved significantly. Initially, cybersecurity was often an afterthought, but now it has become a central focus. We’ve seen a shift from reactive to proactive strategies. This includes the implementation of more robust risk management frameworks, regular vulnerability assessments, and the integration of cybersecurity measures throughout the entire life cycle of medical devices.
Additionally, there has been a greater emphasis on collaboration between IT and HTM departments to ensure that both the network and the devices are secure. Training and awareness programs for staff have also become more prevalent, ensuring that everyone understands the importance of cybersecurity and their role in maintaining it. Regulatory bodies have also introduced stricter guidelines and standards, which has pushed the industry to adopt more comprehensive cybersecurity practices.
NARDINI: Over the past five years, cybersecurity in HTM has evolved with advancements like AI and machine learning for better threat detection. Furthermore, the growth of the IoMT requires enhanced security, and the shift to cloud solutions poses new security challenges. Adopting zero-trust models has strengthened access controls while evolving regulations have pushed for stricter data protection and compliance. The approach has shifted from reactive to proactive, focusing on advanced technologies and regulatory adherence to better safeguard healthcare data.
SCHOENEMAN: There is a much greater awareness and adoption of medical device cybersecurity in general over the previous years. Asset visibility is a given at this point, which is foundational to effective cybersecurity. Roles, responsibilities and maintenance have shifted beyond just healthcare technology teams and there are much stronger working relationships between healthcare technology management professionals, IT security teams, network security and beyond. This enables us to roll out more robust and advanced cybersecurity controls – mitigating risks and streamlining operational efficiencies for healthcare organizations.
SEUBERT: Cybersecurity has definitely become a much hotter topic over the last 5 years within HTM. We’ve had to work closer with OI&T to comply with their standards for cybersecurity measures, and more robust processes to assess cybersecurity threats have been introduced into the HTM field from the procurement process all the way to implementing and sustainment measures of medical devices and systems. It’s something we constantly have to be thinking about these days through every phase, even with decommissioning devices.
Q: HOW DO YOU PRIORITIZE CYBERSECURITY IN MEDICAL DEVICE LIFE CYCLE MANAGEMENT?
DAILEY: Prioritizing cybersecurity in medical device life cycle management demands a proactive, comprehensive approach that includes thorough security assessments at every stage of the device’s life, from procurement and deployment to decommissioning. This encompasses stringent vendor vetting, strong access controls and network segmentation, regular software updates and patching, ongoing vulnerability management and penetration testing, and extensive staff training to ensure the secure handling and reporting of any suspicious activity. A robust incident response plan is essential to mitigate the impact of any successful attack.
ELKAISSI: In a VA hospital, prioritizing cybersecurity in medical device life cycle management is critical due to the sensitive nature of veteran patient data and the need for uninterrupted healthcare services. We start by incorporating cybersecurity considerations right from the procurement stage. This means evaluating potential devices for their security features and ensuring they meet the latest cybersecurity standards and regulations. Once devices are in use, we implement strict access controls and ensure that all devices are connected to secure networks. Regular software updates and patches are crucial, so we maintain a schedule to keep all devices up to date with the latest security fixes. We also conduct periodic risk assessments and vulnerability scans to identify and address potential security gaps. Training and awareness are also key components. We ensure that all staff members are educated about cybersecurity best practices and understand the importance of maintaining device security.
NARDINI: In medical device life cycle management, cybersecurity is prioritized by integrating security measures at every stage of the device’s life cycle, from design and development to decommissioning. This integration and prioritization includes conducting thorough risk assessments during the design phase, implementing robust security protocols and regular updates during deployment, and ensuring proper data encryption and access controls. Additionally, continuous monitoring and compliance with industry standards like FDA guidelines and cybersecurity frameworks ensure devices remain secure throughout their operational life. Collaboration with IT and security teams is critical to address emerging threats and provide ongoing device protection.
SCHOENEMAN: Medical device life cycle management is a critical component of effective cybersecurity. The operation of legacy devices is common, though it’s critical to know that these devices are often more vulnerable to cyber risks. Knowing if you are running devices that are end-of-life (EOL), unsupported or on outdated operating systems is important. There are also effective steps you can take from a cybersecurity perspective, such as segmenting a device on a network if you must continue to operate it while it is unsupported or more susceptible to risks. Overall, cybersecurity is a critical factor in the safe and effective operation of medical devices.
SEUBERT: In the procurement process to replace medical equipment that is end of life, we have to look through medical device assessments for cybersecurity risks. Has the device we are procuring been approved as an acceptable level of threat to use within our organization? Also, during implementation of the device, we have to comply with approved processes and make sure that the right measures are in place to reduce risk. And then, even in decommissioning devices, we have to ensure that any sensitive information on the device is properly disposed of.
Q: WHAT CYBERSECURITY BEST PRACTICES WOULD YOU RECOMMEND HTM DEPARTMENTS IMPLEMENT RIGHT NOW?
DAILEY: HTM departments should immediately prioritize these cybersecurity best practices: conduct a comprehensive inventory and risk assessment of all medical devices, focusing on vulnerabilities in outdated systems; implement network segmentation to isolate medical device networks; enforce strong access controls and authentication; establish a robust patching and updating schedule for all devices; train staff on cybersecurity awareness and incident response; and develop a comprehensive incident response plan to effectively handle security breaches. Collaboration with IT and regular security audits are also vital.
ELKAISSI: I would recommend several best practices that HTM departments should implement immediately to enhance their cybersecurity posture:
• Regular Software Updates and Patching: Ensure that all medical devices and systems are regularly updated with the latest software patches. This helps protect against known vulnerabilities that could be exploited by cyber attackers.
• Network Segmentation: Implement network segmentation to isolate medical devices from other hospital networks. This limits the potential spread of malware and reduces the risk of unauthorized access.
• Strong Access Controls: Use strong, unique passwords for all devices and systems, and implement multi-factor authentication (MFA) wherever possible. This adds an extra layer of security and makes it harder for unauthorized users to gain access.
• Continuous Monitoring: Set up continuous monitoring of network traffic and device activity to detect and respond to suspicious behavior in real-time. This helps in identifying potential threats early and mitigating them before they cause significant damage.
• Regular Risk Assessments: Conduct regular risk assessments and vulnerability scans to identify and address security weaknesses. This proactive approach helps in staying ahead of potential threats.
• Staff Training and Awareness: Provide ongoing cybersecurity training for all staff members to ensure they are aware of the latest threats and best practices. Educated staff are a critical line of defense against cyber attacks.
• Incident Response Plan: Develop and regularly update an incident response plan to ensure a swift and effective response to any cybersecurity incidents. This plan should include clear roles and responsibilities, communication protocols, and recovery procedures.
• Vendor Management: Work closely with device manufacturers and vendors to ensure they adhere to cybersecurity best practices and provide timely updates and support.
NARDINI: To prioritize cybersecurity in HTM departments, it’s important to start with regular risk assessments and adopt a Zero Trust security model. Strong data encryption is key to protecting sensitive information. We need seamless integration between HTM systems, medical devices, and IT infrastructure to ensure consistent data flow, timely security updates, and effective monitoring across the device ecosystem. Establishing clear patch management procedures, keeping devices updated, and continuously training staff on cybersecurity best practices will help reduce risks. Working closely with IT and security teams ensures a unified approach to tackling emerging threats, which strengthens our overall security posture.
SCHOENEMAN: There are three fundamental steps I would recommend to any HTM department today. First and foremost, understand what devices are on your network. Do you have an accurate, reliable system of record for your asset inventory? Are you aware of the status of these connected devices, and how they are communicating on your network? This is key. Next, take the time to understand your organization’s current risk profile. What does your security posture look like and do you have an understanding of the most prevalent exposures contributing to your risk? You may not be adequately addressing known vulnerabilities or you may be running many devices on outdated operating systems or at EOL. Know your weaknesses. Lastly, structure your efforts as a cybersecurity program by bringing together the right people, processes, and technology to proactively improve your risk posture. This should extend beyond your department by bringing in information security and other stakeholders.
SEUBERT: Some form of risk assessment is the best practice to start with. This should be done at the start – when you’re doing market research and procuring the device. This assessment can also give you general guidelines for implementation and how the device/system should be properly set up to reduce risk.
Q: HOW DO YOU STAY UPDATED ON EMERGING THREATS AND NEW CYBERSECURITY TECHNIQUES RELEVANT TO HTM?
DAILEY: Staying current on medical device cybersecurity threats and techniques involves actively monitoring industry news sources, participating in professional organizations and conferences, engaging with cybersecurity vendors and researchers, and leveraging threat intelligence feeds to proactively identify and address emerging vulnerabilities. Regularly reviewing and updating security policies and procedures based on the latest best practices and threat intelligence is also essential.
ELKAISSI:
• Government and Industry Alerts: We subscribe to cybersecurity alerts and bulletins from government agencies like the Department of Veterans Affairs, the Cybersecurity and Infrastructure Security Agency (CISA), and the Food and Drug Administration (FDA). These alerts provide timely information on new threats and vulnerabilities.
• Collaboration with Peers: We engage in regular discussions and information-sharing with colleagues and peers within the VA network and other network institutions. This collaboration helps in understanding how others are addressing similar challenges and what new techniques they are implementing.
• Vendor Partnerships: We maintain close relationships with medical device manufacturers and vendors. They often provide updates on new security features, patches, and best practices for their products.
NARDINI: To stay updated on emerging threats and new cybersecurity techniques relevant to HTM, I recommend the following practices:
• Collaboration with IT and Security Teams: Working with IT and security teams ensures a unified approach to identifying and addressing new threats.
• Alignment with Regulatory Bodies: Aligning with regulatory bodies like the FDA helps ensure compliance with the latest standards and guidelines.
• Following Threat Intelligence Sources: Staying informed about the latest cybersecurity trends and threats involves keeping up with threat intelligence sources and participating in professional communities.
• Relying on Trusted Vendors and CMMS Platforms: Using vendors and CMMS platforms with strong cybersecurity strategies provides robust protection and keeps you informed about the latest security measures.
SCHOENEMAN: Staying up to date via industry associations and publications such as TechNation is helpful. Also recommend looking beyond the field of healthcare technology management. There is a lot to learn from the overall cybersecurity industry that is constantly changing and evolving for us to adapt to improve the field of healthcare technology management.
SEUBERT: The news and learning from other incidents and completing tabletop exercises with our OI&T department where we go through practice incidents and situations.
Q: WHAT ELSE WOULD YOU LIKE TO SHARE WITH THE TECHNATION COMMUNITY?
DAILEY: RenovoSecure’s comprehensive medical device cybersecurity program is designed to safeguard medical devices throughout their life cycle, ensuring robust protection from development through to deployment and beyond. It starts with critical and high-risk vulnerability assessments and integrates security into the design and development phases of the device life cycle, embedding essential cybersecurity features like encryption and access controls from the outset. The program includes continuous software monitoring and threat detection, employing advanced security technologies and techniques to quickly identify and respond to potential vulnerabilities. Regular updates and patch management are also key components, ensuring that devices are protected against the latest threats.
ELKAISSI: I’d like to emphasize the importance of a proactive and collaborative approach to cybersecurity in healthcare technology management. Cyber threats are constantly evolving, and it’s crucial that we stay ahead by continuously improving our security measures and sharing knowledge within our community.
NARDINI: The HTM community is facing growing pressure to balance compliance, cybersecurity, and operational efficiency while supporting patient care. I believe it’s more important than ever to invest in tools and partnerships that enable greater visibility, collaboration with IT, and proactive risk management. Sharing experiences and solutions can help us raise the bar across the industry and deliver better patient experiences. Let’s keep the conversation going.
SCHOENEMAN: Working in the field of healthcare technology management and biomedical engineering is a critically important role for optimal patient care and the future of healthcare. Thank you all who are a part of this community for everything you do and if there is anything I can do to help you advance the field with technology, don’t hesitate to reach out.
SEUBERT: Cybersecurity certainly isn’t going away in the HTM field as technology continues to advance; it’s only becoming a more prevalent part of our jobs, so I think it’s important that we continue to prioritize it, address it, and learn more about it.
