Global Virtual Healthcare & IoMT Webinar - Recap

Kelly-Ann Downer

On Wednesday, July 20, 2022, more than twenty-five leaders from prominent healthcare organizations, medical device manufacturers, and pharmaceutical companies around the world gathered virtually to discuss cybersecurity in healthcare. The key topics were the relationship between medical device manufacturers and medical facilities, incident response planning for medical devices, and the government's response to rising cybersecurity problems in healthcare. The details shared were insightful and offer practical guidance that medical device manufacturers, and the cybersecurity professionals tasked with protecting medical devices, should consider when writing their standard operating procedures.

The first discussion was the "Executive Roundtable – Top Cyber Security Challenges." Among the issues raised was the relationship between medical device manufacturers and medical facilities, which Christopher Gates, Director of Product Security at Velentium (United States), described as "dysfunctional." Many manufacturers, he said, ignore their customers and focus too much on building and profiting from the device. When a manufacturer is focused only on getting the product to work, device security is often overlooked, which creates problems later in the device's life. What is needed, he suggested, is more conversation between the two sides so that everyone can contribute to making the device both more useful and safer for medical facilities. The most important takeaway from this discussion was the suggestion that Health Delivery Organizations (HDOs) and Medical Device Manufacturers (MDMs) look at the Model Contract Language for MedTech Cybersecurity. The purpose of that document is to begin the conversation regarding the "security, compliance, management, operation, services, and security of MDM-managed medical devices, solutions, and connections." Christopher Gates, one of the contract language's developers, hopes it can be used to help mend the relationship between HDO and MDM personnel and start the conversation about minimizing security risk in medical technologies.

The next Executive Roundtable was on Cyber Risk Management and Incident Response for Medical Devices. Incident response in the medical field is highly situational: unplugging a compromised wireless blood pressure monitor carries very different risk from unplugging a compromised respirator, as Christopher Frene, CISO of Mount Sinai South Nassau (United States), explained. Disconnecting the respirator can do more harm than the compromise itself, because it can put a patient's life at risk. Incident response is further complicated by the fact that most devices in a facility are interconnected, so isolating or updating one compromised device is not simple and can negatively affect another device. One panelist described this same problem when he was called in to update a single computer in a medical facility; he was unable to do so because of the risk to the other computers that would have been affected. That is where the Cloud Security Alliance Medical Device Incident Response Playbook comes in. Mr. Frene highly recommended the playbook for these situations. It divides medical devices into tiers of risk and gives clinical leadership guidance on how to handle different incidents while maintaining patient care.

Lastly, the Executive Roundtable – Top Cyber Security Challenges for Healthcare Organizations also led to a discussion of how the US Government is responding. Two panelists said the government is getting a grip on the situation, noting that the "FDA is going to have more TEETH after verification and validation of medical devices." The government's role is to protect, and the FDA is expected to issue more recommendations on best practices, especially for high-risk devices and legacy devices. The panelists encouraged cyber experts working in the medical field to use existing guidance such as NIST SP 800-53 and UL 2900. On the other hand, another panelist argued that not enough is being done. They made the point that many companies simply check the box that they are "secure," following HIPAA compliance only so that they do not get flagged. They do the bare minimum to pass the checks and avoid financial penalties. The facility's actual security is not examined, and there are no consequences, only strong recommendations.

All in all, this webinar highlighted several insightful topics of discussion while also offering practical information for cyber experts in the medical field. In addition to the Executive Roundtables, there were presentations from medical cybersecurity companies showing how their products are used to support security. Cybersecurity in the medical field truly matters, especially when lives are at stake. Security becomes easier when the relationship between HDOs and MDMs improves, incident response is planned in advance, and the government holds organizations accountable rather than merely recommending best practices.