At HIMSS24: Risk to Medical Devices Is a Risk to Patients

March 19, 2024
At this year’s annual HIMSS conference, self-proclaimed professional hackers discuss securing the modern connected hospital.

How do we protect medical devices? This question was discussed during a cybersecurity preconference session on March 11 at HIMSS24 in Orlando. The session, titled “Securing the Modern Connected Hospital: IoT, IoMT, and OT,” was moderated by Benoit Desjardins, M.D., Ph.D., professor of radiology and medicine at the University of Pennsylvania.

“Every device has a management cycle,” said James Angle, product manager of information security at Trinity Health. Angle underscored the importance of applying security patches and being able to take the device out of service during a set maintenance period. He acknowledged that obtaining security patches from the manufacturer can take a while. He said it’s essential to understand vulnerabilities and mitigate them. Additionally, he advised that the device should be tested before being put into operation.

“If an attacker wants to get on your network, they will,” remarked Kevin Johnson, CEO of Secure Ideas LLC and a self-proclaimed hacker of medical devices. He advised focusing on protection when attackers get in. “Slow down,” he said, “so you have time to react.” Johnson advised focusing on the IT aspect, looking at the device configurations and what they connect to. “Simple firewalling,” he commented, “can prevent most device attacks if set up correctly.” Vendors assume that hospitals will make changes, he noted.

Angle and Johnson mentioned that no enforcement mechanisms are in place and that it’s the health sector’s responsibility to ensure device security. Johnson remarked that the regulations in the Biden administration's bill provide a false sense of security. He believes that vendors need to be held more accountable. “How do you prove a device is secure?” Johnson asked. “Regulation isn’t a resolution,” he said.

Audience member Dr. Christian Dameff, M.D., M.S., disagreed with the point that vendors aren’t currently held accountable. He remarked that the Food and Drug Administration (FDA) refuses to approve devices based on cybersecurity. Even though the FDA says it provides guidelines, he argued that they are more than just guidelines.
