At HIMSS24: Risk to Medical Devices Is a Risk to Patients

March 19, 2024
At this year’s annual HIMSS conference, self-proclaimed professional hackers discuss securing the modern connected hospital.

How do we protect medical devices? This question was discussed during a cybersecurity preconference session on March 11 at HIMSS24 in Orlando. The session titled “Securing the Modern Connected Hospital: IoT, IoMT, and OT” was moderated by Benoit Desjardins, M.D., Ph.D., professor of radiology and medicine at the University of Pennsylvania.

“Every device has a management cycle,” said James Angle, product manager of information security at Trinity Health. Angle underscored the importance of applying security patches and being able to take the device out of service during a set maintenance period. He acknowledged that obtaining security patches from the manufacturer can take a while. He said it’s essential to understand vulnerabilities and mitigate them. Additionally, he advised that the device should be tested before being put into operation.

“If an attacker wants to get on your network, they will,” remarked Kevin Johnson, CEO of Secure Ideas LLC and a self-proclaimed hacker of medical devices. He advised focusing on protection when attackers get in. “Slow down,” he said, “so you have time to react.” Johnson advised focusing on the IT aspect, looking at the device configurations and what they connect to. “Simple firewalling,” he commented, “can prevent most device attacks if set up correctly.” Vendors assume that hospitals will make changes, he noted.

Angle and Johnson mentioned that no enforcement mechanisms are in place and that it’s the health sector’s responsibility to ensure device security. Johnson remarked that the regulations in the Biden administration's bill provide a false sense of security. He believes that vendors need to be held more accountable. “How do you prove a device is secure?” Johnson asked. “Regulation isn’t a resolution,” he said.

Audience member Dr. Christian Dameff, M.D., M.S., disagreed with the point that vendors aren’t currently held accountable. He remarked that the Food and Drug Administration (FDA) refuses to approve devices based on cybersecurity. Even though the FDA says it provides guidelines, he argued that they are more than just guidelines.
