Securing Connected Hospitals: Key Insights from the Cybersecurity Summit
The proliferation of connected medical devices in healthcare has created a complex cybersecurity challenge that hospital staff grapple with daily. At the MedTech Seminar of this year’s Cyber Security Summit, sponsored by Asimily, a panel of healthcare and medical device cybersecurity experts gathered to discuss the critical challenges and strategies for securing connected medical devices. The podcast, moderated by Charlie Mohn from Asimily, featured insights from Sam Stevens (Information Security Director at Essentia Health), Yan Krovchenko (Director of Core Technology and Information Security at Hennepin Healthcare), and Dan Lyon (Director of Product Cybersecurity at Boston Scientific). Their insights were plentiful; this blog post distills the key takeaways.
Prioritizing Risks is a Must Amidst a Sea of Vulnerabilities
Identifying and addressing vulnerabilities across thousands of medical devices is a daunting task. The panelists emphasized the importance of moving beyond a simplistic CVSS-based prioritization approach. Instead, they described frameworks that categorize devices based on data sensitivity and potential patient impact. This allows security teams to focus remediation efforts on the vulnerabilities that pose the greatest risk.
Even “critical” vulnerabilities don’t always translate to real-world threats, given the unique hospital environment and device usage patterns. Fostering open, cross-functional discussions to assess the true risk is key to making informed decisions about which issues to tackle first.
Navigating the Complexities of Third-Party Risks
Healthcare organizations are highly dependent on a web of third-party vendors, from device manufacturers to service providers, and that dependence exposes the organization to risk. To combat this, the panelists shared strategies such as implementing a more structured vendor risk assessment process and leveraging tools to centralize and streamline the collection of security information.
Questionnaires and paper-based assessments often fail to paint an accurate picture because they leave a lot of room for interpretation. The need to balance security with operational realities, such as allowing vendors rapid access during emergencies, adds a layer of complexity. By leveraging technology to help determine the safest vendors and manufacturers, healthcare organizations can save time and ultimately reduce risk.
Balancing Patient Care with Medical Device Security
Device manufacturers and healthcare providers often need to find a balance in achieving the best outcomes for patients while maintaining security best practices. Ensuring the safety and efficacy of therapies delivered by connected devices requires extensive testing before any changes can be made – a process that is fundamentally at odds with the speed of the cybersecurity landscape.
This creates a difficult trade-off for healthcare providers, who may have to choose between leaving known vulnerabilities unpatched or risking disruptions to critical medical equipment. Collaboration between manufacturers and providers to find innovative solutions is clearly needed.
Overcoming the Device Visibility Gap
Healthcare providers cannot secure what they don’t know about. A common theme that emerged was the struggle to gain comprehensive visibility into all the connected devices across large healthcare networks. Even basic asset management – knowing what devices are present and where they are located – remains a significant challenge.
Passive monitoring tools can help, but the panelists emphasized that the data must be translated into actionable intelligence that can drive remediation efforts. Integrating this information with other security tools and processes is key to transforming visibility into effective vulnerability management.
Maintaining a Collaborative, Solutions-Oriented Mindset
Underlying all of these challenges is the sheer scale and complexity of the problem. The panelists stressed the importance of cybersecurity professionals in healthcare maintaining a positive, solutions-focused mindset. Collaboration, both internally and across the industry, is essential to making progress.
By fostering open dialogues, leveraging collective knowledge, and continuously exploring new approaches, healthcare organizations can navigate the treacherous waters of medical device cybersecurity. It’s a daunting task, but one that is critical to protecting patient safety and the integrity of our healthcare systems.