Himsscast: Steps Hospitals Can Take To Protect Medical Device Cyberattcks

Fifty-three percent of medical devices have vulnerabilities known to cybercriminals, says Mark Bowling of ExtraHop.

Mark Bowling, chief risk, security, and information security officer at ExtraHop, has years of cybersecurity experience as a former FBI field executive, a nuclear engineering officer with the Navy and in various CISO roles. He knows the ins and outs of incident response, how the bad guys think and the vulnerabilities left open by hospitals.

Medical devices are susceptible to cyberattacks, but what’s vulnerable is not the device itself, but the native operating system on which the device is built, Bowling said. One scary statistic is that 53% of medical devices have known vulnerabilities that are published and easily available to cybercriminals.

In this conversation with Healthcare Finance News’ Executive Editor Susan Morse, Bowling talks about how health systems and hospitals can protect themselves and their patients.

Talking points:

  • Hospitals need to put compensating controls around medical devices to isolate them from the rest of the system.
  • Segment the networks through firewalls to isolate devices.
  • Six types of medical devices are especially vulnerable: infusion and insulin pumps; smart pens, implantable cardiac devices, wireless monitors, thermometers and temperature sensors, and security cameras.
  • Insulin pumps and pacemakers are among the most vulnerable devices.  
  • The majority of digital medical devices, 53%, in the United States, including internet-connected tools in hospitals are susceptible to cyberattacks. 
  • Endpoint protection is not always feasible for out-of-date operating systems.
  • Know what assets are in the environment and identity how they’re being managed.
  • The FDA has introduced new regulations requiring medical device manufacturers to include details of cybersecurity protections.

More about this episode:

Medical devices are inherently vulnerable to security breaches

Clinicians need the right messaging to pay attention to cybersecurity

Tips on medical device security from the product leaders’ perspective

CISA warns of Medtronic cardiac device security vulnerability

Navigating the new medical device security law

Leave a Reply

Your email address will not be published. Required fields are marked *