RSA Conference: Experts Say Medical Device Security Trending in Right Direction

June 07, 2022 - At the RSA Conference, currently being held in San Francisco and virtually, panelists gathered for a session to discuss medical device security challenges.

Audience members posed questions about the current threat landscape and experts addressed common security concerns.

Panelists Discuss Current State of Medical Device Security

The consensus among panelists was relatively positive—all three agreed that medical device security is trending in the right direction. But as previously discussed on HealthITSecurity, the lack of standards and shared responsibility in the space may be stifling well-meaning efforts to improve medical device security on a large scale.

“We have to find a way to connect together and work on something collaboratively so we can identify more practical solutions rather than talking conceptually,” Ankit Patel, panelist and business information security officer (BISO) at Humana, said during the panel.  

“We all know the issues that are out there, but we need to find a way to move toward a solution.”

Experts have repeatedly identified three main issues that make medical device security a challenge: legacy devices and systems, a lack of visibility, and the ever-changing threat landscape. The panelists also noted the rise in medical device vulnerability disclosures.

MRI machines, ultrasound machines, and the like, can incur steep costs for healthcare organizations, Patel noted. Smaller organizations cannot afford to replace medical devices every five years, and many devices can function effectively for nearly 20 years.

But legacy devices pose security risks, and every device on an organization’s network can represent an entry point, Errol Weiss, panelist and CSO of Health-ISAC, explained to the audience.

“When it comes to legacy devices, that’s where we still have some fixing to do,” Patel said.

The panelists agreed that while significant progress has been made, there are still notable paint points that are preventing medical device security efforts from fully taking hold. The experts encouraged security professionals to prioritize visibility into every connected device on their organization's network.

“If you’re citing in the CISO chair, you need to know the risk across your entire organization. The first step is visibility,” Weiss stated.

“You need to start shining the flashlight into the dark corners of these environments.”

The Industry is Moving Forward, But There Is still work to do

“I think the industry has made significant strides in the last 10 to 20 years,” Marty Edwards, VP of OT security at Tenable, mentioned during the session.

“We have started to see more security features built into the devices, and the culture in the manufacturing industry is getting better.”

Communication between medical device manufacturers, providers, and other key stakeholders must be central to medical device security initiatives. Recent efforts by industry groups and government agencies suggested that shared responsibility has become a priority.

The Healthcare & Public Health Sector Coordinating Councils (HSCC) recently published model contract language to help healthcare organizations ensure medical device security when crafting contracts with device manufacturers.

In late 2021, the FDA released best practices for communicating cybersecurity vulnerabilities to patients and caregivers. The document provided actionable tips for stakeholders to communicate connected medical device risks adequately and efficiently.

In addition, MITRE and the Medical Device Innovation Consortium (MDIC) partnered to release a playbook for medical device threat monitoring. MDCI and HSCC also recently teamed up to create a survey for medical device manufacturers with the goal of establishing medical device security benchmarks.

Of course, there is no single solution to an issue as nuanced as medical device security. But the panelists agreed that to make even more progress, the industry must tackle problems associated with legacy devices and prioritize visibility into what devices are on an organization’s network. Ideally, new medical devices will be designed with security in mind from the start.