HEALTHCARE SECURITY FORUM: A HIMSS EVENT
San Francisco, CA - June 11 - 12, 2018
By Tom Sullivan
Medical device security is an utter mess.
Consider this: The machines themselves often have 10, 15 or even 20-year lifespans and replacing those legacy devices with more secure ones en masse is simply not a realistic option.
Take the Mayo Clinic, for instance. The organization has what Clinical Information Security Director Kevin McDonald described as a boatload of medical devices anchored down by legacy products.
“Until all of our devices turnover, until manufacturers start churning out devices with security built-in, I have to deal with them,” said Kevin McDonald, Director of Clinical Information Security at the Mayo Clinic. “Security should not be the sole responsibility of healthcare providers.”
Yet accountability for testing and securing medical devices is terribly difficult to come by. Nearly one-third of hospitals and the same percentage of device manufacturers, in fact, said no one person or job function is primarily responsible for device security, according to new research conducted by the Ponemon Institute.
So just how bad could device security threats actually become in the meantime? And what are forward-looking hospitals doing to prepare?