In a panel hosted by BD, three healthcare security professionals discussed the goals and trends of cybersecurity in the field. Eric Decker, Assistant Vice President and Chief Information Security Officer (CISO) at Intermountain Health, William Landry, Vice President, Technology Innovation at the Franciscan Missionaries of Our Lady Health System, Inhel Rekik, Senior Director of Information Security Engineering at BD and Moderator Scott Shindledecker sat down to talk about malware, cyber defense and how to best mitigate the cyber risk involved with medical devices.

Assessing the healthcare cyber landscape

Over the past couple of years, the monetization of ransomware has motivated cyberattacks on critical infrastructure. Whereas data recovery might mitigate the ransomware risk in other industries, in the healthcare sector, the safety net of an encrypted data locker doesn't always solve the problem. When hackers target a medical device, health systems pay the ransom to save a human life, according to Decker.

Another trend in malware is cybercriminals targeting security companies and adding malware to the code of third-party security programs. "There's an economy of the attackers breaking into an environment and selling access," said Landry. According to him, organizations must determine the conduits and amount of access that third parties have to company assets. Assessing and controlling this access is an important consideration for business owners working with third parties.

How to best protect medical devices

Segmenting and isolating legacy devices is an important step in protecting medical devices from cyberattacks, but Decker acknowledged that legacy devices necessitate a top-to-bottom security approach in order to remain truly secure. Eventually, each device will become legacy, and health systems need to create a bridge program determining how to manage these devices before they can be replaced. Looking at contracting, device implementation and monitoring can help secure medical devices throughout their lifecycle in the health system, according to Decker. The monitoring phase is critical: measuring metrics around the lifecycle of medical devices can help the system learn from their own security practices and evolve.

Cybersecurity factors into medical device purchasing decisions from the very beginning — Landry conducts a cybersecurity review of every potential product or vendor before passing them on to other departments. The Franciscan Missionaries of Our Lady Health System uses a compliance committee in the C-suite to monitor the risk of medical devices and attain the device updates necessary to remain secure.

"It's really about being a business enabler," said Rekik. A strategy to obtain buy-in from legal and other departments in an organization can involve partnering with an internal audit, which can bake security into the procuring process when interfacing with executive leadership. Rekik recommends aiming to create an environment where cybersecurity is not an afterthought and working with as many departments as possible to prioritize security goals.

Standing up for cybersecurity

When advocating for cybersecurity in medical device manufacturing and procurement, explaining the risk of medical device exploitation in simple terms can help get other departments on board, according to Rekik.

The Franciscan Missionaries of Our Lady Health System has changed reporting systems to make sure that all medical device safety flows through the security team. The health system also created a Critical Infrastructure team housed in the IT department, which dedicates their time specifically to medical device security.

Decker noted that in the past, medical device threats used to focus on resolving individual harm done through hacked medical technology. Now, cybersecurity professionals need to foreground risk mitigation and prevention in their security solutions. Patching a faulty device can lead to more problems when it comes to weak medical devices, but preparing for the worst in advance can stop attacks from ever happening.

Upcoming trends in healthcare cybersecurity

Top trends highlighted by the cybersecurity experts included:

  • Defending healthcare supply chains
  • Identifying and hiring new cybersecurity talent to protect medical devices
  • Cracking down on ransomware globally
  • Monitoring new healthcare technology like artificial intelligence
  • Increasing vulnerability disclosure from manufacturers