Talking about Cybersecurity Vulnerabilities in Medical Devices Shouldn’t be Taboo

by Nastassia Tamari, Director of Information Security Operations for BD, 05/17/2021


According to the National Vulnerability Database, 18,353 vulnerabilities were reported in 2020. That’s nearly three times the volume of vulnerabilities reported five years ago, and higher than any year in the previous two decades. Given the rise in connected devices, this increase is not entirely unexpected. If that’s the case, shouldn’t we be seeing more vulnerability disclosures related to medical devices? 

The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) publishes advisories for vulnerabilities in industrial control systems. Each advisory is given an identification number, which begins with the letters ICSA or, for vulnerabilities in medical equipment, ICSMA (for example, ICSMA-20-170-01: the prefix, a two-digit year, the day of the year on which the advisory was published, and a sequence number). This lets the healthcare industry readily identify the CISA advisories that apply to medical devices, and it also sheds light on how few medical device manufacturers have issued coordinated vulnerability disclosures through CISA in the last year. Although there are thousands of medical device manufacturers in the U.S., only eleven companies were named in ICSMA advisories in 2020, according to the agency's ICS-CERT Advisories list.
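The following script is an added example and is not part of the original article or CISA's tooling. It shows how a security team can triage a CISA advisory index by the ICSA/ICSMA prefix described above, pull the publication year out of the identifier, and count the distinct medical device vendors named in a given year, which is exactly the kind of check behind the "eleven companies" figure. The advisory ID format (ICSMA-YY-DDD-NN) is CISA's real convention; the advisory lines embedded in the script are constructed sample data with placeholder vendor names, not a real extract of the advisory list.

```python
"""Triage a CISA ICS advisory index for medical-device (ICSMA) entries.

Added example, not code from the original article or from CISA. The ID
format ICSMA-YY-DDD-NN (prefix, two-digit year, day-of-year, sequence) is
CISA's real convention; SAMPLE_ADVISORIES below is CONSTRUCTED sample data
with placeholder vendor names, not a real extract of the advisory list.
"""
import re
from collections import defaultdict

# ICSA-YY-DDD-NN covers industrial control systems, ICSMA-YY-DDD-NN medical
# devices. YY is the two-digit year and DDD the day of year of publication.
ADVISORY_ID = re.compile(
    r"^(?P<kind>ICSA|ICSMA)-(?P<yy>\d{2})-(?P<doy>\d{3})-(?P<seq>\d{2})$"
)

# Constructed sample index: "ID<TAB>Title". As on CISA's index page, the
# title begins with the vendor name. Entries that are not ICSA/ICSMA
# advisories (e.g. ICS-ALERT) are present to show they are skipped.
SAMPLE_ADVISORIES = """\
ICSMA-20-023-01\tVendorA Infusion Pump
ICSMA-20-170-02\tVendorB Patient Monitor
ICSA-20-170-03\tVendorC PLC Controller
ICSMA-20-317-01\tVendorA Infusion Pump (Update A)
ICSMA-19-318-01\tVendorD Imaging Workstation
ICSMA-21-012-01\tVendorE Ventilator
ICS-ALERT-20-063-01\tSome non-advisory alert
"""


def parse_advisory(line):
    """Return (kind, year, vendor, title) for an ICSA/ICSMA line, else None.

    Vendor is taken as the first word of the title. That is a heuristic:
    multi-word vendor names would need a lookup table in real use.
    """
    line = line.rstrip("\n")
    if not line or "\t" not in line:
        return None
    adv_id, title = line.split("\t", 1)
    match = ADVISORY_ID.match(adv_id)
    if match is None:
        return None  # alerts and other non-advisory IDs are ignored
    year = 2000 + int(match.group("yy"))
    vendor = title.split()[0]
    return match.group("kind"), year, vendor, title


def medical_vendors_by_year(text):
    """Map year -> set of vendors named in at least one ICSMA advisory."""
    vendors = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_advisory(line)
        if parsed is None:
            continue
        kind, year, vendor, _title = parsed
        if kind == "ICSMA":
            # Using a set means re-published advisories ("Update A") and
            # multiple advisories from one vendor count that vendor once.
            vendors[year].add(vendor)
    return dict(vendors)


def count_medical_vendors(text, year):
    """Number of distinct vendors with an ICSMA advisory in the given year."""
    return len(medical_vendors_by_year(text).get(year, set()))


if __name__ == "__main__":
    for year, names in sorted(medical_vendors_by_year(SAMPLE_ADVISORIES).items()):
        print(year, len(names), sorted(names))
```

Run against a tab-separated export of the real advisory index, the same functions give a per-year count of manufacturers that have gone through coordinated disclosure with CISA; the vendor-name heuristic is the part to harden first, since vendors such as those with multi-word names will otherwise be split on the first word.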

As medical device manufacturers, we have an essential role in protecting the infrastructure of healthcare around the world. To ensure our products are used safely and securely, we need to be proactive in sharing information about the latest emerging threats, new vulnerabilities in our technologies, and what our stakeholders can do to protect themselves. It’s time to make 2021 the year we move healthcare, as an industry, toward cybersecurity maturity. We can begin by embracing the following truths:

Defensive strategies are not enough. 

Healthcare is among the most heavily targeted sectors for cybercriminals. We design medical devices to be secure, and we implement reasonable administrative, technical and physical safeguards to protect against cybersecurity incidents and privacy breaches. However, defensive tactics are not enough when cybercriminals are working around the clock, 365 days a year, to exploit vulnerable systems. With systems and threats continuously evolving, no system can be 100% protected against every vulnerability. That's why we augment defensive strategies with resiliency measures.

Resiliency is about answering the question, "How quickly can you recover from an attack?", which is every bit as important as preventing the attack in the first place. A strong defensive posture can help prevent cyberattacks. Resiliency measures, such as maintaining full system backups and regularly testing that they can be restored, presume that you will be attacked and seek to limit the impact. This requires ongoing, two-way communication between healthcare providers and medical device manufacturers, because each has an important role to play in keeping medical device technology operational and secure.

Talking about cybersecurity vulnerabilities shouldn’t be taboo. 

Healthcare providers can't protect against vulnerabilities they don't know about. That's why we need to take the stigma out of talking about vulnerabilities. A recent example is Ryuk ransomware, which hit dozens of U.S. hospitals in late 2020. While phishing was the most common point of entry, cybercriminals also exploited vulnerabilities in third-party software to deny access to a device or its data. Even when hospitals have workarounds, such as restoring systems from backup and falling back to paper records, the interruption can severely impact patient care. As medical device manufacturers, we all need to be transparent about vulnerabilities that affect our products or the third-party components used in them. This enables customers to apply patches in a timely manner and, where a patch is not yet available, to apply compensating controls and mitigations to reduce risk.

It’s about doing the right thing for customers and patients.

Vulnerability disclosure is essential, not only because it demonstrates compliance with the U.S. Food and Drug Administration (FDA) Postmarket Management of Cybersecurity in Medical Devices guidance and the industry best practices noted in the Healthcare and Public Health Sector Medical Device and Health IT Joint Security Plan, but also because it enables customers to keep their systems secure and up to date. In cases where a patch is still being evaluated, it gives the customer insight into compensating controls and mitigations that can reduce risk. It's about going beyond compliance and doing what is right for customers and their patients, and ultimately protecting what society values most. To get there, medical device manufacturers need to educate customers about coordinated vulnerability disclosure processes.

In healthcare, there is a patient at the end of everything we do. That’s why the stakes are so high. It’s time to recognize that defensive strategies are not enough, and that talking openly about vulnerabilities in our technologies allows customers to strengthen their cybersecurity defenses and their resiliency. Embracing these truths and enabling ongoing, transparent communication between medical device manufacturers and healthcare providers serves patients’ best interests and demonstrates the industry’s commitment to cybersecurity maturity.


Nastassia Tamari is the Director of Information Security Operations for BD, a global medical technology company that is advancing the world of health by improving medical discovery, diagnostics, and the delivery of care. Nastassia is responsible for leading information security operations at BD, including incident response, vulnerability management, threat response, insider threat, and monitoring and detection teams across enterprise, product, and manufacturing systems for BD’s global environment.


