Talking about Cybersecurity Vulnerabilities in Medical Devices Shouldn’t be Taboo

by Nastassia Tamari, Director of Information Security Operations for BD 05/17/2021 Leave a Comment


According to the National Vulnerability Database, 18,353 vulnerabilities were reported in 2020. That’s nearly three times the volume of vulnerabilities reported five years ago, and higher than any year in the previous two decades. Given the rise in connected devices, this increase is not entirely unexpected. If that’s the case, shouldn’t we be seeing more vulnerability disclosures related to medical devices? 

The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) publishes advisories for vulnerabilities in industrial control systems. Each advisory is given an identification number, which begins with the letters ICSA or—for vulnerabilities related to medical equipment—ICSMA. This helps the healthcare industry readily identify CISA advisories that apply to medical devices, and it also sheds light on how few medical device manufacturers have issued coordinated vulnerability disclosures with CISA in the last year. Although there are thousands of medical device manufacturers in the U.S., only eleven companies reported ICSMA vulnerabilities to the agency in 2020, according to the agency’s ICS-CERT Advisories list.

As medical device manufacturers, we have an essential role in protecting the infrastructure of healthcare around the world. To ensure our products are used safely and securely, we need to be proactive in sharing information about the latest emerging threats, new vulnerabilities in our technologies, and what our stakeholders can do to protect themselves. It’s time to make 2021 the year we move healthcare, as an industry, toward cybersecurity maturity. We can begin by embracing the following truths:

Defensive strategies are not enough. 

Healthcare is the number one target for cybercriminals. We design medical devices to be secure, and we implement reasonable administrative, technical and physical safeguards to protect against cybersecurity incidents and privacy breaches. However, defensive tactics are not enough when cybercriminals are working around the clock, 365 days a year to exploit vulnerable systems. With systems and threats continuously evolving, no system can be 100% protected against any and all vulnerabilities. That’s why we augment defensive strategies with resiliency measures. 

Resiliency is about answering the question, “How quickly can you recover from an attack?”—which is every bit as important as combining defensive and offensive strategies. A strong defensive posture can help prevent cyberattacks. Resiliency measures—like enabling full system backups—presume that you will be attacked and seek to limit the impact. This requires ongoing, two-way communication between healthcare providers and medical device manufacturers, because each has an important role to play in keeping medical device technology operational and secure. 

Talking about cybersecurity vulnerabilities shouldn’t be taboo. 

Healthcare providers can’t protect against vulnerabilities they don’t know about. That’s why we need to take the stigma out of talking about vulnerabilities. A recent example is Ryuk ransomware, which hit dozens of U.S. hospitals in late 2020. While phishing attacks were the most common point of entry, cybercriminals also used third-party software vulnerabilities to deny access to a device or its data. Even when hospitals have workarounds—such as restoring systems from backup and using paper records—the interruption can severely impact patient care. As medical device manufacturers, we all need to be transparent about vulnerabilities that impact our products or third-party components used in our products. This enables customers to apply patches in a timely manner and also allows them to apply compensating controls and mitigations to reduce risk.

It’s about doing the right thing for customers and patients.

Vulnerability disclosure is essential, not only because it demonstrates compliance with the U.S. Food and Drug Administration (FDA) Postmarket Management of Cybersecurity in Medical Devices guidance and the industry best practices noted in the Healthcare and Public Health Sector Medical Device and Health IT Joint Security Plan, but also because it enables customers to keep their systems secure and up to date. In cases where a patch is still being evaluated, it gives the customer insight into compensating controls and mitigations that can reduce risk. It’s about going beyond compliance and doing what is right for customers and their patients—and ultimately protecting what society values most. To get there, medical device manufacturers need to educate customers about coordinated vulnerability disclosure processes.

In healthcare, there is a patient at the end of everything we do. That’s why the stakes are so high. It’s time to recognize that defensive strategies are not enough, and that talking openly about vulnerabilities in our technologies allows customers to strengthen their cybersecurity defenses and their resiliency. Embracing these truths and enabling ongoing, transparent communication between medical device manufacturers and healthcare providers serves patients’ best interests and demonstrates the industry’s commitment to cybersecurity maturity.


Nastassia Tamari is the Director of Information Security Operations for BD, a global medical technology company that is advancing the world of health by improving medical discovery, diagnostics, and the delivery of care. Nastassia is responsible for leading information security operations at BD, including incident response, vulnerability management, threat response, insider threat, and monitoring and detection teams across enterprise, product, and manufacturing systems for BD’s global environment.