How to Manage Medical Device Cybersecurity Risks

The intersection of healthcare and cybersecurity presents unique challenges, particularly when it comes to safeguarding medical devices that are critical to patient care. Medical devices, ranging from simple telemetry monitors to complex diagnostic imaging systems like MRIs and PET scanners, are marvels of modern technology. However, their reliability and precision, originally designed for clinical functionality, often conflict with the dynamic and ever-evolving demands of cybersecurity.

This article dissects key insights from a recent conversation with Phil Angler, VP of Medical Device Security at Health ISAC, offering actionable strategies to address medical device cybersecurity risks while maintaining patient safety and operational continuity.

The Legacy Technology Problem in Healthcare

One of the most pressing issues in healthcare cybersecurity is the prevalence of legacy medical devices. These devices, often built with components designed for an IT lifecycle of 5–7 years, are expected to remain operational for up to 20 years or more in clinical environments. This mismatch between component and product lifecycles creates vulnerabilities that can be exploited by cyber attackers.

Why Legacy Technology Persists

1. Extended Product Lifecycles: Medical devices are expected to deliver consistent clinical performance for decades, often outlasting the lifecycle of the technology they are built on.
2. Regulatory and Resource Constraints: Replacing or upgrading legacy devices is resource-intensive and often complicated by regulatory requirements.
3. Connectivity Challenges: Many devices initially designed as standalone systems are now networked for better monitoring and data management, inadvertently creating new attack surfaces.

Strategies to Manage Legacy Risks

To mitigate risks associated with legacy devices, healthcare delivery organizations (HDOs) should focus on:

• Threat Understanding: Assess and prioritize vulnerabilities based on their potential impact on patient safety and data security.
• Compensating Controls: Use segmentation, monitoring, and isolation to reduce exposure.
• Proactive Planning: Develop response plans tailored specifically for legacy medical devices to minimize downtime during incidents.

sbb-itb-535baee

FDA's Role in Cybersecurity: A Turning Point

The FDA’s increasing involvement in medical device cybersecurity has been pivotal. Historically, there was ambiguity about whether cybersecurity fell under the FDA’s authority, but the statutory authority granted under Section 524B affirmed that cybersecurity is a quality issue directly tied to patient safety.

Key Developments in FDA Guidance

The FDA’s updated pre-market cybersecurity guidance emphasizes secure development practices and lifecycle management. Known as the "Secure 8" principles, these include:

• Authentication: Ensuring devices can verify user identities.
• Authorization: Limiting access based on user roles.
• Encryption: Protecting data in transit and at rest.
• Integrity: Safeguarding both data and code to ensure proper functionality.
• Update and Patchability: Designing devices that can be maintained securely over their expected lifespan.

This guidance has encouraged manufacturers to adopt cybersecurity as a standard practice, fostering collaboration between developers and HDOs.

Bridging the Gap Between Manufacturers and HDOs

One of the recurring themes in medical device security is the tension between manufacturers and HDOs. Manufacturers aim to protect device functionality, while HDOs prioritize patient safety and operational efficiency.

Aligning Priorities

• For Manufacturers: Embrace uniform cybersecurity requirements across product lines and invest in training for product developers.
• For HDOs: Incorporate cybersecurity into procurement processes and demand transparency on security features and upgrade paths.

Improving Vulnerability Management

The current model for addressing vulnerabilities is often reactive, with long windows of exposure while awaiting updates. To address this:

• Separate Security Updates from Feature Upgrades: Allow security patches to be deployed independently of functionality changes to reduce delays.
• Streamline Processes: Standardize vulnerability management procedures to make updates routine, much like regular maintenance in other industries.

Interoperability and its Unique Challenges

The push for connectivity in healthcare has introduced new challenges. Devices that were once isolated are now integrated into networks, creating vulnerabilities. Interoperability, while valuable for improving care efficiency, greatly expands the attack surface.

Managing Interoperability Risks

• Risk Isolation: Segment networks and isolate high-risk devices to reduce exposure.
• Operational Testing: Ensure that updates and new features do not disrupt clinical workflows or device functionality.

Practical Steps for HDOs

HDOs must take proactive measures to address cybersecurity risks. Here are some practical strategies:

1. Start Small: Begin network segmentation with low-priority endpoints, such as connected refrigerators or vending machines, before moving to critical devices.
2. Invest in Staff Training: Educate teams on recognizing and responding to anomalies in network traffic.
3. Develop Clear Response Protocols: Empower staff to act decisively, such as halting device usage when a threat is detected.

Looking Ahead: Key Initiatives from Health ISAC

Health ISAC is spearheading several initiatives to enhance medical device security, including:

• Metrics for Secure Development: Developing metrics to measure cybersecurity quality at both executive and operational levels.
• Security Baselines for Devices: Standardizing baseline controls for medical devices to streamline procurement and improve security postures.
• Long-Term Vision for Zero Trust: Outlining a phased approach to implement robust security frameworks based on NIST 853 controls.

These efforts aim to reduce procurement cycles, foster better collaboration between manufacturers and HDOs, and create more resilient healthcare environments.

Key Takeaways

• Legacy Devices Are Here to Stay: Accepting and managing legacy technology is a necessity rather than a choice. Focus on understanding threats and implementing compensating controls.
• FDA Cybersecurity Guidance is Transformative: Secure development and lifecycle management are critical for the future of medical device security.
• Collaboration is Key: Bridging the gap between manufacturers and HDOs can lead to better-aligned priorities and more secure devices.
• Interoperability Requires Careful Oversight: Connectivity brings benefits but also increases risks; proper network segmentation and testing are essential.
• Proactive Planning Matters: Develop tailored response plans for medical devices to ensure minimal disruption during incidents.
• Health ISAC’s Initiatives Are Promising: Standardized security baselines and metrics will help streamline processes and improve device security over time.

Conclusion

The intersection of healthcare and cybersecurity requires a delicate balance between preserving clinical functionality and mitigating risks. By adopting forward-thinking strategies, leveraging regulatory guidance, and fostering collaboration, the healthcare industry can ensure that patient safety and data integrity remain paramount in an increasingly connected world. As the landscape continues to evolve, organizations must stay adaptable, informed, and proactive to navigate these complex challenges effectively.

Source: "Phil Englert on Medical Device Cybersecurity" - Claroty, YouTube, Apr 5, 2026 - https://www.youtube.com/watch?v=S4ZIKsX5770

Related Blog Posts

• 7 Critical Medical Device Security Risks in Healthcare
• NIST SP 800-213 for Medical Devices: What to Know
• 5 Challenges in Healthcare Cyber Risk Management
• Study: 162 New Medical Device Vulnerabilities Found