Topics
More on Medical Devices

Medical devices are inherently vulnerable to security breaches

Best practices include adopting a zero-trust approach, which means no notion of implied trust, says Anand Oswal of Palo Alto Networks.

Susan Morse, Executive Editor

Anand Oswal, senior vice president and general manager, Palo Alto Networks, spoke at the HIMSS Healthcare Cybersecurity Forum in Boston.

Photo: Susan Morse

BOSTON – Medical devices are inherently vulnerable to security breaches, according to Anand Oswal, senior vice president and general manager of Palo Alto Networks, speaking at the HIMSS Healthcare Cybersecurity Forum here on Monday.

A major reason they're vulnerable is that they're connected in a way that's not always seen, Oswal said.

"You can only secure what you can see," he said. 

These unseen vulnerabilities create risk, with the threats outpacing the ability to stop them. Cyberattacks have increased tremendously. Between 2020 and 2021, there was a 200% increase in cyberattacks in healthcare organizations, he said.

Medical devices may also be old technology. An estimated 83% of imaging systems are running at the end-of-life stage; 75% of infusion pumps have unpatched vulnerabilities; and 72% of healthcare organizations have a mix of IT and medical devices within the same network.

These factors, combined with legacy security architectures, hinder compliance, Oswal said.

Medical devices must be proactively managed for compliance. Simplify compliance by knowing how and when critical medication devices are being used, Oswal said. Simplify operations by limiting the number of point solutions, invest in existing security talent and infrastructure, automate workflows, and onboard new devices and retire old ones. 

Great things are happening with connective devices, from an enhanced patient experience to improved patient outcomes, increased efficiency and reduced costs, Oswal said. There's also a lot of good data from these connected devices, such as smart pumps measuring and ensuring drug dosages that result in a better outcome for the patient.

But connections create vulnerabilities.

Best practices include adopting a zero-trust approach. This phrase is often used but also misunderstood. 

A zero-trust approach, Oswal said, "means there can be no notion of implied trust." 

Twitter: @SusanJMorse
Email the writer: SMorse@himss.org