I’m co-leading this effort with two colleagues, and we’re on track to publish by fall 2025. We’re excited about this work and eager for feedback on this new methodology for addressing systemic risk.
HCB News: Building on those resources, how should healthcare leaders prepare for cyber incidents involving medical devices, and what role does HTM play?
SJ: Downtime and response plans need to be developed, tested, and rehearsed. How will hospitals provide care without a network, access to data stores, or connections to third parties? How will images be taken—or read? How will tests be performed, and drugs and therapies delivered? How will reports and results be shared with providers? How will teams communicate? How will patients be transferred? How will charges be collected? How will supplies be ordered and delivered?
All these questions need to be discussed and planned for, documented and tested, refined and refreshed regularly. Any workflows, changes, or workarounds that affect medical devices must include HTM involvement in the planning, testing, and response phases.
HCB News: What are your recommendations for managing medical device cybersecurity with limited resources?
SJ: Prioritize, and then determine which types of mitigations can be implemented. Your cross-functional IT, cybersecurity, HTM, and risk teams should work together to assess devices and categorize them by risk level.
High-risk devices need specific plans in place—but those plans don’t always have to be implemented solely by HTM. In some cases, network-based security mitigations can be applied, requiring little or no direct involvement from HTM teams. While HTM may provide input on how devices are used, IT often handles the technical implementation.
Teams should also explore enabling automatic updates or patches for systems that support them. These automated processes can be integrated into IT’s existing patching workflows, leveraging current automation tools and minimizing the burden on already resource-constrained departments.
By prioritizing automated or network-level mitigations first, the remaining work required for high-risk devices becomes more manageable and realistic for teams to address.
HCB News: How can manufacturers and providers collaborate better for ongoing cybersecurity support?
SJ: The biggest challenge is communication. Ideally, setting clear expectations for all communications (including timing, content, response time, etc.) and patching during the acquisition process gives hospitals the most leverage. Even so, most hospitals have very little ability to influence manufacturers’ internal processes or the type and content of communications and patches. But instead of throwing up our hands and giving up, we need to keep requesting information and holding vendors accountable for producing patches promptly. We need timely and transparent updates to keep patients safe.
For hospitals having trouble obtaining necessary information, the FDA requests that they report issues using the MedWatch reporting process at https://www.accessdata.fda.gov/scripts/medwatch/index.cfm. Reporting gives the FDA a broader understanding of issues, enabling them to set expectations that align with current regulations.