Healthcare organizations must address med device cybersecurity 'knowledge gap'

Healthcare organizations must close the "knowledge gap" among the various staff members involved with medical devices to improve their cybersecurity preparedness, according to Stephen Grimes of consulting firm Strategic Healthcare Technology Associates.

Grimes, in an interview, says such entities must educate and develop procedures for their IT teams, biomedical engineers and clinicians to help them understand and more quickly react to the vulnerabilities and risks inherent in these products.

People on the IT side might not fully understand the medical side of things and vice versa, he says.

"There needs to be some significant collaboration, getting those two groups on the same page, as well as bringing in the users of these technologies, which are primarily the clinicians, but also the leadership," Grimes says.

Manufacturers also must be brought into the collaboration to help clinical engineering and IT teams secure devices in a real-world environment.

He says the average 500-bed hospital often has more than 7,500 medical devices with potential security risks that must be addressed.

"[Healthcare organizations] need to become educated about the vulnerabilities, what are the issues, and what is the scope of the challenges within their own organization," Grimes says.

In a previous interview, security researcher Billy Rios said security research is on the upswing and he expects more warnings from the U.S. Food and Drug Administration about medical devices.

Last month, the FDA issued draft guidance on postmarket cybersecurity of medical devices. It followed up on previous guidance published in October 2014 outlining how medical device makers should address cybersecurity risks in the pre-market design of their products. The IEEE Cybersecurity Initiative also published guidance on medical device security during software development.
