Medical Device Security Risks

Christopher Frenz, Director at Interfaith Medical Center, based in the USA, participates in Risk Roundup to discuss Medical Device Security Risks.


Medical devices are increasingly getting connected to the internet, hospital networks, and to other medical devices. As a result, just like any other connected computer system, medical devices are also becoming vulnerable to security breaches from cyberspace, geospace and space (CGS).

While the ongoing breaches potentially impact the safety, security and effectiveness of medical devices, they also bring to light the developing fear and mistrust towards hospitals. When human lives are at the center of this rapidly evolving, vulnerable healthcare ecosystem, the security of medical devices understandably becomes a significant risk management concern.

It is therefore important to evaluate their security risks:

  • How vulnerable are medical devices to security challenges from cyberspace, geospace and space (CGS)?
  • What is the impact of CGS integration on medical devices?
  • How prepared are healthcare organizations for their security in cyberspace, geospace and space?
  • Where is CGS connectivity taking medicine and the healthcare sector?
  • How many potential entry points does an average hospital have for hackers to get through?
  • How effective is medical device authentication?
  • What are medical device security trends?
  • How easy is it for hackers to take hospitals offline?
  • How effective is medical data security?
  • How are medical device operating system security risks managed?
  • How are medical device network security risks managed?
  • How are the security risks of implantable medical devices (IMDs) managed?
  • How is the software updated in connected as well as standalone medical devices?
  • Are patients aware of the security risks to their lives when they embed medical devices in their bodies?
  • How is the security of a medical device measured?
  • What should a cybersecurity risk management program for medical devices look like?
  • What role does social media play in security vulnerability?
  • Which are more prone to security vulnerabilities: regulated or unregulated medical devices?
  • Are the portable devices secure?
  • What are some high-profile security breaches that we have observed in implantable devices (IMDs) over the years?
  • How are hospitals monitoring medical devices?
  • Will humans be able to manage the security risks of medical devices?
  • What role will blockchain play in medical device security?
  • How many medical device security risks are insurable?
  • What are FDA recommendations for hospitals for mitigating and managing cybersecurity threats?
  • What are the FDA recommendations for medical device manufacturers for mitigating and managing cybersecurity threats?
  • Are manufacturers required to notify users of any security vulnerability update?
  • How secure are electronic health records in all their storage formats, from cloud to hard drives, servers and so on?
  • Since medical devices last for years, is there a mechanism to update the software as necessary?
  • Are medical device manufacturers accountable for implementing comprehensive cybersecurity controls throughout a product’s lifespan?
  • Is the medical device manufacturing industry taking charge to ensure that the right balance is found between functionality and security?
  • What are the key risks associated with DDoS (distributed denial of service) attacks? How is the medical device manufacturing industry addressing these risks when developing new products?
  • What role does the proliferation of connected devices play in the execution of a distributed denial of service (DDoS) attack? How should device manufacturers assume responsibility for cybersecurity risks?
  • What supply chain issues and challenges exist for medical device hardware and software developers? What industry consensus mechanisms exist on how to address these challenges?
  • What are the best practices available to address security issues?

As healthcare is on its way to becoming the largest attack surface for cybersecurity warfare, the big question is where would this end and what can be done?

As we evaluate medical device security risks, the concern that in the coming years we humans, with our limited human intelligence, will not be able to secure the medical devices surrounding us through our efforts alone is becoming very real.

For more, please watch the Risk Roundup Webcast or listen to the Risk Roundup Podcast.

About the Guest

Christopher Frenz is the Director at Interfaith Medical Center and focuses on healthcare information security and privacy. He has authored 2 computer books and over 75 technical articles. The OWASP (Open Web Application Security Project) “Secure Medical Device Deployment Standard” and “Anti-Ransomware Guide” are some of his notable publications.

About the Host of Risk Roundup
Jayshree Pandya (née Bhatt) is a visionary leader who is working passionately with imagination, insight and boldness to achieve “Global Peace through Risk Management”. It is her strong belief that collaboration between and across nations, their governments, industries, organizations and academia (NGIOA), will be mutually beneficial to all, not only in identifying and understanding the critical risks facing one nation, but also in managing the interconnected and interdependent risks facing all nations. She calls on nations to build a shared sense of identity and purpose, for how the NGIOA framework is structured will determine the survival and success of nations in the digital global age. She sees the big picture, thinks strategically and works with the power of intentionality and alignment for a higher purpose, for her eyes are not just on the near at hand but on the future of humanity!
At Risk Group, Jayshree is defining the language of risks and is currently developing thought leadership and researching the practices, tools, frameworks and systems needed to manage the “strategic and shared risks” facing nations in a “Global Age”. She believes that cyberspace cannot be secured if NGIOA works in silos within and across its geographical boundaries. As cyber-security requires an integrated NGIOA approach with a common language, she has recently launched a “cyber-security risk research center” that will merge the boundaries of “geo-security, cyber-security and space-security”.
Previously, she launched and managed “Risk Management Matters”, an online risk journal and one of the first risk publications, publishing “Industry Risk Reports of Biotechnology, Energy, Healthcare, Nanotechnology, and Natural Disasters” over the course of five years. Jayshree’s inaugural book, “The Global Age: NGIOA @ Risk”, was published by Springer in 2012.

About Risk Roundup

“Risk Roundup” is an “integrated cybersecurity and strategic security risk dialogue” for nations: their governments, industries, organizations and academia (NGIOA) in cyberspace, geospace and space (CGS). Risk Roundup is released in both audio (Podcast) and video (Webcast) format and is available for subscription at Risk Group Website, iTunes, Google Play, Stitcher Radio, Android, and Risk Group Professional Social Media.

About Risk Group
Risk Group believes that risk management, security and peace walk together hand in hand. Though security is related to management of threats and peace to the management of conflict, risk management is related to management of security vulnerabilities as well as management of conflict, and it is not possible to conceive any one of the three without the existence of the other two. All three concepts feed into each other. Risk Group believes that the security we build for ourselves is precarious and uncertain until it is secured for everyone across nations. Tradition becomes our security, so if we build a culture of managing risks effectively it will lead us to security and security will lead us to peace!

Copyright Risk Group LLC. All Rights Reserved