Building a medical device security program isn't always easy – but it's worth it

In a preview of her HIMSS22 session, Tamra Durfee explains the importance of securing medical devices from a patient safety perspective and outlines key first steps for getting started.

The rise in connected medical devices has given providers the chance to access advanced diagnostic insights, allowing clinicians to monitor individuals remotely and respond to changing health needs more quickly. 

But at the same time, experts caution, the uptick in connected devices' use presents a potential security concern – one that could have a direct impact on patient safety outcomes.

"Today, medical devices are storing and transmitting data, are wearable and implantable," Tamra Durfee, virtual information security officer at Fortified Health Security, said in an interview with Healthcare IT News.  

"This exponentially increases the potential risk for patient harm if a hacker was able to take control of a medical device," she continued.

For example, she said, "There is the potential for a hacker to disrupt a patient's heart rhythm or send the wrong medication dosage."

Despite the importance of building a medical device security program, doing so from the ground up might seem daunting. Durfee, who will be presenting this March at HIMSS22, outlined a few key first steps, including identifying an executive sponsor, partnering with clinical engineering, organizing a working team, and defining a process for reportability and accountability.  

"It is extremely important to have support and buy-in at the executive level in terms of prioritizing the buildout of a medical device security program and providing the resources with time to work on it," she said.

"Without this, it may kick off, but it will not be a sustainable program that accomplishes the goal of reducing risk for the organization," she added.

She also raised the importance of including basic IT information in any medical device inventory to establish a risk score and prioritize remediation efforts. 

"You need to know where to start to reduce the most risk," she explained. "You then need the information in order to put a plan together with actionable steps to actually reduce the identified risks.

"Without basic IT information, you don’t know where to start or what steps to take," she said. Durfee acknowledged that the process of implementing a medical device security program can be a serious undertaking. Still, she said, "At the end of the day, nothing will get better if an organization does not start."  

"I hope someone is inspired to go back to their executive team and be able to use the information from this presentation to get the executive support needed to start building out a medical device security program," she added. 

"It is not an easy journey," she noted, "But it is worthwhile, and it is what we owe our patients."

Durfee will discuss more in her panel, "How to Build a Medical Device Security Program." It's scheduled for Wednesday, March 16, from 1-2 p.m. in Orange County Convention Center W330A.

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.

Women In Health ITResource Center

Stay Informed

Subscribe today to receive our FREE monthly e-newsletter