Medical Device Security Best Practices From Mayo Clinic
Mayo's Kevin McDonald a Featured Speaker at ISMG's Healthcare Security Summit
Kevin McDonald, director of clinical information security at Mayo Clinic, says ensuring the security of medical devices requires several specific steps, stressing that there's no "silver bullet" that can do the job.
"Because of the way that some of these devices are built so well, from a physical standpoint, you can use some of these machines for 10 or 20 years," he says in an interview with Information Security Media Group. "We're going to have to figure out how we can manage the software over that lifespan as well and make sure that that stays secure."
If that cannot be done, he says, "we're going to have to figure out some way to be able to just box things off into a separate area where we've got them isolated, we've increased the monitoring of them and are able to use a lot of other compensating controls."
Everyone is looking for a silver bullet - an easy solution to device security, he acknowledges. "We have companies all the time calling us trying to sell us a whole box of silver bullets. But it's going to take a combination of user education - so that people who use these devices on patients have a better cybersecurity awareness - and healthcare delivery organizations implementing compensating controls and having good security practices, as well as the vendors having security by design."
At ISMG's Healthcare Security Summit, to be held Nov. 13-14 in New York, McDonald will participate in a panel discussion on "Medical Devices: A Long Road Ahead to Security and Privacy."
In this interview, McDonald also discusses:
- The biggest concerns around protecting medical devices from cyberattacks;
- What can be done to alleviate IoT vulnerabilities;
- Moving to a less siloed and more transparent means of sharing information about medical device security.
McDonald is director of clinical information security at Mayo Clinic. He has over 35 years of experience in a variety of healthcare-related positions including direct patient care, electronic medical record implementation, design and beta implementation of software, project management, IT support services and information security.