The Complexity of Managing Medical Device Security RiskPhil Englert of H-ISAC on the Challenges of Extreme Device Diversity
The tens of thousands of very specialized types of medical devices used in clinical settings contain multitudes of diverse architectures and systems. That myriad of technical specifications adds to the complexity healthcare organizations and manufacturers face in managing cybersecurity risk, says Phil Englert, director of medical device security at the Health Information Sharing and Analysis Center.
"It's very difficult for organizations to understand and quantify where the risks lie, how to put programs in place and how to approach this," he says.
But those challenges are not faced only by the healthcare entities that use these devices, he says.
"It's also the manufacturers themselves - especially the large ones that have multiple product lines that are distinctively different from each other. It's difficult to say, 'This set of controls will work ubiquitously across these technologies,'" he says.
"That diversity is really the challenge for the industry as a whole," he says. "Being able to segment those challenges into manageable chunks and identify the similarities that can be managed with the same sorts of solutions … is the key to moving forward."
In the interview (see audio link below photo), Englert also discusses:
- Why legacy medical device cybersecurity challenges are especially difficult;
- Steps healthcare organizations should consider taking to help improve security risk management and incident response involving medical devices;
- His long career in medical device cybersecurity leading him to recently join H-ISAC in a brand-new position to help enhance and expand the organization's focus on information sharing and collaboration in the healthcare sector related to medical device security.
Englert has over 30 years of technical and operational leadership experience in healthcare and life sciences. He was most recently the chief product officer for MedSec, a cybersecurity consulting and services firm that focuses on hospitals and medical device manufacturers. Prior to that, he served as global leader for medical device cybersecurity at Deloitte, where he led client engagements developing medical device security programs.