By Keri Forsythe-Stephens
With cyber threats growing more sophisticated by the day, healthcare facilities need strong strategies to keep medical devices secure. Yet outdated systems and poor communication continue to plague the industry, says Samantha Jacques, PhD, FACHE, AAMIF, associate vice president of clinical engineering at McLaren Health Care and a member of the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group. In the following Q&A, Jacques shares what’s working, what’s not, and why collaboration—not blame—is the only path forward.
HCB News: How has the threat landscape evolved for connected medical devices, and what vulnerabilities concern you most today?

Samantha Jacques: Unfortunately, the landscape hasn’t changed much on the device/hospital side. Legacy devices still litter the environment, and manufacturers remain behind in developing and releasing medical devices with supported operating systems. Robust patching programs are few and far between. Transparent, consistent, and timely communication between manufacturers and device owners about risks and vulnerabilities is largely nonexistent.
From a broader ecosystem perspective, the threat landscape is worsening. Previously, bad actors would spend months developing their skills and refining their attacks. Now, we’re facing immature, non-technical actors leveraging AI tools to build sophisticated attack vectors—more advanced than we’ve seen—within just two to three days.
We’re also contending with increased coordination among nation-states. Overall, it’s not a pretty picture.
HCB News: As a healthcare technology management (HTM) expert, how can HTM teams best collaborate with IT and cybersecurity to reduce medical device risks?
SJ: First and most importantly: communicate. Most IT and cybersecurity teams are aligned with HTM teams in their shared goal of delivering safe and secure patient care. However, IT and cybersecurity processes—such as governance, risk, and compliance (GRC) assessments, identity management, and patching—are often not well understood by HTM teams.
Likewise, the medical device lifecycle and the limitations on patching and implementing security controls are not well understood by IT and cybersecurity teams. Building a basic understanding of these processes across departmental lines is critical. From there, teams can define hybrid roles, responsibilities, and the input each group can provide to more effectively collaborate on solutions that bridge the gap between departments.
Steven Ford
Software Security Updates
July 07, 2025 12:01
There is no requirement that manufacturers provide an ongoing system to address future security threats that develop on connected devices. So we have CTs and MRIs that are running on Windows XP, and even more modern OSs do not receive updates. This is a huge threat to public safety and security. There are devices in the US running on Windows 2000.