Tips for Vetting Medical Device Makers on Security Issues
Consultant Kim Hirsch on How to Assess Cyber Risks
Healthcare organizations must carefully vet their medical device suppliers to scrutinize how they're handling the security of legacy products and the lifecycle design of new devices, says consultant Kim Hirsch of Fusion Risk Management.
"You've got to be proactive - don't wait for manufacturers to come to you - reach out to them to find out what they're doing about IT security threats, and if you don't like the answer, use your leverage as a buyer to pressure them to do the right thing," Hirsch says in an interview with Information Security Media Group.
"Remember, you can't outsource risk. You might think you can blame a third party if a problem arises, but it's not that simple," she stresses.
For instance, if there's a safety problem linked to a security issue with a medical device, "consumers are going to assign blame - and probably litigation - to everyone involved," she notes. "Security is a co-responsibility between you and your partners."
Big Picture Risks
When deciding which new devices to acquire, Hirsch says, organizations should be "partnering with manufacturers that are considering cybersecurity during the design phase of the medical device lifecycle." Vendors that take a proactive, risk-based approach will "fare better over time and be better partners to you through the device lifecycle," she adds.
In the interview, Hirsch also discusses:
- Other vendor security risk management considerations;
- Issues involving cyber insurance and ransomware attacks;
- Common areas of "complacency" around security risk management that can create even more added risk for healthcare organizations.
In her role as advisory team lead at consulting and software firm Fusion Risk Management, Hirsch oversees a group that provides subject matter expertise to help plan, implement and exercise enterprise business continuity, disaster recovery, crisis management and operational risk strategies and vendor management programs. She has nearly 20 years of experience as a business continuity and crisis management practitioner at Fortune 100 companies. Most recently, she was the crisis response manager at Ameriprise Financial, and prior to that was the senior business partner for global continuity and resilience at Target Corp.