Who Owns IoMT Security? Real-World Examples of Manufactures Overcoming Security Risks @HIMSS24

4  min read | 21/03/2024

Hadas Spektor
Hadas Spektor
Emily Holmquist
Emily Holmquist

As IoMT continues to revolutionize the healthcare industry, the responsibilities surrounding its security become paramount. Our Medical Device Security Technical Lead, Emily Holmquist, analyzes the pivotal role of medical device manufacturers (MDMs) in not only addressing security concerns but also in fostering a culture of proactive risk management within healthcare delivery organizations (HDOs).

Through real-world examples, this talk explores the significance of leveraging IT advancements in IoMT security, emphasizing how technology can not only fortify the resilience of connected medical devices but also enable seamless collaboration between MDMs and HDOs.

This is a comprehensive exploration of the strategies and mechanisms deployed by MDMs, examining how these technologies have become a linchpin in the effective management of security risks within IoMT. This talk offers valuable insights for industry professionals, highlighting the transformative power of strategic partnerships and innovative technologies in ensuring the robust security posture of IoMT systems.


Emily Holmquist: Hi everybody, and welcome. Thank you for joining this discussion today about the ownership of medical device security. This is a discussion between MDMs (medical device manufacturers) and HDOS (health delivery organizations). By the end of this presentation, you’ll have a few examples of how MDMS are working with HDOS to deliver more secure devices and manage risk throughout the entire device life cycle.

I’m Emily Holmquist, an engineer. I’ve been a technical contributor since 2010, right out of college. I joined a small medical device manufacturer and am currently at Sternum, providing medical device manufacturers with the tools and solutions to deliver secure devices.

Who here has not seen or heard this statement? Don’t be shy. It’s OK if you haven’t. This is great. I was prepared for one or two people, but everybody’s heard this. I mean, you’ve seen it here; it’s actually right there. I’ve seen it on lanyards. But the reason I’m bringing this up to start our discussion is because this is our mission. It is our goal. MDMs, and HDOS that unite us. We both want the same thing. Now, how we get there looks a little bit differently, and we have different challenges or burdens like Frodo and The Ring. We’re burdened. It’s hard. It’s hard to do.

When I was working with an MDM as an engineer, it felt like secure design couldn’t be done. It felt like I didn’t have the resources, technology, tools, or business support. That was really frustrating because I wanted to deliver security design, and my colleagues did too. From the HDOS perspective, their hands are tied. They do not design and develop the medical device; they receive it. And so now they’re left with a choice. They can either accept the medical device and its potential security risks, or they cannot accept the device and not have that device delivering care to patients. Both are suboptimal options.

This tension between these parties has led to frustration. I’ve seen it firsthand. For anyone who’s worked in model contracts or negotiations between MDMS, it is a lengthy and sticky, tension-filled process. I’ve actually seen one take over a year, going towards two years, and that just kind of blows my mind. This tension has to change. We have to do something about it now because there’s an urgency. Our critical infrastructure of healthcare is under active attack.

The purpose of discussing these examples is to emphasize the importance of our critical infrastructure. Medical devices are part of that. We know government agencies are responding to this crisis, but medical device security is better than it was five years ago, but there’s still more that we need to do. That’s why the FDA and other agencies have released updated guidance that’s expanded their authority and is requiring manufacturers to do something now.

The good news is there is a solution. There’s a path forward for MDMS, medical device manufacturers, and HDOS collectively, and it’s a combination of process and technology. What feeds this loop is the people aspect, the MDMS, and the HDOS. But today, I’m going to focus on the process and the technology.

Implementing secure design controls into the medical device as early as the conception is crucial. Alongside that are procedural controls. How do we do this? Who owns what? What are the roles and responsibilities? By the end of this presentation, you’ll have some examples of how this solution is working today.

I am a task group member of the Health Sector Coordinating Council. We created a publication called The Model Contracts that defines the ownership and contractual terms, meant to facilitate and ease this process.

On the technology side, where I’m currently at Sternum, we are working with manufacturers, empowering them to implement security design into the medical device from conception and legacy devices as well to proactively mitigate threats by preventing the exploitation of vulnerabilities.

In my first example, in 2020, Medtronic, a secure independent security researcher approached Medtronic and found a vulnerability in a class 3 medical device. Medtronic listened and responded by implementing Sternum’s threat prevention technology, preventing the exploitation of the vulnerability.

In another example, a midsize manufacturer came to Sternum with a legacy device that had significant design flaws. Sternum helped them by implementing runtime SBOM prioritization and runtime protection, proactively preventing threats and mitigating critical vulnerabilities.

These examples show that we’re implementing the solution faster. We’re all friends here, MDMS and HDOS. We want to get along. We all want the same thing, and we can do it together through process and technology. If you want to hear more examples, please reach out to me. Thank you for joining the discussion and have a great rest year.


Enter data to download case study

By submitting this form, you agree to our Privacy Policy.