Securing Medical Devices and IoT: Safeguarding the Digital Edge
Connected devices, from infusion pumps and telemetry equipment to the smart TVs in patient rooms, are now essential to care delivery. But each device can also become an open door for cyber criminals. In this success story session, healthcare leaders reveal how they confronted the unique security challenges of medical devices and IoT across diverse healthcare settings, including rural environments, where limited budgets and resources require creativity and innovation. The conversation explored real-world strategies, from staff engagement and board education to segmentation and Zero Trust models, all while grounding the discussion in today’s evolving threat landscape.
Speakers
- Ismelda Garza – CIO, Cuero Regional Health Care (49-bed rural hospital, Texas)
- Ravi Monga – Healthcare CISO, Zscaler; former CISO at St. Luke’s & Children’s Mercy
Rural Healthcare Challenges
- Limited budgets, small teams, staff wearing multiple hats.
- Strong community ties drive resilience and innovation.
- IT is now inseparable from patient care (IV pumps, monitors, telemedicine).
- Infrastructure upgrades (organized wiring closets, color-coded systems) improved staff confidence and reliability.
Cybersecurity Threat Landscape
- Ransomware evolution: Bitcoin enabled anonymous payments; healthcare records became lucrative ($500 vs. $50 for personal data).
- COVID remote work expanded attack surfaces.
- Generative AI risks: misuse of patient data.
- Medical devices & IoT vulnerabilities: often unpatchable, legacy protocols, easy entry points.
- Detection gap: intrusions remain undetected for ~181 days.
- Modern attacks are three-pronged: data theft, system hijack, reputational threats.
Key Strategies
- Education & communication: Must reach all levels — board, leadership, clinicians.
- Procurement-based security: Require software bill of materials (SBOM) for new devices.
- Segmentation & micro-segmentation: Limit device and traffic access to reduce attack spread.
- Zero Trust principles: Verify “who, where, why” for device communications; contain abnormal traffic.
- Partnerships: Rural hospitals rely on external expertise to bridge technical gaps.
Cybersecurity in healthcare is inseparable from patient safety, and this is especially true for rural hospitals that often operate with limited budgets and lean teams. Despite these constraints, resilience can be strengthened through several key strategies. First, embedding security into procurement ensures that new medical devices and IoT systems are vetted for vulnerabilities before they ever enter the network. Second, educating across the organization, from board members to clinicians, builds a culture of awareness and accountability, making cybersecurity a shared responsibility. Third, implementing segmentation and Zero Trust principles helps contain threats by limiting device and traffic access to only what is necessary, reducing the risk of lateral movement within systems. Finally, partnering with external experts provides rural hospitals with the technical depth they may lack internally, bridging gaps in skill and resources.
The bottom line is clear: protecting medical devices and IoT is not optional. It is essential to safeguarding patients, preserving data integrity, and maintaining trust in healthcare delivery.