
Nov 19 2025
Security

CHIME25: Healthcare IT Leaders Rethink Device Security, Governance and Risk Management

Experts shared their insights on how to increase security maturity and improve security culture.

Healthcare organizations know what’s at stake if they are faced with a successful ransomware attack: downtime, loss of data and loss of patient trust, in addition to potential impact on patient outcomes or even closure — and that’s after paying the ransom. Security leaders are aware of the threats and bad actors out there, but cryptocurrency payments are making it more difficult to trace the source of attacks. These factors are why healthcare organizations must take prevention and resilience seriously.

At the 2025 CHIME Fall Forum in San Antonio, healthcare security experts discussed tips for how to secure medical devices and Internet of Medical Things devices to create a strong security posture to withstand growing threats powered by artificial intelligence. They also discussed why governance and risk management are critical for a robust security program.


How to Keep Medical and IoT Devices Secure in Healthcare

During the pandemic, many healthcare workloads became remote, and organizations were forced to extend their networks, increasing health systems’ attack surface. Some of the workloads have stayed remote, and with new tools such as generative AI entering the landscape, maintaining a secure environment is becoming trickier.

“With generative AI, you can ask for a guacamole recipe as easily as you can upload patient data,” said Ravi Monga, CISO for healthcare at Zscaler. “The threat landscape is changing and evolving.”

Ismelda Garza, CIO of Cuero Regional Hospital in Cuero, Texas, explained that she learned early in her career that people are the hardest part of the job. Being able to educate people about security best practices — from the board and leadership to nurses, clinicians and physicians — is critical to preventing successful attacks.

However, Monga said, one problem he often sees is that education only flows one way. IT reports on risk to the CIO, and the CIO reports it to the board, but that information doesn’t flow down to clinical staff.


“That bridge needs to be built, and clinicians need to be part of the conversation,” he said.

Medical devices and Internet of Things devices play a big part in the risk equation. Laptops, servers, desktops and nearly all IT devices are protected with robust security software, but medical devices are more difficult to protect. Some may have been created by businesses that went out of business over a decade ago. If patches are available, biomedical teams may not be ready to push a patch and face downtime, according to Monga.

Monga said to think of a hospital as a house: Attackers will come to the front door, see there’s adequate protection and will find a less protected entrance to use. Devices such as infusion pumps and smart TVs are often not protected or patched, providing an easy entryway for attackers. Taking those devices offline usually isn’t an option since clinicians need their information. As a result, those vulnerable devices give access to bad actors, who can sit in an organization’s network undetected until the right opportunity presents itself.


Attackers used to unlock data once the ransom was paid, but now they steal data, log in to systems and threaten to release data to patients in a three-pronged attack.

“You need to prevent this at the very first stage,” said Monga. “One way is to start at procurement.”

He explained that security assessments shouldn’t just be for existing devices; a procurement assessment should be built into the process. Monga recommended that organizations ask vendors to provide a software bill of materials so the IT team knows the software and components of each device.

“If you have the SBOM, then you know what’s at risk,” he added.
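As an added illustration of the procurement point above (example code, not from the article or any vendor), this script reads a constructed CycloneDX-style SBOM for a hypothetical infusion pump, matches its components against a constructed advisory list with placeholder identifiers, and separately reports components whose version the SBOM omits, since those cannot be assessed at all.

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical infusion pump firmware
# (example data, not from any real vendor).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"name": "infusion-pump-fw", "version": "4.2.1"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "1.0.2u"},
    {"type": "library", "name": "busybox", "version": "1.31.1"},
    {"type": "library", "name": "lwip",    "version": "2.1.2"},
    {"type": "library", "name": "legacy-ui-lib"}
  ]
}"""

# Constructed advisory list: which versions of each component are affected.
# Advisory IDs are placeholders, not real CVE numbers.
KNOWN_ISSUES = {
    "openssl": {"affected": {"1.0.2u"}, "advisory": "ADV-PLACEHOLDER-1", "severity": "high"},
    "lwip":    {"affected": {"2.1.2"},  "advisory": "ADV-PLACEHOLDER-2", "severity": "medium"},
}

def parse_sbom(sbom_text):
    """Return the device name and a list of (component name, version-or-None)."""
    sbom = json.loads(sbom_text)
    device = sbom["metadata"]["component"]["name"]
    comps = [(c["name"], c.get("version")) for c in sbom.get("components", [])]
    return device, comps

def assess(components, issues):
    """Split components into affected hits and ones that cannot be assessed.

    A component with no version in the SBOM is reported separately: an SBOM
    that omits versions does not tell you what is at risk, which is worth
    pushing back on at procurement time.
    """
    hits, unassessable = [], []
    for name, version in components:
        if version is None:
            unassessable.append(name)
            continue
        issue = issues.get(name)
        if issue and version in issue["affected"]:
            hits.append((name, version, issue["advisory"], issue["severity"]))
    return hits, unassessable

def report(sbom_text, issues=KNOWN_ISSUES):
    """Assess one device's SBOM and return a summary dict."""
    device, comps = parse_sbom(sbom_text)
    hits, unassessable = assess(comps, issues)
    return {"device": device, "at_risk": hits, "unassessable": unassessable}

if __name__ == "__main__":
    print(json.dumps(report(SBOM_JSON), indent=2))
```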

Microsegmentation is another important tactic healthcare organizations can use to protect their environments from the risk created by vulnerable devices. Having visibility into the devices and the ability to monitor traffic patterns is necessary for detecting unusual activity.
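To make the monitoring half of that tactic concrete, here is an added example (not from the article) that checks constructed flow records against a constructed per-segment allow-list: infusion pumps may only reach their management server and NTP, smart TVs only their content server, and any connection initiated into a device segment from outside is flagged. All addresses and device classes are assumed example values.

```python
from ipaddress import ip_address, ip_network

# Constructed segmentation policy: each device class may initiate traffic only
# to the listed destination networks and ports. Addresses are example values.
POLICY = {
    "infusion-pump": {
        "segment": ip_network("10.40.0.0/24"),
        "allowed": [(ip_network("10.10.5.0/24"), 443),    # pump management server
                    (ip_network("10.10.7.10/32"), 123)],  # NTP
    },
    "smart-tv": {
        "segment": ip_network("10.50.0.0/24"),
        "allowed": [(ip_network("10.10.9.0/24"), 80)],    # content server
    },
}

# Constructed flow records (initiator, responder, dst_port), in the shape a
# firewall or NetFlow collector might export them.
FLOWS = [
    ("10.40.0.17", "10.10.5.20", 443),
    ("10.40.0.17", "10.10.7.10", 123),
    ("10.40.0.23", "10.20.3.44", 445),   # pump -> workstation SMB: not allowed
    ("10.50.0.5",  "10.10.9.3", 80),
    ("10.50.0.5",  "203.0.113.9", 443),  # TV -> external address: not allowed
    ("10.20.3.44", "10.40.0.23", 22),    # inbound SSH initiated toward a pump
]

def device_class(addr, policy=POLICY):
    """Return the device class whose segment contains addr, or None."""
    ip = ip_address(addr)
    for name, rule in policy.items():
        if ip in rule["segment"]:
            return name
    return None

def is_allowed(cls, dst, port, policy=POLICY):
    """True if a device of class cls may initiate traffic to dst:port."""
    dst_ip = ip_address(dst)
    return any(dst_ip in net and port == p for net, p in policy[cls]["allowed"])

def find_violations(flows, policy=POLICY):
    """Flag egress outside a segment's allow-list and any flow initiated into
    a device segment from outside it (this constructed policy treats all
    inbound initiation toward devices as unexpected)."""
    violations = []
    for src, dst, port in flows:
        src_cls, dst_cls = device_class(src, policy), device_class(dst, policy)
        if src_cls and not is_allowed(src_cls, dst, port, policy):
            violations.append(("egress", src_cls, src, dst, port))
        elif dst_cls and not src_cls:
            violations.append(("ingress", dst_cls, src, dst, port))
    return violations
```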

Tips for Governance and Risk Management Success in Healthcare

The investment in and function of governance, risk and compliance are the underpinning of zero harm in a healthcare organization, according to Jim Feen, senior vice president and chief digital and information officer at Southcoast Health, a health system with locations in Massachusetts and Rhode Island.

The organization decentralized its governance structure from traditional IT and instead created several contributing committees that influence Southcoast’s cyber risk agenda. These committees report to the cyber risk oversight committee. Feen said that a major reason for the restructuring is to embed conversations across the organization rather than leaving people siloed.

“We want to meet administrations, physicians and clinicians where they are rather than have a single-channel lens on IT risk and governance,” he explained.


“It’s good to have more people involved in the conversation,” added Matthew Shaw, CISO for Southcoast Health. He said it’s important to have representatives from different departments: “Their support helps us to improve our maturity and get us to where we want to be. It’s not perfect though. Everything takes time. Part of that process is decentralizing and communicating to all of the committees so people are aware of important information.”

One way the organization has improved its maturity is to take insights from the banking and finance industry, which has stricter compliance rigor and risk management practices. Shaw worked in the banking industry for 30 years before joining the healthcare industry.

Rather than relying on tabletop exercises and phishing tests, the organization actually does downtime resiliency testing. Feen explained that Southcoast will take Epic down on a Wednesday morning to test resiliency.


Shaw has also helped the organization to change its approach to third-party risk management. Southcoast does risk assessments on new vendors and will require remediation if necessary. The organization also defined its risk exceptions.

“We implemented a process of explaining risk to leaders and bringing them into risk exception decisions,” he said. “If a vendor goes to exception, we set deadlines and timelines and we monitor them. We review those exceptions with the cyber risk oversight committee. If a vendor is on our vendor watch list, we make sure they’re meeting our remediation recommendations.”

He said that while some vendors had never been asked for security remediation before, they’ve gotten used to it over the years, and the organization struggles with the process less and less.

Keep this page bookmarked for our coverage of the 2025 CHIME Fall Forum. Follow us on X at @HealthTechMag and join the conversation at #CHIME25.

AnnaStills/Getty Images