Jim Jacobson
Chief Product and Solution Security Officer
Siemens Healthcare

 

Jim Jacobson is the Chief Product and Solution Security Officer for Siemens Healthcare. Since 2012, he has been responsible for the global security program for the medical devices and associated IT systems, solutions and services that Siemens Healthcare develops, sells, maintains and supports. He is also responsible for the internal processes that protect the privacy of patient data.

 

Jim will be one of the distinguished speakers at the Medical Device Cybersecurity Risk Mitigation Conference.

 

Why is the Medical Device Cybersecurity Risk Mitigation Conference important to medical device security and manufacturing teams?
As medical device manufacturers, we have an obligation to support our customers in their efforts to secure the healthcare sector of the critical infrastructure. The threats, and the risks they engender, are real. We are confronted with them daily. Cybersecurity is much more than a regulatory issue. Cybersecurity is a component of quality and contributes, ultimately, to patient safety. We must all learn how to improve in this effort to deliver secure medical devices.

 

How has medical device cybersecurity evolved in the last several years?
Healthcare cybersecurity has lagged behind other sectors historically, and this “debt” extends to medical devices that were not designed with cybersecurity in mind. Meanwhile, the threat landscape has only expanded in recent years. The fact that security researchers have been focusing on medical devices recently is a symptom of increased focus in general, including the attention of agents looking to exploit weaknesses in medical devices to gain entry into the healthcare infrastructure. The response to these threats by medical device manufacturers has been uneven. We need to raise the level of maturity of our industry in general to counter this increasing threat, recognizing that we can only do this through a collaboration between device manufacturers, providers, the security research community, regulators and other stakeholders.

 

What initiatives are on the horizon at your organization in 2016?
We don’t comment on future plans.

 

How do you see medical device cybersecurity evolving over the next 5-10 years?
To answer briefly, we don’t know where the next threats will come from. Given that, we have to shore up our cybersecurity programs overall, to strengthen the cybersecurity weak links in the medical device supply chain. We will adapt to the threats, but that is only possible if we design, develop, deliver, install, support and maintain our medical devices securely today. Tomorrow’s flexibility will be built upon today’s strengths.

 

Why is this conference important to you as an industry leader?
We are beyond the point of raising awareness in medical device cybersecurity. We need to raise capabilities, to ensure that medical device developers in companies of every size have the tools, capabilities and knowledge to provide secure products to our customers. This conference is an important step in achieving this goal.

 

If you had to describe medical device cybersecurity in one word, what would it be?
Immature.

 

What topics are you most excited about for the conference program this year?
I’m encouraged that the conference program focuses on the big picture — strategy — while informing on specific activities needed to achieve that strategy. In the first category, establishing a risk assessment strategy and collaborations are addressed, which is very positive. The specific topics of security requirements, vulnerabilities and intrusions along with coverage of cloud and web issues are encouraging.

 

What are the “key takeaways” for your presentation/panel discussion?
Overcoming the legacy debt of medical device cybersecurity requires careful, measured decisions. While there is a cost to all stakeholders for the historical lack of focus on the security of medical devices, the industry will be best served by avoiding the blame game. Instead we must concentrate on realistic, concrete measures and strategies. We can’t boil the medical device Cybersecurity Ocean, but we can make it a comfortable place to swim.