Legacy applications and medical devices continue to present significant risks to healthcare IT environments, with many organizations unaware of the extent of their presence, according to Keith Fricke, partner and principal consultant at tw-Security. In an interview with Information Security Media Group at the Healthcare Information and Management Systems Society 2025 conference in Las Vegas, Fricke emphasized the importance of taking proactive steps to address these issues.
One key recommendation Fricke stressed was for healthcare entities to review any manufacturer disclosure statements (MDS) released by vendors, which outline the security profile of the devices and provide information on migration paths to more secure versions. Understanding the security controls of these devices and planning for upgrades can help mitigate potential vulnerabilities.
Furthermore, Fricke advised organizations to segment legacy products on their networks whenever possible. This approach can help isolate and protect these devices from potential threats, reducing the overall attack surface within the network. When introducing new products into their environments, healthcare providers should establish clear evaluation protocols to ensure that security considerations are prioritized from the outset.
Reflecting on recent cybersecurity incidents in the healthcare sector, such as the Change Healthcare ransomware attack and data breach affecting 190 million individuals, Fricke highlighted key lessons that organizations can learn from these events. He also underscored the need for improved governance around the use of artificial intelligence in healthcare, pointing to the emerging challenges and complexities in this area.
As a virtual Chief Information Security Officer (CISO) and cybersecurity advisor, Fricke brings over 35 years of IT experience to his role at tw-Security, with a specific focus on healthcare information security. Having previously served as CISO at Mercy Health, Fricke has a deep understanding of the strategic and tactical initiatives necessary to enhance cybersecurity posture in healthcare settings.
Looking ahead, Fricke emphasized the ongoing importance of addressing critical cybersecurity and privacy issues in the healthcare sector. By staying vigilant and implementing best practices, organizations can better safeguard their IT environments and protect sensitive patient data from potential threats. In an ever-evolving threat landscape, proactive measures and strategic planning are essential to maintaining the security and integrity of healthcare systems.