Cybersecurity Track at eXchange


With 80+ education sessions available for attendees, learning from recognized experts from the health technology field could not be easier at the AAMI eXchange. Cybersecurity and its intersection with healthcare technology management has been one of the most discussed topics of the year. We are thankful to Asimily for sponsoring this year's Cybersecurity track at eXchange, featuring education sessions that will enhance your knowledge of the expanding impact and implications of cybersecurity developments on healthcare delivery. Be sure to stop by Booth 1421 in the eXchange Expo Hall to learn more about all Asimily does to support the HTM community.


Educational sessions in the Cybersecurity track will cover everything ranging from secure device procurement and storage strategies to written resources and automated tools for assessing device vulnerabilities. 

Here is the full session list for the Cybersecurity track:

Saturday, June 17

7:15 AM-7:45 AM

Medical Device Cybersecurity-HTM and IT Security Partnership

Jeff Hooper, PhD, Children's National Hospital

The Children's National Medical Center created a formal program for medical device security. This program addresses the collective goals of the clinical mission and the IT Security initiatives of organizations. To achieve programmatic goals, the Medical Device Cybersecurity Working Group was established. The Medical Device Cybersecurity Working Group is composed of the technology teams from healthcare departments, such as Radiology, Cardiology, Lab, Telemedicine, Pharmacy & HTM, and the nursing leaders. The technology teams include the administration of asset management, security risk assessments, vendor expectations, vulnerability management, and a patch management strategy within the program.

8:00 AM-9:00 AM

Is Your IoMT Incident Response Effective?

Priyanka Upendra, BS, MS, CHTM, AAMIF, Asimily and Ali Youssef, BS, PMP, CISSP, HCISPP, CISM, CPHIMS, CWNE, Henry Ford Health  

Internet of Medical Things (IoMT) cybersecurity is a growing concern in the healthcare industry. The healthcare industry remains the most vulnerable of targets. Healthcare providers are suffering an average loss of $100M due to unexpected security breaches affecting the integrity of patient data, confidentiality of sensitive information, and the availability of critical information systems. This session provides an overview of critical components of incident response as described by IoMT and HTM/CE experts. The session discusses the mechanisms used for proactive detection of suspicious activities, unauthorized vendor and employee access, and forensic analysis. Session speakers provide insights into conducting tabletop exercises with key stakeholders to ensure effective incident response management.

9:15 AM-10:15 AM

Updated: HHS 405(d) Recognized Security Practices-Medical Device Security

Ty Greenhalgh, HCISPP, Medigate by Claroty

The Health Information Technology for Economic and Clinical Health (HITECH) Act was updated in 2021 to provide a “Safe Harbor” for protection against Office for Civil Rights (OCR) violations, to include fines, fees, and post-breach oversight costs. To be considered for protection, Health Delivery Organizations (HDOs) must document compliance with specific recognized security practices, such as the 405(d) Health Industry Cybersecurity Practices (HICP) originally created in 2018 and Medical Device Security practices. As a directive from the 405(d) chair to work with the U.S. Food and Drug Administration (FDA) and the U.S. Department of Health and Human Services (HHS), the speaker is currently updating the Medical Device Security section and best practices approach to compliance. The finalized release of this update is pending for the end of 2022.

From Good to Great: How to Accelerate Your Cybersecurity Program

Andy Ulvenes, MBA, FACHE, First Health Advisory and Gene Winfrey, University Health-San Antonio and Olin Dillard, First Health Advisory

We will discuss why, when, and how to accelerate a medical device cybersecurity program. Every organization has challenges, whether with resources, strategy, or direction. In collaboration with University Health System, we were able to identify limitations to enhance maturity and partnered with First Health Advisory to radically uplift UHS's security posture while integrating people, processes, and technology. Join us as the speaker shares the challenges, how they were overcome, and how collaborating with First Health helped support a business case and map/integrate appropriate technologies to enhance the program.

Sunday, June 18

8:00 AM-9:00 AM

Clarifying Healthcare Cyberattacks: Insight and Actions to Protect Patients

Chad Holmes, BS, Cynerio

Since 2020, the healthcare industry has been impacted significantly by the alarming rate of cyberattacks. With minimal understanding of the full extent of those impacts, patient data is at risk. The Ponemon/Cynerio release of “The Insecurity of Connected Devices in Healthcare” has significantly clarified the cyberattack landscape. From the financial impact to compromised patient care, the report represents the voices of healthcare leaders from 517 hospitals. This talk focuses on report findings, provides critical data, and introduces modern approaches to combat cyberattacks.

4:15 PM-5:15 PM

Building a Cyber-Capable Organization-Making Sure the “Shoe” Fits

Axel Wirth, CPHIMS, CISSP, HCISPP, AAMIF, FHIMSS, MedCrypt and Stephen Grimes, FACCE, FHIMSS, FAIMBE, AAMIF, Strategic Healthcare Technology Assoc.

Hospitals across the world face an increase in cyberattacks that often lead to severe and long-lasting consequences for healthcare organizations. Today's healthcare facilities need to focus on improving their technical and organizational cyber-capabilities and assure the integrity of their medical device ecosystem. But… no two organizations are alike. This session describes how organizations find the right fit based on understanding their risks, capabilities, and resources. The session also reviews common organizational models, offers guidance on how to implement cross-functional touch points, and provides an update on available educational resources and evolving regulations and standards.

Mayo Clinic Best Practices: Streamlining Vulnerability Management in Healthcare

Keith Whitby, Mayo Clinic and Jim Hyman, Ordr Inc.

During the past few years, the frequency of reported vulnerabilities that affect medical devices has significantly increased. There is an increasing urgency to patch vulnerabilities faster, but vulnerability requirements call for a broad strategy. Within an active patient care environment, stopping everything to patch devices is not a viable option. Some medical devices are not available for patching due to FDA regulations. A patch may not be available for devices running outdated operating systems. In this session, Keith Whitby, Section Head, HTM at Mayo Clinic, and Greg Murphy, CEO of Ordr, describe best practices to streamline vulnerability management.


8:00 AM-9:00 AM

Greener Cybersecurity Pastures Ahead: Expectations for Clinical Engineers

Axel Wirth, CPHIMS, CISSP, HCISPP, AAMIF, FHIMSS, MedCrypt and Vidya Murthy, MBA, MedCrypt

In April 2022, the FDA released new Premarket Draft Guidance, revealing the most critical requirements for manufacturers to build secure devices. This session explores what this means for clinical engineers and how the FDA guidance will positively impact devices of the future. How can hospitals prepare their organizations for the shifts necessary and assure that the devices they are buying are indeed more secure? Developing a long-term security strategy will ensure that future devices are secure by design and remain secure throughout the device life cycle. This strategy includes aspects of contracting, security assessments, staff education, and technical security controls.

9:15 AM-10:15 AM

Who Should Lead Medical Device Cybersecurity Management?

James Keller, MS, MedSec and Phillip Englert, Health-ISAC

The two major stakeholders in medical device cybersecurity management are IT and clinical engineering. Both require deep subject matter expertise, often with a higher level of technology focus from IT and greater clinical focus from clinical engineering. Depending on the institution, medical device cybersecurity management could be led by IT, clinical engineering, or a team approach from both groups. This session addresses the advantages and disadvantages of each approach and will, in part, be based on lessons learned from a series of interviews of hospitals on the effectiveness of their medical device cybersecurity program leadership.


Thank you to our sponsor ASIMILY for bringing this important learning to the AAMI eXchange!