The cybersecurity policies that could strengthen the future of American healthcare

TRIMEDX Senior Vice President of Cybersecurity Scott Trevino recently contributed an article to 24x7 Magazine about the policies the Trump administration and new Congress should put in place to protect the U.S. healthcare system from cyberattacks. The full article, as it appeared on Feb. 11, 2025, is below.

Summary:

As cyberattacks on healthcare systems continue to rise, Scott Trevino, senior vice president of cybersecurity at TRIMEDX, argues that stronger policies are needed to protect critical infrastructure and patient safety. He highlights the fragmented nature of the US healthcare system as a key cybersecurity challenge, requiring a coordinated policy response. Trevino calls for Right to Repair legislation to allow hospitals and independent service organizations to service medical devices without manufacturer restrictions, expanded regulations to ensure cybersecurity protections apply to both new and existing devices, and targeted funding to help rural hospitals strengthen their defenses. Without action, he warns that health systems remain vulnerable to ransomware attacks, service disruptions, and compromised patient care.

Key Takeaways:

  1. Right to Repair policies could improve medical device security, Trevino argues, by giving hospitals and service providers access to repair tools and software updates, reducing cybersecurity risks.
  2. Current cybersecurity regulations do not fully address vulnerabilities in existing medical devices, prompting Trevino to call for broader manufacturer requirements to provide security patches.
  3. Rural hospitals face greater cybersecurity risks due to limited resources, with Trevino recommending targeted federal funding to help strengthen protections.

As the next presidential administration and a new Congress take office, healthcare cybersecurity should be a top priority. The healthcare sector is increasingly targeted in cyberattacks—putting critical infrastructure and patient safety at risk. 

As healthcare organizations around the world confront nearly 2,000 cyberattacks every week, hospitals are facing mounting challenges in maintaining the cyber hygiene of medical devices to address known risks to health system networks.

Why healthcare cybersecurity matters

The healthcare industry is highly vulnerable and extremely lucrative for cybercriminals, making it the number one target for cyberattacks. It is also the least mature of all critical infrastructure sectors in terms of cybersecurity. Ransomware attacks on hospitals can shut down facilities, delay life-saving treatment, reroute patients to less equipped hospitals, and jeopardize patient outcomes. These attacks can also have a devastating financial and reputational impact on health systems.

The US healthcare system presents unique vulnerabilities. The American system consists of fragmented, independently managed entities, rather than more centralized or national health systems seen in many other countries. While other countries wield the power of the government when guarding against cyber threats, the lack of uniformity in the US complicates cybersecurity efforts. Strengthening our cybersecurity posture requires a unified strategy, funding, and focused regulations that account for the complexity of medical devices.

Through meaningful cybersecurity policies, the 119th Congress and the Trump administration have an opportunity to make significant progress in strengthening the future of American health care and protecting patients. 

Right to Repair: A crucial component of cybersecurity

Right to Repair is an essential part of medical device cybersecurity. The principle of Right to Repair ensures health systems have access to the tools, training, and resources needed to repair and update medical devices. It encourages healthcare organizations, service providers, and original equipment manufacturers (OEMs) to work openly and collaboratively. This benefits patients by ensuring they have timely access to care while decreasing costs and improving cybersecurity.

Ensuring independent service organizations (ISOs) have access to service materials allows health systems to quickly secure devices and close critical gaps in their cyber defenses. When ISOs or qualified third parties are not able to act independently to address vulnerabilities with software updates, patches, or compensating controls, healthcare providers and patients can face delays in critical device availability and subsequent care.

By enacting Right to Repair legislation, lawmakers and the Trump administration can empower health systems to protect themselves and their patients from the growing number of urgent cyber threats.   

Building on existing cybersecurity efforts

Policymakers should also build upon recent legislative and regulatory efforts to enhance medical device cybersecurity. In 2023, the Consolidated Appropriations Act (the omnibus bill) introduced important policies, including the requirement that manufacturers provide a detailed breakdown of the software in their devices and provisions requiring OEMs to provide patches to remediate vulnerabilities on new devices.

While these measures are a step in the right direction, they fall short of addressing the full scope of the problem. Policymakers should expand these requirements to cover existing devices and establish clear mandates for OEMs to provide patches and remediation solutions for known vulnerabilities.

Supporting rural health care

Rural healthcare providers face unique challenges in cybersecurity, with fewer resources, smaller IT teams, and limited budgets. These organizations can struggle to implement the people, processes, and technologies needed to defend against cyber threats. For many rural hospitals, unfunded mandates requiring more cybersecurity measures are unattainable without additional support.

In addition to imposing requirements, lawmakers should provide targeted funding to help rural healthcare systems acquire the necessary tools and expertise to protect themselves, their patients, and their communities. Ensuring rural health systems are equipped and prepared for cyberattacks will help ensure equitable protection across the healthcare industry.

A multi-pronged approach

Neither Congress, the executive branch, nor the private sector can fully address medical device cybersecurity concerns on its own. These efforts require a comprehensive strategy and a multi-faceted approach.

This approach should include:

  • New limited, but impactful, laws and regulations that expand cybersecurity requirements for medical devices and health systems, ensure timely patch distribution, and empower healthcare providers through Right to Repair policies.
  • The allocation of federal resources and funding to help healthcare organizations, particularly rural providers, invest in cybersecurity solutions and workforce development to achieve compliance with legislative and regulatory requirements.
  • The strengthening and expansion of regulations to enable OEMs and health systems to bolster their cyber defenses, while also holding them accountable for device security.
  • Collaboration and public-private partnerships to defend healthcare infrastructure.

Medical device cybersecurity has real-world consequences for patients, providers, and the future of American health care. Cyberattacks disrupt critical services, delay life-saving care, and put sensitive patient data at risk. Inaction will only exacerbate the problem, leaving health systems and patients exposed. Our country’s leaders have an opportunity to lead on this critical issue. Protecting the healthcare sector is a matter of public health, patient safety, and national security.