Mayo Clinic’s Kevin McDonald on Improving Security in Healthcare

Dec 8, 2017
Nikki McDonald


Given the increase in ransomware attacks over the past year, healthcare organizations are making medical device security a top priority. At this year’s Medical Device Security 101 Conference, attendees will learn how to identify their biggest security challenges and develop solutions to protect their data and their patients.

In this interview with conference co-chair Kevin McDonald, Director of Clinical Information Security at Mayo Clinic, Kevin talks about what healthcare providers can learn by attending the conference, the biggest security challenges facing healthcare today, and the two things healthcare providers can do right now to improve security and protect patients.

As co-chair of the Archimedes event, why did you decide to support Archimedes and this conference?

At Mayo Clinic our primary value is, “the needs of the patient come first” and our involvement in Archimedes helps us support this by improving the security and safety of medical devices. We also feel that we have a responsibility to be a leader in healthcare, understanding that not all healthcare providers have the time and resources to be able to focus on medical device security. By supporting Archimedes and the conference, we are hoping we can provide a place where other institutions can learn and get tools to implement their own medical device security programs.

Why should healthcare delivery people attend? What makes this conference different from the other security conferences?

This conference is exclusively on medical device security so it allows attendees to focus on one of the most critical security problems today. It is a great way to get a lot of information in a short time and to be able to have access to many experts. This conference also lets you get information and network with your peers and experts and make contacts that you’ll use in the future.

What do you think is the biggest concern and risk for healthcare delivery organizations regarding medical device security today?

I think the greatest concern is that many of these devices are vulnerable to common malware and ransomware. Since it is hard to collect and track the software and configurations, it also makes it difficult to determine your overall risk.

What are the top two or three security changes healthcare delivery organizations can make to reduce the risk to medical devices?

There are two paths that healthcare delivery organizations need to take. One is to implement processes where new devices are assessed and held to simple, but effective, security standards. The second change is to risk assess your institution’s legacy devices and determine what mitigations you can put in place to lower your risk.

What examples can you offer on how healthcare delivery organizations can work with medical device manufacturers to improve device security?

All HDOs need to provide feedback to vendors on their security needs and what their standards are. You need to provide your vendors with the risks that these devices have to your patients and patient care processes and give directions on how the risks can be mitigated. In the end, everyone needs to work toward a common goal of secure and safe patient care.

At the Archimedes Medical Device Security 101 Conference coming up in January, Mayo Clinic Security Engineer Fotis Chantzis and Mayo Clinic Principal Security Engineer Denis Foo Kune will be presenting and leading discussions. Can you briefly summarize what they will be speaking about?

Fotis has a master’s degree in computer engineering and information and will be speaking about common vulnerabilities and mitigation approaches. Fotis’s primary role at Mayo Clinic is performing vulnerability and penetration testing of medical devices. He brings several years of experience and deep technical expertise to the conference. Fotis will also be available during a “meet the expert” session.

Denis has a Ph.D. in computer science and has broad experience in medical device security and identity and access management. He will be talking from a security engineer’s perspective about the impact of clinical leadership on security and how to move beyond the tension of clinical needs vs. security.


The Archimedes Medical Device Security 101 Conference takes place January 15-17, 2018 in Orlando, Florida. Register today for your opportunity to learn from the industry’s leading security researchers and practitioners.