Steven Abrahamson
Director, Product Security Programs
GE Healthcare


Steven has experienced change agent in Medical Device Security, Quality Management Systems, and Lean Six Sigma process improvement. He is a certified Six Sigma Black Belt and Master Black Belt. He has leadership roles in Engineering, Service, Manufacturing. Supply Chain, and Compliance functions.


Steven will be one of the distinguished speakers at the Medical Device Cybersecurity Risk Mitigation Conference.


Why is the Medical Device Cybersecurity Risk Mitigation Conference important to medical device security and manufacturing teams?
Medical device security risk is a growing concern for medical device manufacturers and medical device users. Both manufacturers and Health Delivery Orgs (HDOs) must understand how to assess risk and apply appropriate remediation or mitigations. Manufacturers must recognize that both regulators and customers are very interested in this. Traditional “marketing” approaches no longer work, we must all recognize that security user needs are becoming as important as clinical user needs within devices. Furthermore, the risk goes across several over-lapping risk domains, including patient safety within intended uses, privacy protection, and other risks associated with deliberate malicious misuse. We must learn to assess and address all these types of risks within a holistic security process that is based not on compliance, but on real risk reduction for patients.


How has medical device cybersecurity evolved in the last several years?
I can see several significant changes in medical device cyber security over the last several years. One observation is that medical device security risk view is migrating from a focus on data protection to a focus on patient safety, and this provides further incentive to recognize multiple risk domains within our security risk management processes. Another observation, at a more practical level, is that many Health Delivery Orgs are now including some level of security assessment within their procurement process, and manufactures need to anticipate not only the need to implement security controls within their products, but also the need to provide usable information on security features and risks.


How do you see medical device cybersecurity evolving over the next 5-10 years?
I can see several trends in medical device cybersecurity. One is the growth in standards and frameworks. This will be a double-edged sword. On the one side, this will help drive some consistency in security risk management. On the other side, this can drive a compliance-oriented approach which can dilute true risk management. Another trend is growing involvement by regulators, although I am optimistic here since FDA has been very collaborative in looking for an approach that will help drive all manufacturers toward implementing some defined process for security risk management.


Why is this conference important to you as an industry leader?
It is important for the industry, and the health care ecosystem in general, to look for collaborative solutions to security risks. No one entity alone can solve this challenge. The only way the risk will be reduced at the patient-level will be if we do better as an industry. Any opportunity to collaborate, share information, and learn from one another, will help further this goal.