In recent months it seems that not a week passes without a headline stating that a healthcare organization has been held for ransom or otherwise involved in a breach. Healthcare has routinely been described as lax in the implementation and enforcement of information security controls, and the challenges faced by healthcare organizations are growing as attackers begin to look past EHR and PACS systems and target the medical devices within them. That older but still very functional computerized medical supply cabinet, installed to improve the efficiency of operations, can now be seen as a liability: its aging, unpatched control node may contain hundreds of unpatched vulnerabilities, vulnerabilities that malware such as MEDJACK can use to compromise the device and turn it into a staging ground for attacks against other hospital systems.

In some cases, however, the risk goes beyond a breach vector and can directly impact human life. What if an infusion pump's dosage were illegitimately changed, or a pacemaker's programming made malicious? What if BrickerBot took out a surgical robot or a heart monitor at a critical moment? These issues could readily give a whole new meaning to the term Denial of Service and cannot be ignored. While the FDA recently issued guidance for the manufacturers of such devices, secure deployment is just as critical, since all of the security features in the world are useless if no one turns them on or if they are configured improperly.

This presentation will discuss the OWASP Secure Medical Device Deployment Standard and the requisite methods that can be used to securely deploy medical devices, both to help prevent their compromise and to mitigate the damage should a successful compromise occur.
Source: https://www.youtube.com/watch?v=ODiZc04CzgE
Uploader: DEFCONConference