CISOs and CIOs know all about closing holes to keep cybercriminals from breaking into their networks. One of the largest and most persistent sources of such holes is medical devices, which are innumerable in hospitals and health systems.
Provider organizations have been at the mercy of medical device manufacturers and their security practices. This has long been a source of frustration: many devices are designed and built with little attention to security, and IT has limited ability to fix newly discovered security issues itself.
Healthcare IT News spoke with Samuel Hill, Product Marketing Director at Medigate, a healthcare cybersecurity and asset management company, about medical device security issues, leveraging purchasing power with medical device manufacturers, and buying lower-risk devices.
Q. Why is medical device security such a big issue?
A. So many devices connect to the healthcare network that the resulting environment is volatile and dynamic. As devices move and connection points change, security policies need to be agile enough to have a consistent effect regardless of how and where devices connect.
A serious threat is that a compromised device adversely affects the patient. The combination of inadequate device security and inadequate device management is the central device security problem we see today. Neither outcome is acceptable, whether the effect is theft of patient data or disruption of care.
Medical devices are not inherently secure. Some progress has been made recently in this area, but most healthcare organizations still have thousands of risky medical devices. Known vulnerabilities can take years to receive a software patch. Healthcare organizations should use compensating controls to keep devices with known problems from being weaponized by malicious actors against the organization or its patients.
Gaps in knowledge about devices and how they are used create additional challenges. An effective, prescriptive security policy is not possible without a clear understanding of what is connecting to the network. Unfortunately, many healthcare organizations do not have detailed knowledge of their connected and unconnected devices, so it is nearly impossible to protect them.
Q. The large amount of money that healthcare provider organizations spend on medical devices each year should give them enormous purchasing power. Do providers know enough about their devices, how they are used and how they are secured, to harness that purchasing power in negotiations?
A. Healthcare organizations typically use their purchasing power to negotiate better pricing across a range of devices. This is necessary and good, but it may not take into account the opportunity costs and risks associated with device security. With more information about a particular device and the fleet it belongs to, healthcare organizations can look at general trends and let them inform their purchasing decisions.
One of the key trends to note is device fleet utilization. On average, IV pumps are idle approximately 58% of the time; more efficient use of existing equipment reduces the need for additional purchases.
Utilization of different models of the same device type may also reveal the preferences of frontline staff. Consolidating on fewer device models based on frontline preferences improves efficiency and increases the purchasing power of the entire healthcare organization.
Another trend to watch is the number and severity of known vulnerabilities and exploits for a particular device. I would argue that one of the more powerful ways healthcare organizations can use their purchasing power for the benefit of the organization is to choose more secure devices.
This financial pressure on device manufacturers will hopefully drive a higher level of security for the device from the beginning.
Q. You said provider organizations should choose to buy lower-risk devices. How can an organization go about doing this?
A. It is difficult to choose a more secure device without knowing what affects a device's overall security. It is important to put the right information in the right places to influence the decision-making process. By doing the basic work of collecting accurate information about the devices already on the network and the devices under consideration, healthcare organizations can make better decisions.
In addition to reviewing the MDS2 form for each device, understanding known CVEs or recalls can guide long-term investment strategies. While each of these data points is useful, healthcare providers need to take additional steps to capture this information for use in the decision-making process.
An example is whether a device can be patched. Some manufacturers require their own technicians to apply software or firmware patches, which can take a long time. Knowing this, healthcare organizations can plan for that delay, or purchase devices that allow third parties or the organization's own team to apply patches themselves.
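As an added illustration of how those data points (MDS2 answers on who may patch, known CVEs, recalls and observed patch lag) can be folded into a single per-model number that both purchasing and security teams can read, here is example code written for this page. It is not Medigate's software and not something the interview describes; the vendors, models, unit counts, CVSS scores, patch lags and recall counts are constructed, and the weighting scheme is a hypothetical starting point that an organization would tune to its own risk appetite.

```python
"""Constructed procurement-risk comparison for a medical device fleet.

Added example for this page, not Medigate's software or anything from the
interview. All inventory data below is made up; the weights are hypothetical.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class DeviceModel:
    vendor: str
    model: str
    count: int                   # units of this model in the fleet
    cvss_scores: List[float]     # CVSS v3 base scores of known CVEs (constructed)
    vendor_only_patching: bool   # MDS2-style answer: only vendor technicians may patch
    patch_lag_days: int          # observed/expected days from disclosure to patch
    recalls: int                 # security-relevant recalls on record


# Constructed inventory with hypothetical vendors and models.
FLEET = [
    DeviceModel("PumpCo", "IV-1000", 400, [9.8, 7.5, 5.3], True, 540, 1),
    DeviceModel("InfuseInc", "Smart-200", 150, [6.5], False, 60, 0),
    DeviceModel("VitalsCo", "Mon-7", 50, [], False, 30, 0),
]


def vuln_score(d: DeviceModel) -> float:
    """Worst known CVE dominates; each additional CVE adds 0.2, total capped at 10."""
    if not d.cvss_scores:
        return 0.0
    extra = min(0.2 * (len(d.cvss_scores) - 1), 2.0)
    return min(10.0, max(d.cvss_scores) + extra)


def patch_factor(d: DeviceModel) -> float:
    """Multiplier for how long a known CVE stays exploitable in the field."""
    lag = 2.0 if d.patch_lag_days > 365 else 1.5 if d.patch_lag_days > 90 else 1.0
    who = 1.5 if d.vendor_only_patching else 1.0
    return lag * who


def risk_score(d: DeviceModel) -> float:
    """Per-unit risk: the exposure window scales the vulnerability score; each recall adds 2."""
    return round(vuln_score(d) * patch_factor(d) + 2.0 * d.recalls, 1)


def fleet_exposure(d: DeviceModel) -> float:
    """Risk the organization actually carries: per-unit score times units deployed."""
    return round(risk_score(d) * d.count, 1)


def needs_compensating_controls(d: DeviceModel) -> bool:
    """A high or critical CVE that cannot be patched promptly in-house needs segmentation
    or other compensating controls until the vendor delivers a fix."""
    has_high = any(s >= 7.0 for s in d.cvss_scores)
    slow_fix = d.vendor_only_patching or d.patch_lag_days > 90
    return has_high and slow_fix


def rank_models(models: List[DeviceModel]) -> List[DeviceModel]:
    """Highest fleet exposure first: the models to raise with the vendor or replace."""
    return sorted(models, key=fleet_exposure, reverse=True)


if __name__ == "__main__":
    for d in rank_models(FLEET):
        flag = "COMPENSATE" if needs_compensating_controls(d) else "ok"
        print(f"{d.vendor:10} {d.model:10} units={d.count:4} "
              f"per-unit={risk_score(d):5.1f} fleet={fleet_exposure(d):8.1f} {flag}")
```

The point of the structure, rather than the particular weights, is that the MDS2 answer on who may patch and the observed patch lag multiply the vulnerability score instead of sitting in a separate spreadsheet, and that per-unit risk is then multiplied by deployed units. A widely deployed model with a slow, vendor-only patch process therefore surfaces at the top of the list both for the compensating-controls conversation today and for the next purchase negotiation.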
Q. What is the most important advice on this issue you would give to CISOs, CIOs and other healthcare IT leaders?
A. One of my favorite definitions of leadership comes from Ronald Heifetz. He broadly defines leadership as mobilizing a group of people to deal with difficult challenges and ultimately win.
This definition also applies to healthcare, where the need for security is well defined but challenges remain. It is time for those who are willing to lead to have intense conversations with people, including device makers, who may not want to follow the logical and proven security direction you are setting.
The people engaged in this journey include internal teams and external partners, device manufacturers among them.
It is a good idea to start with a brief gap analysis of what your organization knows about what is connected to its network. Knowing where the gaps lie is the first step in filling in the necessary details, as incomplete information only hinders strategic improvements to the security program. Once you are familiar with your data infrastructure, you can evaluate your next steps and strategic plans.
Collaboration is essential, but that is hardly new advice. The complexity of security does not mean it is impossible, or that readers should shy away from the appropriate next steps.
As Heifetz states, "The goal is a victory in the face of adversity!" One of the secrets to this victory must be a common data platform that all stakeholders can refer to when making medical device decisions. As with most things in life, better data allows healthcare organizations to make better decisions.
Twitter: @SiwickiHealthIT
Email the writer: bsiwicki@himss.org
Healthcare IT News is a publication of HIMSS Media.