CONNECTING WITH CARE
Managing Cybersecurity Risks in Connected Medical Devices
TRIMEDX STARTED OUT 19 YEARS AGO as the biomedical engineering department at St. Vincent Hospital in Indianapolis, Indiana. Since then, the organization has grown to manage 1.1 million clinical assets at 1,800 provider locations across the U.S., supported by a team of 1,100 hospital-based technicians. As clinical technology has evolved, the company has evolved in tandem, now working with clients to manage the complex cybersecurity risks that come with a new generation of connected devices. Planning and remediation around those risks are heavily compromised if a provider lacks a clear understanding of what assets it owns and what software is running on them, so cybersecurity has become a major area of focus for the company. David Klumpe, TRIMEDX's president of clinical asset management, discussed this topic with three healthcare executives at the Modern Healthcare Leadership Symposium on October 12, 2018.
Executive participants in the Modern Healthcare-TRIMEDX focus group did not receive any compensation for their participation, and their involvement does not constitute an endorsement, recommendation, or favoring of any organization involved, including Modern Healthcare, Modern Healthcare Custom Media or TRIMEDX.
David Klumpe: Today, we're going to focus on the vulnerability of your clinical equipment. More and more of the clinical assets that you own are connectable or already connected to your network, and that raises several areas of concern in terms of how providers should be managing risk.
Within our client base, most of the connectable devices are in fact connected — about 154,000 clinical assets. This accounts for a wide range of devices, from imaging to physiologic monitors to mobile equipment like IV and patient-controlled analgesia pumps. More or less, it's any device that is capturing patient data and therefore needs to get integrated into your EMR.
Today, although the FDA believes that cybersecurity risk is a patient safety issue, most cybersecurity vulnerabilities that are identified in medical devices do not meet the level of risk that would require Original Equipment Manufacturers (OEMs) to take mandatory corrective action, such as through the recall process. Because of this, when a cybersecurity vulnerability is identified and the risk does not meet the level requiring action, it is left to the discretion of the OEM to choose if and/or how to address the issue. The software running on your assets is managed by the OEM. If a vulnerability is identified in the software, it's really the OEM who has legal responsibility for finding a solution to that problem, known as a patch.
Your clinical equipment is different than consumer “Internet of Things” connected devices — they are regulated medical devices. The issue with your medical device is, until the manufacturer of that equipment has validated that a patch is safe to put on their device, we can't be sure that the device will function correctly with the patch applied. Our work with our customers is such that we will not apply a patch until it has been validated by the manufacturer of the device, to ensure patient safety.
The problem with that is the OEMs take a very long time to create patches, and that can result in gaps in protection. Over a year ago on Memorial Day, the WannaCry Virus hit several hospitals, including several of our clients. There are assets our clients have in use today for which patches still haven't been validated by OEMs, even though the patch for the virus was released for Windows devices a year ago in May. That's the situation that our industry is in together.
That takes me to our first question: Have any of you had a cyber-related incident in the last year, or so? If so, what was the nature of the attack, and did it involve any of your connected assets, to your knowledge?
DENYSE BALES-CHUBB: The WannaCry Virus affected some of our facilities and equipment within our facilities.
As you alluded to, it was because the manufacturers had not applied the patches. It did affect some of our equipment, so we shifted to other mechanisms to avoid any kind of patient security issues, or safety issues. It took them months to work through all of that. I think that the worst part was that it took so many hours of our IT team's time and pulled them off other key engagements.
DAN COXALL: There are thousands of threats a day across our system. I can’t put my finger on how much of that affects medical equipment. We have nearly a thousand infusion pumps, and as we look to update those devices, we want to go to a smart technology so that we can push drug libraries out to them wirelessly. I think that we're looking at the vulnerability of doing that as well. We have also looked at connected beds, connected cribs and other devices like that. We want to be smart and intelligent, getting data in real time, helping us to be better at delivering care. At the same time, that creates some vulnerability and we need to manage that risk.
KEVIN UNGER: We are similar. I don't know of a specific incident, but we have had some unscheduled downtime because of preventive work being done behind the scenes to prevent cybersecurity attacks. We have a cybersecurity committee that focuses their energy on this, and, as Dan said, we also have thousands of phishing attempts a day as hackers try to get into our networks.
DK: What are some of the challenges that you're hearing from your team about putting that strategy together?
KU: I certainly hear about the challenge of the sheer number of phishing attempts that are always occurring. They are getting more and more creative and we all fall prey and can be vulnerable to making mistakes. Something as simple as clicking on the wrong thing or opening the wrong email creates those threats. We look at it from a system perspective, in a centralized manner. We've hired an outside vendor that tests the system and is always looking for vulnerabilities, and we regularly meet with them to discuss how to prioritize and act on their findings.
DC: The Target hack that occurred ten years ago was a challenge for our building automation systems. I think we're vulnerable with anything that touches our internet. We do have a team of analysts that are constantly working on it, but it also involves educating our entire staff so that if they get an email or see something that looks suspicious, they know they should bring it to someone's attention so that we can address it. We have 14,000 medical equipment assets, maybe about 20% of which are connected. How does the team keep up with that? It's a challenge.
DBC: Adventist Health System manages 40 hospitals across nine states, and we have a team that vets everything at the corporate level. Sometimes we get frustrated and want IT to move faster and it just can't because they must go through such in-depth processes now to make sure we don't have a possible cybersecurity risk. We all understand the need to thoroughly vet these assets.
DK: What role does clinical engineering play in your organization's cybersecurity strategy? How has your organization explored the organizational reporting relationship of clinical engineering as it relates to cybersecurity?
DC: Clinical engineering partners very closely with our IT department, as well as our Clinical Equipment Steering Committee, to understand what equipment we're bringing in. From a strategic perspective, we're looking at what the next five years hold for us when it comes to buying and acquiring new medical equipment, working with the manufacturers to make the selection that we want to bring in and then working with IT to do a risk assessment. We consider, if this device is connected, what are the vulnerabilities that we're creating and how do we protect ourselves from that?
DBC: We're very similar. We work on a committee level and anything that comes out on the floor has been vetted. Usually it's a corporate level first, and then it is implemented on-site. They work in conjunction.
DK: Holding OEMs accountable for cybersecurity is an industry challenge. How do you think we need to address it? What kind of accountability or industrywide standards need to be called for?
KU: It sounds like the rate at which fixes come to the market needs to be regulated in the industry so that OEMs are held accountable.
DBC: I think that we need to do a better job of holding our vendors accountable. If a patch comes out, there should be a required timeframe for them to get it implemented. I also think there should be disclosure language so that if a company knows something, they must let us know about a possible threat so that we can determine what we need to do to keep our patients safe and our data safe. I think that's key. One of our biggest challenges is communicating with outside physicians, many of whom are not sophisticated in terms of technology. It's a challenge to make sure that when we interact with antiquated technology, we guard against risk for possible attacks and breaches in our security. We of course don't want to be too closed off, so we need to consider how we can safely make sure that we're getting information to everybody that needs it.
DC: We often look up to the most-connected organizations. I'm not sure that that's always the greatest thing. It's not such a good thing to be recognized for being connected if you're not prepared for the cybersecurity risk. Strategically, I think we have to look to some of the OEMs that are leaders in IT and make sure we have a team that knows how to respond and react, in real time. We want to be sure that when something does occur, we know how to stop it, and we know how to work on recovery, communication and awareness about it.
DK: You can't assess or address vulnerability if you don't know what your inventory looks like. As basic and foundational as that is, our experience is that many providers struggle immensely to keep track of what assets they own, let alone keeping track of what is connected and what software is running on those devices. Today, we are actively taking responsibility for working with our IT partners within our customer facilities to build not only the physical inventory, but also a “digital persona” of device settings and vulnerabilities as well.
Clearly, there's an awareness issue. How do you think the industry should elevate the issue of device cybersecurity to the C-suite level so that executives understand their vulnerabilities and risk?
KU: When you're talking cybersecurity, the biomedical engineering side didn't pop into my head as one of the key stakeholders. That's something I hadn't really connected the dots on, and I imagine I'm not alone in that among other executives. We must get ahead of it, though. Somebody hacks something, hurts somebody, and somebody's going to be an example.
DC: For me, we tie it to patient safety and target zero. If we really are going to prevent doing harm to our patients, then we need to start with cybersecurity, because it is the patients' information that we are retaining.
DBC: I only know enough about IT to be truly dangerous. But, in addition to the device inventory, it might be helpful to have an inventory of all the different software and possibly patches that have been applied to them, like a running tab. I'd also like to do some education for our employees, as I don't think the typical front line employee really thinks about this very much, including the vulnerabilities that even they might be able to control. I think that would be very helpful.
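As an added illustration of the inventory "digital persona" David Klumpe describes and the running tab of software and applied patches Denyse Bales-Chubb asks for, the Python below models a small asset inventory and produces a gap report for one vendor patch. It is example code written for this page, not code from the roundtable, from TRIMEDX or from any participant's organization; every asset ID, device type, version string and patch identifier in it is constructed for the example. It also encodes the policy stated in the discussion that a patch is not applied until the device's OEM has validated it, and the report separates devices that can be patched now from connected devices still waiting on the OEM, which are the ones that need compensating controls in the meantime.

```python
"""Inventory 'digital persona' and patch gap report for connected clinical assets.

Added example, not code from the roundtable or from TRIMEDX: every device record,
version string and patch identifier below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Asset:
    """One clinical asset plus the software facts needed to reason about its risk."""
    asset_id: str
    device_type: str
    connected: bool                  # reachable on the hospital network, or standalone
    os_name: str
    os_version: str
    applied_patches: set[str] = field(default_factory=set)        # running tab of what is installed
    oem_validated_patches: set[str] = field(default_factory=set)  # what the OEM has cleared for this model


@dataclass(frozen=True)
class Advisory:
    """A vendor fix the provider is tracking, keyed by the patch that closes it."""
    patch_id: str
    os_name: str
    affected_versions: frozenset[str]


def exposure_status(asset: Asset, advisory: Advisory) -> str:
    """Classify one asset against one advisory.

    'exposed_awaiting_oem' is the WannaCry-style gap the discussion describes: a
    connected device on an affected OS where the vendor patch exists but the device
    maker has not validated it, so policy says it cannot be applied yet.
    """
    if asset.os_name != advisory.os_name or asset.os_version not in advisory.affected_versions:
        return "not_affected"
    if advisory.patch_id in asset.applied_patches:
        return "patched"
    if advisory.patch_id in asset.oem_validated_patches:
        return "validated_not_applied"   # provider can schedule the patch now
    if asset.connected:
        return "exposed_awaiting_oem"    # needs compensating controls until the OEM validates
    return "affected_offline"            # affected, but not reachable over the network


def apply_patch(asset: Asset, patch_id: str) -> None:
    """Record a patch on the running tab, refusing any patch the OEM has not validated."""
    if patch_id not in asset.oem_validated_patches:
        raise ValueError(f"{asset.asset_id}: patch {patch_id} is not OEM-validated for this device")
    asset.applied_patches.add(patch_id)


def gap_report(assets: list[Asset], advisory: Advisory) -> dict[str, list[str]]:
    """Group asset IDs by exposure status so the exposed set can be acted on first."""
    report: dict[str, list[str]] = {}
    for asset in assets:
        report.setdefault(exposure_status(asset, advisory), []).append(asset.asset_id)
    return report


# Constructed sample inventory: hypothetical IDs, versions and patch name.
SAMPLE_ADVISORY = Advisory(patch_id="PATCH-EXAMPLE-1", os_name="Windows",
                           affected_versions=frozenset({"7 SP1", "XP SP3"}))


def sample_assets() -> list[Asset]:
    return [
        Asset("IMG-001", "CT scanner", True, "Windows", "7 SP1"),
        Asset("MON-014", "physiologic monitor", True, "Windows", "7 SP1",
              applied_patches={"PATCH-EXAMPLE-1"}, oem_validated_patches={"PATCH-EXAMPLE-1"}),
        Asset("MON-022", "physiologic monitor", True, "Windows", "7 SP1",
              oem_validated_patches={"PATCH-EXAMPLE-1"}),
        Asset("PMP-207", "infusion pump", True, "Embedded Linux", "4.x"),
        Asset("IMG-009", "ultrasound", False, "Windows", "XP SP3"),
    ]


def sample_report() -> dict[str, list[str]]:
    return gap_report(sample_assets(), SAMPLE_ADVISORY)


if __name__ == "__main__":
    for status, ids in sample_report().items():
        print(f"{status:24} {', '.join(ids)}")
```

The useful output is the "exposed_awaiting_oem" bucket: connected, affected devices the provider is not permitted to patch yet. Those are the assets to isolate on a restricted network segment and watch in the SOC until the OEM validation arrives, at which point they move to "validated_not_applied" and can be scheduled.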