Man­ag­ing Cy­ber­se­cu­rity Risks in Con­nected Med­i­cal De­vices

Modern Healthcare - - News -

TRIMEDX STARTED OUT 19 YEARS AGO as the bio­med­i­cal en­gi­neer­ing depart­ment at St. Vin­cent Hos­pi­tal in In­di­anapo­lis, In­di­ana. Since then, the or­ga­ni­za­tion has grown to man­age 1.1 mil­lion clin­i­cal as­sets at 1,800 provider lo­ca­tions across the U.S., sup­ported by a team of 1,100 hos­pi­tal­based tech­ni­cians. As clin­i­cal tech­nol­ogy has evolved, the com­pany has evolved in tan­dem, now work­ing with clients to man­age the com­plex cy­ber­se­cu­rity risks that come with a new gen­er­a­tion of con­nected de­vices. Plan­ning and remediation around the risks that come with con­nected med­i­cal equip­ment can be heav­ily com­pro­mised if a provider lacks a clear un­der­stand­ing of what as­sets they own and what soft­ware is run­ning on them, so cy­ber­se­cu­rity has be­come a ma­jor area of fo­cus for the com­pany. David Klumpe, TRIMEDX’s pres­i­dent of clin­i­cal as­set man­age­ment, dis­cussed this topic with three health­care ex­ec­u­tives at the Mod­ern Health­care Lead­er­ship Sym­po­sium on Oc­to­ber 12, 2018.

Ex­ec­u­tive par­tic­i­pants in the Mod­ern Health­care-TRIMEDX fo­cus group did not re­ceive any com­pen­sa­tion for their par­tic­i­pa­tion, and their in­volve­ment does not con­sti­tute an en­dorse­ment, rec­om­men­da­tion, or fa­vor­ing of any or­ga­ni­za­tion in­volved, in­clud­ing Mod­ern Health­care, Mod­ern Health­care Cus­tom Me­dia or TRIMEDX.

David Klumpe: To­day, we're go­ing to fo­cus on the vul­ner­a­bil­ity of your clin­i­cal equip­ment. More and more of the clin­i­cal as­sets that you own are con­nectable or al­ready con­nected to your net­work, and that raises sev­eral ar­eas of con­cern in terms of how providers should be man­ag­ing risk.

Within our client base, most of the con­nectable de­vices are in fact con­nected — about 154,000 clin­i­cal as­sets. This ac­counts for a wide range of de­vices, from imag­ing to phys­i­o­logic mon­i­tors to mo­bile equip­ment like IV and pa­tient-con­trolled anal­ge­sia pumps. More or less, it's any de­vice that is cap­tur­ing pa­tient data and there­fore needs to get in­te­grated into your EMR.

To­day, although FDA be­lieves that cy­ber­se­cu­rity risk is a pa­tient safety is­sue, most cy­ber­se­cu­rity vul­ner­a­bil­i­ties that are iden­ti­fied in med­i­cal de­vices do not meet the level of risk that would re­quire Orig­i­nal Equip­ment Man­u­fac­tur­ers (OEMs) to take manda­tory cor­rec­tive ac­tion such as through the re­call process. Be­cause of this, when a cy­ber­se­cu­rity vul­ner­a­bil­ity is iden­ti­fied and the risk does not meet the level re­quir­ing ac­tion, it is left to the dis­cre­tion of the OEM to choose if and/or how to ad­dress the is­sue. The soft­ware run­ning on your as­sets is man­aged by the OEM. If there is a vul­ner­a­bil­ity in the soft­ware iden­ti­fied, it's re­ally the OEM who has le­gal re­spon­si­bil­ity for find­ing a so­lu­tion to that prob­lem, known as a patch.

Your clin­i­cal equip­ment is dif­fer­ent than con­sumer “In­ter­net of Things” con­nected de­vices — they are reg­u­lated med­i­cal de­vices. The is­sue with your med­i­cal de­vice is, un­til the man­u­fac­turer of that equip­ment has val­i­dated that a patch is safe to put on their de­vice, we can't be sure that the de­vice will func­tion cor­rectly with the patch ap­plied. Our work with our cus­tomers is such that we will not ap­ply a patch un­til it has been val­i­dated by the man­u­fac­turer of the de­vice, to en­sure pa­tient safety.

The prob­lem with that is the OEMs take a very long time to cre­ate patches, and that can re­sult in gaps in pro­tec­tion. Over a year ago on Me­mo­rial Day, the Wan­naCry Virus hit sev­eral hos­pi­tals, in­clud­ing sev­eral of our clients. There are as­sets our clients have in use to­day for which patches still haven't been val­i­dated by OEMs, even though the patch for the virus was re­leased for Win­dows de­vices a year ago in May. That's the sit­u­a­tion that our in­dus­try is in to­gether.

That takes me to our first ques­tion: Have any of you had a cy­ber-re­lated in­ci­dent in the last year, or so? If so, what was the na­ture of the at­tack, and did it in­volve any of your con­nected as­sets, to your knowl­edge?

DENYSE BALES-CHUBB: The Wan­naCry Virus af­fected some of our fa­cil­i­ties and equip­ment within our fa­cil­i­ties.

As you al­luded to, it was be­cause the man­u­fac­tur­ers had not ap­plied the patches. It did af­fect some of our equip­ment, so we shifted to other mech­a­nisms to avoid any kind of pa­tient se­cu­rity is­sues, or safety is­sues. It took them months to work through all of that. I think that the worst part was that it took so many hours of our IT team's time and pulled them off other key en­gage­ments.

DAN COXALL: There are thou­sands of threats a day across our sys­tem. I can’t put my fin­ger on how much of that af­fects med­i­cal equip­ment. We have nearly a thou­sand in­fu­sion pumps, and as we look to up­date those de­vices, we want to go to a smart tech­nol­ogy so that we can push drug li­braries out to them wire­lessly. I think that we're look­ing at the vul­ner­a­bil­ity of do­ing that as well. We have also looked at con­nected beds, con­nected cribs and other de­vices like that. We want to be smart and in­tel­li­gent, get­ting data in real time, help­ing us to be bet­ter at de­liv­er­ing care. At the same time, that cre­ates some vul­ner­a­bil­ity and we need to man­age that risk.

KEVIN UNGER: We are sim­i­lar. I don't know of a spe­cific in­ci­dent, but we have had some un­sched­uled down­time be­cause of pre­ven­tive work be­ing done be­hind the scenes to pre­vent cy­ber­se­cu­rity at­tacks. We have a cy­ber­se­cu­rity com­mit­tee that fo­cuses their en­ergy on this, and, as Dan said, we also have thou­sands of phish­ing at­tempts a day as hack­ers try to get into our net­works.

DK: What are some of the chal­lenges that you're hear­ing from your team about putting that strat­egy to­gether?

KU: I cer­tainly hear about the chal­lenge of the sheer num­ber of phish­ing at­tempts that are al­ways oc­cur­ring. They are get­ting more and more cre­ative and we all fall prey and can be vul­ner­a­ble to mak­ing mis­takes. Some­thing as sim­ple as click­ing on the wrong thing or open­ing the wrong email cre­ates those threats. We look at it from a sys­tem per­spec­tive, in a cen­tral­ized man­ner. We've hired an out­side

ven­dor that tests the sys­tem and is al­ways look­ing for vul­ner­a­bil­i­ties, and we reg­u­larly meet with them to dis­cuss how to pri­or­i­tize and act on their find­ings.

DC: The Tar­get hack that oc­curred ten years ago was a chal­lenge for our build­ing au­to­ma­tion sys­tems. I think we're vul­ner­a­ble with any­thing that touches our in­ter­net. We do have a team of an­a­lysts that are con­stantly work­ing on it, but it also in­volves ed­u­cat­ing our en­tire staff so that if they get an email or see some­thing that looks sus­pi­cious, they know they should bring it to some­one's at­ten­tion so that we can ad­dress it. We have 14,000 med­i­cal equip­ment as­sets, maybe about 20% of which are con­nected. How does the team keep up with that? It's a chal­lenge.

DBC: Ad­ven­tist Health Sys­tem man­ages 40 hos­pi­tals across nine states, and we have a team that vets ev­ery­thing at the cor­po­rate level. Some­times we get frus­trated and want IT to move faster and it just can't be­cause they must go through such in-depth pro­cesses now to make sure we don't have a pos­si­ble cy­ber­se­cu­rity risk. We all un­der­stand the need to thor­oughly vet these as­sets.

DK: What role does clin­i­cal en­gi­neer­ing play in your or­ga­ni­za­tion's cy­ber­se­cu­rity strat­egy? How has your or­ga­ni­za­tion ex­plored the or­ga­ni­za­tional re­port­ing re­la­tion­ship of clin­i­cal en­gi­neer­ing as it re­lates to cy­ber­se­cu­rity?

DC: Clin­i­cal en­gi­neer­ing part­ners very closely with our IT depart­ment, as well as our Clin­i­cal Equip­ment Steer­ing Com­mit­tee, to un­der­stand what equip­ment we're bring­ing in. From a strate­gic per­spec­tive, we're look­ing at what the next five years hold for us when it comes to buy­ing and ac­quir­ing new med­i­cal equip­ment, work­ing with the man­u­fac­tur­ers to make the se­lec­tion that we want to bring in and then work­ing with IT to do a risk as­sess­ment. We con­sider, if this de­vice is con­nected, what are the vul­ner­a­bil­i­ties that we're cre­at­ing and how do we pro­tect our­selves from that?

DBC: We're very sim­i­lar. We work on a com­mit­tee level and any­thing that comes out on the floor has been vet­ted. Usu­ally it's a cor­po­rate level first, and then it is im­ple­mented on-site. They work in con­junc­tion.

DK: Hold­ing OEMs ac­count­able for cy­ber­se­cu­rity is an in­dus­try chal­lenge. How do you think we need to ad­dress it? What kind of ac­count­abil­ity or in­dus­try­wide stan­dards need to be called for?

KU: It sounds like the rate at which fixes come to the mar­ket needs to be reg­u­lated in the in­dus­try so that OEMs are held ac­count­able.

DBC: I think that we need to do a bet­ter job of hold­ing our ven­dors ac­count­able. If a patch comes out, there should be a re­quired time­frame for them to get it im­ple­mented. I also think there should be dis­clo­sure lan­guage so that if a com­pany knows some­thing, they must let us know about a pos­si­ble threat so that we can de­ter­mine what we need to do to keep our pa­tients safe and our data safe. I think that's key. One of our big­gest chal­lenges is com­mu­ni­cat­ing with out­side physi­cians, many of whom are not so­phis­ti­cated in terms of tech­nol­ogy. It's a chal­lenge to make sure that when we in­ter­act with an­ti­quated tech­nol­ogy, we guard against risk for pos­si­ble at­tacks and breaches in our se­cu­rity. We of course don't want to be too closed off, so we need to con­sider how we can safely

“We of­ten look up to the most-con­nected or­ga­ni­za­tions. I'm not sure that that's al­ways the great­est thing. It’s not such a good thing to be rec­og­nized for be­ing con­nected if you're not pre­pared for the cy­ber­se­cu­rity risk. ”

make sure that we're get­ting in­for­ma­tion to ev­ery­body that needs it.

DC: We of­ten look up to the most-con­nected or­ga­ni­za­tions. I'm not sure that that's al­ways the great­est thing. It's not such a good thing to be rec­og­nized for be­ing con­nected if you're not pre­pared for the cy­ber­se­cu­rity risk. Strate­gi­cally, I think we have to look to some of the OEMs that are lead­ers in IT and make sure we have a team that knows how to re­spond and re­act, in real time. We want to be sure that when some­thing does oc­cur, we know how to stop it, and we know how to work on re­cov­ery, com­mu­ni­ca­tion and aware­ness about it.

DK: You can't as­sess or ad­dress vul­ner­a­bil­ity if you don't know what your in­ven­tory looks like. As ba­sic and foun­da­tional as that is, our ex­pe­ri­ence is that many providers strug­gle im­mensely to keep track of what as­sets they own, let alone keep­ing track of what is con­nected and what soft­ware is run­ning on those de­vices. To­day, we are ac­tively tak­ing re­spon­si­bil­ity for work­ing with our IT part­ners within our cus­tomer fa­cil­i­ties to build not only the phys­i­cal in­ven­tory, but also a “dig­i­tal per­sona” of de­vice set­tings and vul­ner­a­bil­i­ties as well.

Clearly, there's an aware­ness is­sue. How do you think the in­dus­try should el­e­vate the is­sue of de­vice cy­ber­se­cu­rity to the C-suite level so that ex­ec­u­tives un­der­stand their vul­ner­a­bil­i­ties and risk?

KU: When you're talk­ing cy­ber­se­cu­rity, the bio­med­i­cal en­gi­neer­ing side didn't pop into my head as one of the key stake­hold­ers. That's some­thing I hadn't re­ally con­nected the dots on, and I imag­ine I'm not alone in that among other ex­ec­u­tives. We must get ahead of it, though. Some­body hacks some­thing, hurts some­body, and some­body's go­ing to be an ex­am­ple.

DC: For me, we tie it to pa­tient safety and tar­get zero. If we re­ally are go­ing to pre­vent do­ing harm to our pa­tients, then we need to start with cy­ber­se­cu­rity, be­cause it is the pa­tients' in­for­ma­tion that we are re­tain­ing.

DBC: I only know enough about IT to be truly dan­ger­ous. But, in ad­di­tion to the de­vice in­ven­tory, it might be help­ful to have an in­ven­tory of all the dif­fer­ent soft­ware and pos­si­bly patches that have been ap­plied to them, like a run­ning tab. I'd also like to do some ed­u­ca­tion for our em­ploy­ees, as I don't think the typ­i­cal front line em­ployee re­ally thinks about this very much, in­clud­ing the vul­ner­a­bil­i­ties that even they might be able to con­trol. I think that would be very help­ful.

“I think that we need to do a bet­ter job of hold­ing our ven­dors ac­count­able. If a patch comes out, there should be a re­quired time frame for them to get it im­ple­mented. ”

David Klumpe Pres­i­dent, Clin­i­cal As­set Man­age­ment So­lu­tions, TRIMEDX

Kevin Unger Pres­i­dent and CEO,Poudre Valley Hos­pi­tal/Med­i­cal Cen­ter of the Rock­ies

Dan Coxall VP of Sup­port Ser­vices, Chil­dren's Hos­pi­tal Colorado

Denyse Bales-Chubb Pres­i­dent & CEO, Florida Hos­pi­tal Wes­ley Chapel

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.