A topic getting a significant amount of attention at the recent HIMSS 2018 Conference and Exhibition was that of medical device security. Addressing that topic was a dinner and panel discussion hosted by CloudPost Networks, Huntzinger, and Meditology Services. Approximately 40 CIOs, CTOs, CISOs, and others, listened to Wes Wright, CTO of Sutter Health, and Clint Perkinson, Director of Information Technology at Beebe Healthcare, provide their insights on medical device security. The expert panelists, as well as the attendees, expressed concern that medical devices present a significant cybersecurity challenge to healthcare organizations.
After an introductory welcome by CloudPost CEO, Gnanaprakasam Pandian, Huntzinger EVP and Partner, William Reed, led a Q&A panel discussion with active audience participation. The following highlights key points from the discussion:
- How would you rate the level of cyber-risk related to medical devices? — The consensus was the risk level was high (8 out of 10), with organizations at different levels of mitigation.
- What medical device is the most vulnerable? — The panelists, and most of the attendees, felt infusion pumps present the most significant current risk due to their ability to rapidly impact patient care. One attendee proffered an opinion that environmental systems, especially elevator controls, present another significant vulnerability. An additional comment was made to keep in touch with facilities departments concerning security cameras which are connected to networks.
- How is that risk expected to change going forward? — It was generally felt that the risk would continue to grow as healthcare continues to move outside the walls of organizations and into patients’ homes. This exposure will be further exacerbated by the expanded use of patient wearables wirelessly tethered to organizations’ networks.
- To what degree do healthcare organizations understand the risk? — The prevailing feeling was that most organizations have a heightened sensitivity and concern regarding cybersecurity in general, but perhaps not specifically relative to the exposure that medical devices create. Concern was expressed that while budgetary support was being readily provided, board members and executives falsely expect comprehensive mitigation to be immediately in place upon receipt of the additional resources.
- What effect do/can medical device vendors have on the risk? — Obviously, medical device vendors do, and could, have a tremendous impact on medical device security. One of the challenges is the variety of devices and manufacturers that organizations are forced to contend with makes it difficult to employ a consistently comprehensive approach. Further, the frequently outsourced service and maintenance of medical devices further compounds these issues. It was also noted that even in segmented networks, if access control lists (ACLs) aren’t in place to only allow the communications required to transit the network, there is still a risk. Testing and validation requires the vendor’s interaction to confirm those communications channels.
- To what degree does organizational placement of biomedical (e.g., within IT or not) impact the risk and mitigation? — This question generated some of the most polarized opinions. Extremes spanned from the best approach being biomedical, due to the digital and network dependency of the devices, should be part of, and managed by, IT, to a contrary view that, given the clinical orientation of medical devices, they should be managed within a clinical domain such as the Chief Nursing Officer. Others felt that organizational placement was less important than effective cross-communication concerning medical device issues occurring between clinical and IT. It was presented by the panelists, and agreed to by the attendees, that an effective governance process that forces transparency around medical equipment purchases will help mitigate the risk of onboarding new equipment without the knowledge of the organizational CIOs and CISOs. As one panelist commented: “It doesn’t matter, I still have a network to protect.” There was no compelling support voiced for medical devices being managed by facilities functions as it historically has been in many organizations.
- What is the one significant action organizations should take to enhance medical device security? — Create and maintain an accurate inventory of all the medical devices interacting with the network, assess the risks associated (device generic access, unsupported operating systems, patching strategy, etc.) and then work with the biomedical team and vendor on a mitigation plan
- What is the one significant action organizations shouldn’t take relative to medical device security? — Do not wait to initiate some level of action, or for a comprehensive solution. Incremental, partial improvements are better than no action at all. The initial assessment may present an overwhelming effort, however the risks can be categorized and prioritized to allow mitigation at an achievable pace in partnership with the vendor, biomed, clinical, and IT.
For additional information about CloudPost Networks access www.cloudpostnetworks.com
For additional information about Meditology services access www.meditologyservices.com