Beefing Up Medical Device Cybersecurity

Health systems focus on asset tracking, risk assessment, patch management

By David Raths

Medical devices connected to hospital networks haven’t yet been the source of high-profile catastrophic cyberattacks in the United States. But the vulnerability to such attacks is leading to many sleepless nights for health system chief information officers and chief information security officers.

When Salt Lake City-based KLAS Research and CHIME (the College of Healthcare Information Management Executives) partnered to interview healthcare IT executives in 2018 about medical device security, only 39 percent of respondents said they were very confident or confident that their current strategy protects patient safety and prevents disruptions in care.

The survey found that 18 percent of provider organizations had medical devices impacted by malware or ransomware in the last 18 months. The CIOs and CISOs surveyed estimated that the average number of connected medical devices on their network was just under 10,000 and that one-third of them were “unpatchable.” In addition, 76 percent reported that their resources are insufficient and too strained to adequately secure medical devices. Almost half cited poor asset and inventory visibility as a top organizational factor, followed by ambiguous security ownership and responsibility.

KLAS recently published a Healthcare Internet of Things (IoT) Security report looking at health system priorities when working with vendors on medical device security. “Most hospital organizations have thousands of medical devices,” said Joe Van De Graaff, KLAS’ vice president for digital health and security. “The number of entry points is almost infinite. The solutions out there today will help you gain visibility.”

The primary pain points are uncertainty and fear, he said. “It is one thing to have a concern about security, but it is a next-level concern to have fear about a medical device attached to a patient being hacked. It becomes very personal.”

“For many health systems, deploying these solutions is a ‘turn on the lights’ moment, because they haven’t had this kind of visibility before,” said Van De Graaff. “There is this defined need, and now provider organizations are deciding which vendor partner they should go with and whether they should outsource it as a service with the vendor actually managing the devices.”

Another emerging purchasing driver is tracking device utilization, he said. As CISOs, CIOs and biomedical directors start using these asset management solutions, they realize they can not only identify what is on the network and at risk but also better utilize these medical devices, so perhaps they don’t have to purchase additional equipment.

The stakeholder driving these efforts could be the CISO, biomedical engineering or the information technology department. “It is becoming more common that the different stakeholders collaborate with each other,” Van De Graaff said. In addition, most are looking beyond just the medical devices to all types of IoT devices. “It is becoming a shared initiative,” he added. “They are saying, ‘If we need to track medical devices, we need to do the same for our HVAC system and other devices on the network.’ It is
