becoming apparent that while medical devices tend to be one of the first ripples in the water, most organizations are seeking to handle non-medical devices as well.”

No longer a back-burner issue

The good news is that many health systems are making concerted efforts to bolster their medical device security programs. At the recent CHIME Fall Forum, Rick Lang, vice president and CIO of 232-bed Doylestown Hospital in Pennsylvania, described how he and his team deployed a comprehensive medical device cybersecurity strategy to create policies, procedures and training. Doylestown is creating a cross-functional cybersecurity program backed by a robust set of cybersecurity technologies.


Lang cited the 2018 KLAS report that found CIOs are not confident in their medical device security strategy. “This is a weakness for most health systems and we are working to shore that up,” he said. “It is a clear and present need. Hackers and malware don’t discriminate. If it has a CPU, it is a potential target.” One challenge has been that CIOs are not traditionally used to dealing with medical devices as part of their oversight. It has been the responsibility of biomedical engineering. “It has been a back-burner issue, but no longer due to the sweeping impact an attack could have,” Lang said. For instance, if cardiovascular services were compromised for any period of time, it could have a huge impact on patient care and finances, he said.

When determining how they would address the issue, Doylestown realized they didn’t just want to buy software; they needed help tying together compliance, detection and response.

In terms of compliance, they needed to develop policies, best practices and governance specific to medical device cybersecurity; they wanted the ability to detect attacks against medical devices 24x7 and they needed help with identifying potential risks with medical devices; and in the event of an attack, they wanted to be sure that they could respond effectively. They chose to work with a vendor, Sensato, that had a single solution to help with compliance best practices and policies and detection through a robust software platform. The company is responsible for 24x7 monitoring by a security operations center and a medical device incident response program. Now Doylestown’s medical devices are “fingerprinted” and catalogued into a comprehensive asset management system.

“The first thing we did was revise our business associate agreement to make sure purchasing spelled out our policies and companies complied with them,” Lang explained. “For instance, if a company gets breached, they have to notify us within 24 hours, and they must respond to any request we give them for information about that breach. We also require that they do a cyber risk assessment and vulnerability testing annually and that we get access to the results. We haven’t had anybody not sign it yet.”

In terms of asset management, Doylestown had to identify all medical device resources, then prioritize scanning for vulnerabilities based on risk thresholds. “We prioritized in order of impact on patients and operations,” Lang said. “When we get the scan results back, our biomedical team has to work with the vendor and IT on remediation and patching. We set up firewalling or quarantining of end-of-life (EOL) devices or a patch, and/or deploy other mitigating technologies to help us get through that deficiency.”

Staff engagement is crucial, Lang said. Sensato created a 30-minute class for staff members about why this is important and why they need to be involved. They try to develop real examples involving actual devices Doylestown uses, such as smart pumps or telemetry. “We can go over scenarios on how to detect an anomaly. For example, if every smart pump on the floor is not working, that should set off an alarm,” he said.
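As an added illustration of the impact-first prioritization Lang describes (this is constructed example code, not the article's, Doylestown's or Sensato's tooling), the Python below scores a small made-up device inventory, orders it for vulnerability scanning by patient impact and then operational impact, and assigns a compensating control to EOL or unpatchable devices depending on which network segment they sit on. The device names, segment labels and score weights are assumptions.

```python
"""Risk-ordered medical device inventory (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    segment: str          # network segment the device currently sits on (assumed labels)
    patient_impact: int   # 1 (low) .. 5 (life-critical) if the device is unavailable
    ops_impact: int       # 1 (single room) .. 5 (hospital-wide service)
    eol: bool             # vendor end-of-life
    patchable: bool       # vendor still ships fixes that can be applied


def risk_score(d: Device) -> int:
    """Patient impact dominates, operations impact breaks ties, and a device that
    can only be protected by compensating controls gets a fixed uplift (assumed weights)."""
    score = d.patient_impact * 10 + d.ops_impact
    if d.eol or not d.patchable:
        score += 15
    return score


def scan_order(devices: list[Device]) -> list[Device]:
    """Highest-risk devices are scanned and remediated first."""
    return sorted(devices, key=risk_score, reverse=True)


def compensating_action(d: Device) -> str:
    """Patch what can be patched; firewall or quarantine what cannot."""
    if d.eol or not d.patchable:
        if d.segment == "hospital-lan":
            return "quarantine"   # move off the hospital LAN into an isolated segment
        return "firewall"         # already isolated: restrict to required peers only
    return "patch"                # coordinate remediation window with vendor and biomed


def plan(devices: list[Device]) -> list[tuple[str, int, str]]:
    return [(d.name, risk_score(d), compensating_action(d)) for d in scan_order(devices)]


# Constructed inventory; names and segments are not real devices.
INVENTORY = [
    Device("lab-analyzer-03", "med-devices", 2, 4, eol=True, patchable=False),
    Device("cath-lab-imaging-01", "hospital-lan", 4, 5, eol=False, patchable=True),
    Device("smart-pump-01", "hospital-lan", 5, 3, eol=True, patchable=False),
    Device("telemetry-gw-02", "med-devices", 5, 5, eol=False, patchable=True),
]

if __name__ == "__main__":
    for name, score, action in plan(INVENTORY):
        print(f"{score:3d}  {name:22s} {action}")
```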
Incident response to a medical device cyberattack is a new process, Lang said. “It requires strong coordination with those disciplines outside of IT. Nurses have to understand the patient safety ramifications. This is an evolving process and will take some effort before we have a full incident response program for medical devices.”

Lang’s advice to other CIOs is to segment their local area networks and get the medical devices off the hospital LAN. “If one-third of those devices are EOL or ‘unpatchable,’ you don’t want them on your hospital LAN. If your network is segmented, an attack on a medical device is effectively localized and you are able to shut down or ‘park’ those devices.”

“We now have a solid asset management system for medical devices,” Lang said. “We have changed the way we do things with medical devices, but we still have a long way to go. We have good policies in place now, and it is time to execute. We are on the right track.”

Gaining visibility

There may be hundreds of medical devices on a hospital network that IT executives aren’t aware of, said Kelly Rozumalski, secure connected health director at Booz Allen Hamilton, so setting up an asset management structure to gain visibility into all the medical devices on your network is an important first step. “Adding a layer of complexity is the addition of remote patient monitoring and sending these medical devices home with patients,” she said.

Rozumalski added that hospital systems have to build closer ties to medical device manufacturers to make sure they are building security in from the beginning. “The fact is that a lot of the devices in use are legacy devices that have been there for years. The issue is that a lot of them cannot be patched, and unfortunately, we are not going to be able to change out all these legacy devices anytime soon. That is not realistic,” she said. “So it is important to identify compensating controls so that we can isolate and protect them. It all starts with visibility into your network.”

The U.S. Food & Drug Administration and the Department of Homeland Security have been working with stakeholders to create an environment of shared responsibility when it comes to coordinated vulnerability disclosures for identifying and addressing cybersecurity risks, she added. “If there is a vulnerability on one medical device, there is no reason why every other manufacturer should not be aware of that vulnerability so they can mitigate it in their systems,” she said. “Coordination and information sharing is crucial.”

Staying on top of patch management at Edward-Elmhurst

Also addressing the CHIME Fall Forum, Beckie Lopez, associate vice president of IT at three-hospital Edward-Elmhurst Health in Illinois, spoke about the health system’s fairly rapid progress on medical device cybersecurity. She said the clinical engineering team responsible for medical devices has always been under the IT umbrella. Yet 18 months ago, as she and the health system CISO began learning more about potential vulnerabilities of medical devices on the network, they realized the IT team did not have the skills or knowledge to manage security on these devices as

