they do PCs and servers. “So we started talking to the clinical engineering team about how to get better visibility into the number and status of medical devices,” Lopez said.

Beckie Lopez

In working with the device vendors, the Edward-Elmhurst team found some weren’t very advanced in terms of cybersecurity, so figuring out where they were in terms of patch management was an important first step, and the health system sought help from an outside vendor. “We started talking with Trimedx about how they could help us manage this better and get our IT team the skill set to manage this better.” Trimedx helped Edward-Elmhurst complete a comprehensive asset inventory. They found they had 22,924 total devices and 4,272 connected devices. “We comprehensively tracked all physical connectable devices on the network,” Lopez said. “They are accessible via Trimedx’s clinical asset informatics platform. We had 50 different ambulatory locations, and there are lots of assets in these ambulatory locations. That was an eye-opener for me.”

Trimedx and Edward-Elmhurst now work together on patch management to reduce risk. Onsite Trimedx cyber specialists filled the gap in clinical engineering and cybersecurity expertise that the health system didn’t have in-house. They communicate with the vendors and serve as a critical link in a comprehensive security strategy. “They are an extension of our team and meet with us weekly,” Lopez said. “They are integrated with our IT and clinical engineering team and meet with the CISO three times per week.”

The change has also sped up initial risk assessments on new devices being deployed: the assessments by IT and clinical engineering are streamlined, and the equipment gets out to operations faster.

Now Lopez and the CISO have a dashboard they can show to the audit and compliance committee and the executive council. It shows the progress they have made on an 18-month journey to having a much better handle on device inventory, patch management and compensating controls. “We have made a lot of progress in a short period of time,” she said. “I don’t worry about this like I used to. It has made life better for our organization.”

“The greatest win of all was that we used to have biomedical cybersecurity as one of our top 15 things on our enterprise risk list,” she said. “This was a daunting challenge. But as of September it was removed from that list. That is a good story to tell.”

Taking a New Approach to Cybersecurity Risk Assessments

Medical device security is just one aspect of a holistic cybersecurity program. Smaller community hospitals often struggle to find the financial and staffing resources to do an adequate job. But it is possible to bolster your defenses. In 2019, when Patrick Neece was named vice president and CIO at Lake Regional Health System, a 116-bed hospital in central Missouri, he decided the organization needed to take a different approach to cybersecurity risk assessments.

In his presentation to the CHIME Fall Forum, Neece noted that traditional security information and event management (SIEM) software solutions can be complicated and costly for small community-based hospitals to deploy. The lack of integration and usability can drive a high cost of ownership, he said, and it can be difficult to translate the results into something that non-technical personnel can use.

In addition, he said, working with vendors that are not specific to the healthcare sector can create a laborious contracting process and lead to key needs being missed and delayed implementations. “In addition, it may take months to implement a solution and achieve results,” Neece said. After an evaluation process, Lake Regional chose to work with Sensato, which has a holistic cybersecurity program, including real-time 24x7 network intrusion detection.

One of the first steps of creating a cybersecurity program is risk assessment. But a challenge CIOs and CISOs face is that it can be difficult to make measurable progress on cybersecurity preparedness and demonstrate it to an executive team or board in non-technical terms. “The results of a traditional risk assessment are usually complicated, even overwhelming,” Neece said, “reducing the value of the assessment.”

To develop a strategic roadmap, Lake Regional embraced the U.S. Department of Energy’s Cybersecurity Capability Maturity Model (C2M2), a common set of industry practices grouped in 10 domains and arranged by maturity level. Based on your current status, you get a score assigned for each domain, which is compared with a desired score set according to your risk tolerance.

A dashboard view creates a fairly simple way to present their status to the executive team. “You can establish a baseline and then repeat the assessment to easily see your progress,” Neece explained, and tying financials to the tasks allows you to calculate return on investment. “That way you can see where your gaps are and see where you are improving. The dashboard allows everyone to quickly understand where you stand without having any background in technology or cybersecurity.” The vendor, Sensato, analyzed Lake Regional’s results and provided them with a prioritization specific to the institution. Together they built a three-year, high-level roadmap based on C2M2 findings.

Neece said once the information was presented in this format, board members were intrigued. “They felt it was insightful,” he said. “Two board members stopped me after a meeting and said they wanted to make sure cybersecurity goes up the list on the agenda in future meetings.”

Neece’s advice to community hospital IT leaders is to make risk assessments like C2M2 the foundation for your cybersecurity priorities and strategy and to develop a baseline that you can then measure against.

