search.noResults

search.searching

saml.title
dataCollection.invalidEmail
note.createNoteMessage

search.noResults

search.searching

orderForm.title

orderForm.productCode
orderForm.description
orderForm.quantity
orderForm.itemPrice
orderForm.price
orderForm.totalPrice
orderForm.deliveryDetails.billingAddress
orderForm.deliveryDetails.deliveryAddress
orderForm.noItems
Clinical engineering


safely and securely, enabling EBME departments to maintain them, while protecting patients and allowing clinicians to provide the best levels of care. “We looked at the types of devices that have


very critical vulnerabilities. We found that many were very close to patients, such as cardiac rhythm management machines, CT machines and IV pumps. IV pumps are complicated devices, but often we do not think of them as such. These really complex devices are treating people, but often they are not secured,” Chad continued. Patients are not being directly attacked, but the primary motive of attackers is money. Cyber criminals will drive revenue in three ways – through ransomware (bringing down the whole system and then demanding money to bring it back up); selling personal data on the black market (which can be used for fraud); or using data for extortion (this approach is relatively new). The latter targets the records of famous people and politicians, for example. “In the US, around 50% of ransoms are paid,


which is why we have a ransomware problem now. If you pay the ransom, they are going to keep going after it. Ransoms have gone from several thousand dollars to half a million dollars or more on average. “We often see that a ransom is somewhere in the $250,000 to $500,000 range, because that is what hospitals can spend without having to go to the board. They can write the cheque, be back online that afternoon, and sometimes not even report it to the FBI or other places,” he commented. He pointed out that patients are not harmed


because they are attacked directly, but because the devices treating them are taken offline – there is a direct impact on patient care. He pointed out that studies show there are increased mortality rates during a cyber-attack, due to system outages. Furthermore, if patients cannot access care, they are diverted to other hospitals, so there is a ripple effect. “The worst-case example we have, here, is


the Ireland HSE ransomware attack in 2021. It hit over forty hospitals, encrypted 80% of their IT systems, and it took five months recovery time. Anyone know how Ireland is doing now? Not good; they have been hit recently with another data breach because one of their third-party suppliers did not secure their environments. We need to start sharing the stories of how they happen, so we can start to collect information.” Chad commented. “In the future, many of you will have a role in securing these devices…We’re finding that the data that helps security teams, can also be very helpful for medical engineering teams, however. If we start to work with the security tools, we can also improve your efficiency.” He explained that this includes:


l Device discovery and location. l Integration and reconciliation of computerised maintenance management systems (CMMS).


l Device utilisation and patch management. l Vendor tracking and preventative maintenance.


“Because these devices are ‘chatty’, we can see when they are operational; we can see when a device is online, when it is offline; identify the optimum time to take it offline and how often it is being used. If you have a thousand IV pumps, for example, and you have to order more, we can help with procurement, by establishing how many more you actually need or where there may be devices that are underutilised that could be shifted around. Alternatively, if you need to perform widespread maintenance, we can give you the exact details of when the device is used, how it is being used, and when it is best to take it offline,” Chad explained. He concluded with some immediate actions that can be taken. Firstly, Trusts that are using CMMS/ e-Quip systems will have access to data that can tell them a great deal about the security vulnerabilities that they are facing. “If you take a ‘data dump’ of a CMMS, you


can tell – based on manufacturer, version number and a couple of other basic pieces of information – the level of risk that your organisation is facing. It is not comprehensive, but it is quick and effective. We can undertake a full analysis of your CMMS in under a week,


no data exposure, no sensitive data, and you can have your first step in securing your environment,” Chad explained. The second action is to address the problem


of unknown devices in your environment. “Is there anyone that is not afraid of unknown


devices in their environment? Right, no hands… If you want to start to discover these devices, this can be done very quickly. The way the technology works is to start listening to the network traffic in a non-intrusive way and you build out an inventory over the course of about a month,” Chad continued. “You get a really good reading in the first


couple of days, based on the ‘chattiness’ of those devices but then, about a month later, all of those devices will have ‘phoned home’ or connected with something, which will tell you what the devices are, where they are, and whether they need patches etc.” Finally, to become more mature in terms of


security, cyber security and IT network teams can start to undertake CMMS reconciliation. “We can take the CMMS system, at your Trust, and start to cross reference the data. We can then tell you that, instead of the eight hundred pumps that you think you have, you actually have nine hundred and thirty-seven and ‘here are the missing ones’. In addition, if you have a procurement effort coming up, where you need to buy new machines, we can tell you that these twelve are underutilised and you can backfill with those instead,” he commented. Ultimately, the take-home message for


delegates, was that healthcare providers must assume they are constantly under attack. There were over 750 successful cyber-attacks reported in the US last year – around two a day. In addition, one out of eight people in the US had their private information stolen last year. “The US is the most targeted, but we are seeing attackers focusing on the UK and other first world nations as well; it is a consistent threat,” Chad concluded. In addition to the conference, EBME Expo


also included a large exhibition of the latest innovations and solutions, from over 130 exhibitors. Over 85% of exhibition space has already been sold for EBME Expo 2024, with many new and exciting companies coming along to showcase their latest technology. Next year’s event will take place on 26-27 June. For further information on the 2024 event, please visit: www.ebme.co.uk


CSJ


Reference 1. Cynerio, 2023 State of NHS Trust IoT Device Security Report, Accessed at: https://www. cynerio.com/nhs-trusts-iot-security-report- cynerio-only


September 2023 I www.clinicalservicesjournal.com 47


Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32  |  Page 33  |  Page 34  |  Page 35  |  Page 36  |  Page 37  |  Page 38  |  Page 39  |  Page 40  |  Page 41  |  Page 42  |  Page 43  |  Page 44  |  Page 45  |  Page 46  |  Page 47  |  Page 48  |  Page 49  |  Page 50  |  Page 51  |  Page 52  |  Page 53  |  Page 54  |  Page 55  |  Page 56  |  Page 57  |  Page 58  |  Page 59  |  Page 60  |  Page 61  |  Page 62  |  Page 63  |  Page 64  |  Page 65  |  Page 66  |  Page 67  |  Page 68  |  Page 69  |  Page 70  |  Page 71  |  Page 72  |  Page 73  |  Page 74  |  Page 75  |  Page 76