By Tom Stanford
Health care providers are adopting the same mindset as other data-centric industries when it comes to cyber risk: it is not a matter of if, but when, an attack will take place. WannaCry provided a wake-up call for the industry and served as demonstrable evidence of the importance of proactive cybersecurity risk management.
This very public cybersecurity breach made clinical engineering teams reconsider service management best practices as well as the tools and technology they employ to reduce their threat profile. The single goal is better protection for the network-connected medical device fleet and patient data. The percentage of network-connected medical devices is growing at a rapid pace. The American research and advisory firm Gartner predicts that connected medical devices requiring cybersecurity protection will grow 45 percent by 2020. For clinical engineering teams to have a fighting chance of improving the security posture of their medical device fleet, they must carefully consider the software and tools currently in use and embrace modernization and a technology-agnostic approach.
No single technology is a panacea for cybersecurity risk mitigation. The critical common denominator in good cybersecurity remediation across all industries is end-to-end technology and process interoperability. The more seamlessly modern clinical asset management technologies are integrated with IT security operations tools, the lower the likelihood of a major system-wide cybersecurity event.
A lot has been discussed and written on best practices for clinical engineering teams to improve connected medical device security. The focus is generally on traditional areas including audit, device identification, onboarding and monitoring. All of these are essential focus areas. However, contemporary cybersecurity planning must also include an audit and evaluation of the supporting technology portfolio. Here are four steps clinical engineering teams need to take to begin their journey toward a modern, technology-agnostic approach to medical device cyber risk mitigation.
1) Embrace the cloud: It is the health care provider’s prerogative to keep sensitive data and processes locked up in their legacy on-premises infrastructure. The challenge is that medical device data is inherently mobile, is needed simultaneously by multiple stakeholders, and requires automation and analytics that legacy tools and technologies cannot accommodate. The rigid nature of existing solutions and the inability to embrace secure, modern cloud-based technology to store critical medical device data put the clinical engineering team and the health care providers they support at a critical disadvantage.
2) Conduct a data interoperability litmus test: Clinical engineers are working more collaboratively with their peers in IT and information security, playing the role of “boots on the ground” when it comes to mitigating new medical device cybersecurity risks. A deeper level of collaboration depends on the ease of data sharing across the functions, technologies and tools used every day in the environment. Do your current tools and technologies have the right APIs? Can data flow freely from one system to another without heavy lifting on the part of clinical engineering or IT? Do you have to do manual data mining? Is working with your peers hard because the tools and technology are old or don’t work together? These questions are an important part of the litmus test of whether your organization is committed to modernizing or to maintaining the status quo. A technology and tools audit will give you visibility into the answers.
3) Determine the feasibility of standardizing disparate information to establish a common data model: The clinical engineering, IT and information security partnership relies today on a multitude of non-standard nomenclatures, taxonomies and naming conventions, which limit clarity and visibility into the extent of the cybersecurity risk profile for the medical device fleet. Disparate data and non-standard naming make risk mitigation hard or impossible. Managing an expanding number of network-connected medical devices and a greater need for IoT data is not achievable without a common data model. Every day that goes by without a commitment in this area expands the risk profile for the health care provider. Adopt technologies that provide the flexibility and extensibility to convert disparate data easily into one clear data model. Progress in this area will have a positive, cascading effect on risk profile interpretation and cyber remediation activities for the entire medical device fleet. If the process of standardizing disparate data has to be manual, it’s time to retire the technology and move on to a new, modern cloud-based solution.
4) Adopt partner-friendly providers: No technology provider can do everything when it comes to medical device cyber risk mitigation. Technology providers who prioritize the end-user experience over short-term revenue will ultimately win the day. Medical device cyber risk mitigation requires significant back-end systems orchestration, which in turn necessitates strong partnerships among key EAM, CMMS and cybersecurity technology providers. The cybersecurity marketplace affords ample opportunities for best-of-breed providers to team up and provide deeper levels of integration across their tools and solutions, giving clinical engineers more choices for making the health care provider safer.
These four steps should serve as a baseline for any technology or tool audit associated with medical device cyber risk mitigation initiatives. Connected medical devices are becoming increasingly important to safety in patient care and are increasingly susceptible to new cybersecurity threats. Extending the life of your old CMMS tools amounts to putting a square peg in a round hole. This is no longer a viable option for modern clinical engineering teams. The time is now to embrace a technology-agnostic approach.
Tom Stanford is the founder and CEO of Nuvolo.
