By Joseph E. Fishel
Many see risk and vulnerability as the same thing. Risk can be defined as the intentional interaction with uncertainty. Uncertainty is a potential, unpredictable and uncontrollable outcome. Risk is an aspect of action taken in spite of uncertainty. Risk perception is the subjective judgment people make about the severity and probability of a risk and may vary from person to person. Vulnerability can be defined as the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally. Both are a perception or a possibility, but they aren’t the same.
In the medical equipment/cyber field we have several risk categories. Three common risk categories are PHI risk, clinical risk and mission-critical risk. Combining these risk categories with an identified vulnerability on a device gives a better measure of risk to base decisions on.
PHI risk can be broken down into many categories, anywhere from 3 to 18. The categories add up to a total risk score. This risk is identified for each model of device. When entering ratings into your system, don’t leave the field blank for a device with no PHI; enter a 0. That way a blank means the device wasn’t rated, and you can easily search for devices that still need to be assessed. These ratings are provided by the biomedical department and may differ from institution to institution. Here is an example of categories for rating a device:
- Accessibility of the equipment. Is it bolted down such as a CT scanner, somewhat mobile such as an ultrasound or totally portable such as a laptop?
- How many PHI fields are on the device: 1-3, 4-8, or 9 or more. Many of these are personal information (PI) or protected health information (PHI). There are 1,750 fields in the header of a DICOM file, so devices that store DICOM files always rate high.
- How many records can the device retain: 1 to 50, 51 to 499, or over 500. If the device is lost, stolen or hacked, these devices are highly reportable and carry major fines. I have seen fines of $4,000 per file, so if a device has over 500 files this can be a $2 million fine for one device.
Other categories could be the number of USB ports, hard drives, ethernet connections, whether the vendor can VPN into the device and more.
Clinical risk is defined by whether a device that stops working or fails can cause death or impairment to a patient. Here are the categories and some examples of these devices. It is a Joint Commission requirement to risk-rate your equipment.
- Life support is the highest. Examples include defibrillators, ventilators and anesthesia units.
- High-risk devices can be lab analyzers, imaging equipment and IV pumps.
- Medium-risk devices can be patient monitors and vital signs monitors.
- Low-risk devices include sequential compression devices, beds, stretchers, OR tables and other devices that can be swapped out when they fail.
- No-risk devices are devices such as centrifuges, tube shakers and lab incubators.
Mission-critical risk can differ from site to site. These are devices that put patient care at risk if they go down. Some hospitals are designated as a stroke center, so the CT scanner has to be up all the time. Should one of these CTs develop a cyber risk, it can cause the hospital to go on bypass, delaying patients’ diagnoses and care as well as affecting the revenue stream. If a hospital has too many bypasses for down equipment, it loses this certification and credentialing. This is a yes or no question for each device: yes, it is mission critical, or no, it isn’t. Again, each facility/biomed department decides this.
IS/IT is not immune to risk categories. Disaster recovery is a process that IT/IS departments use to identify the risk if a server goes down. It looks at the impact to the organization, and each device or application is given a rating. This creates a priority list for returning devices to service. A server is only important because of the applications running on it, such as a DNS server, EHR application, billing application, PACS, EKG storage, etc. These can be rated by tiers with numerical scales. I have often seen where 0 identifies the most vulnerable device, with 1 being lower, 2 being lower still, and then progressing in numbers as the level of risk drops. Biomedical application servers and some devices can be included in the tier ratings. The disaster recovery team has this information. If a device has even a hint of a vulnerability and it is listed as a tier 0 device, then it is a major issue.
Using the risk categories and the cyber vulnerability together gives you a way to prioritize your devices for the next time a vulnerability hits and leadership wants to know what the risk is. Combining the vulnerability and the tier helps identify whether it is a minor issue or a major event.
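As an added example (not code from the article or its author), here is a small Python model of the prioritization described above: the PHI categories summed into a score with a blank kept distinct from 0, the clinical and mission-critical ratings, the disaster-recovery tier with 0 as most critical, and a known vulnerability turned into a priority for the list leadership asks for. The point values per band, the priority thresholds and the device fields are assumptions, not the article's.

```python
from dataclasses import dataclass
from typing import Optional
# Assumed point values per band; the article names the bands, not the points.
ACCESS = {"fixed": 1, "mobile": 2, "portable": 3}   # bolted CT / ultrasound / laptop
FIELD_BANDS = ((3, 1), (8, 2))      # PHI fields: 1-3 -> 1, 4-8 -> 2, 9 or more -> 3
RECORD_BANDS = ((50, 1), (499, 2))  # records: 1-50 -> 1, 51-499 -> 2, over 500 -> 3
def band(value: int, bands) -> int:
    # Map a count into one of the article's bands; 0 means nothing retained.
    if value <= 0:
        return 0
    for upper, score in bands:
        if value <= upper:
            return score
    return len(bands) + 1

@dataclass
class Device:
    model: str
    access: str
    phi_fields: Optional[int]  # None = blank, not yet rated; 0 = rated, no PHI
    records: Optional[int]
    clinical: str              # none / low / medium / high / life_support
    mission_critical: bool
    dr_tier: Optional[int]     # disaster-recovery tier, 0 = most critical
    vulnerable: bool = False   # a current advisory applies to this model

def phi_score(d: Device) -> Optional[int]:
    """Total PHI score, or None while any PHI category is still blank."""
    if d.phi_fields is None or d.records is None:
        return None
    if d.phi_fields == 0:
        return 0
    return ACCESS[d.access] + band(d.phi_fields, FIELD_BANDS) + band(d.records, RECORD_BANDS)

def priority(d: Device) -> str:
    """Assumed triage rule combining the vulnerability with the risk categories."""
    phi = phi_score(d)
    if phi is None:
        return "assess"   # blank rating: cannot be prioritised until it is rated
    if not d.vulnerable:
        return "none"
    if d.mission_critical or d.dr_tier == 0 or d.clinical == "life_support":
        return "major"
    if phi >= 7 or d.clinical == "high":
        return "elevated"
    return "minor"

ORDER = {"major": 0, "elevated": 1, "assess": 2, "minor": 3, "none": 4}
def triage(devices):
    return sorted(((d.model, priority(d)) for d in devices), key=lambda mp: ORDER[mp[1]])
```

`triage` returns (model, priority) pairs with the most urgent first, and devices still carrying a blank PHI rating surface as "assess" rather than silently dropping to the bottom.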
