By MATT DIMINO, MBA, CISM, CRISC

In the current threat landscape, IoMT/OT/IoT (Internet of Medical Things, operational technology, and Internet of Things) devices are an attractive target for cybercriminals. Unfortunately, security projects to thwart these threats and address the risks often take a backseat to other security initiatives, are very slow to adopt, or fail entirely due to cost, complexity, and poor planning. Concurrently, strategies tend to be developed within silos, accountability is often nonexistent, ownership is unclear, and the perceived risk is high, yet little or no proactive action is taken. As we continue to see widespread attacks, we remain hindered by staffing shortages and knowledge gaps, which often prevent healthcare technology management (HTM) from doing anything more than preventive and corrective maintenance (PMs and CMs).
Many assumed that with the rise in ransomware and other cyberattacks, organizations would become more adept at committing the resources necessary to withstand this crisis. Even with anecdotal evidence of increased morbidity and even mortality due to the diversion of patient care caused by cyberattacks, we have seen little evidence of drastic changes occurring with our OEMs and healthcare delivery organizations (HDOs). Given the astonishing breadth of attacks on HDOs, security investments don’t reflect the magnitude of the risk; spending on IoMT device security is held back, leaving organizations open to a debilitating attack.
Those who recognize the importance of investing in a solution often do so by procuring a tool. While this is indeed a strategic and rational decision, these projects often face significant challenges regarding implementation, value realization, and operationalization, which can negate the “solution” aspect of these tools. Today’s cybersecurity tools are expansive in their domain, stretch across numerous stakeholder modalities, are incredibly capable, and should be a foundational part of your cybersecurity practice. Still, they are not a complete solution without assurance and process integration with people.
In an ecosystem of unmanaged, ubiquitous computing devices, the ability to address security and privacy concerns is obscured because most HTM departments simply don’t know where to start. In some HTM departments, considerable forces push you forward with little direction. Others lack support and sponsorship, limiting any real capability for success and maturity. It’s no secret that HTM resources are scarce. While some are fortunate enough to obtain a unicorn or promote from within, this doesn’t account for medical device security, nor will it solve your security problems. Why? Because medical device security is solved by creating a program with leadership sponsorship, strategic alignment, risk management, value delivery, resource management, performance measurement, education, governance, and cultural change, and by operationalizing processes and efforts. A single individual taking orders from IT/IS does very little to reduce risk.
With over 3.2 million IoMT devices deployed in HDOs as of 2021, how will a single resource at a hospital solve your security challenges? It simply won’t happen, and here’s why. That resource will have limited oversight, almost no decision-making authority, mundane tasks assigned to them, a job description that likely won’t reflect what they are actually doing, and limited education and resources. In this converged, intricate environment of interconnected devices, security must be holistic and governed by unity. Medical device security must be centralized, identifying risks and prioritizing efforts with processes and guidelines in place, a clear reporting structure, a strategy and roadmap that all understand and agree to, and the ability to adapt and change when processes aren’t working.
A program is the most necessary component of addressing medical device cybersecurity. The program’s purpose is to execute the strategy and reduce risk to acceptable levels. That’s right, reduce risk, not run around attempting to patch everything, perform exasperating risk assessments, and chase vulnerabilities deep into rabbit holes. A roadmap is another crucial element constructed based on the strategy and consists of a set of high-level objectives or goals and desired outcomes with a plan to achieve them. The strategy and roadmap should be created by leadership. Your Chief Information Security Officer (CISO) is the most likely candidate to put these pieces together, but they are most likely not an expert in medical devices and may not fully understand the capabilities and limitations of medical device security; therefore, HTM involvement in the creation of the program is necessary.
A core component of a medical device security program is strategic alignment, which can be accomplished through a medical device security steering committee. This is a prime opportunity for HTM to engage with IT, Security, and other stakeholders to build out the tactical and operational pieces of the strategy. This is where HTM can bring its A-team and work collaboratively rather than taking orders. Within the steering committee, members can highlight and discuss medical device security risks and the selection and application of appropriate controls, agree on processes and service levels, and define financial, operational, and other constraints. The committee will work to create meaningful metrics, report on action items that can be delivered to executive leadership, address new risks or capabilities, and build rapport with business units while creating a new culture conducive to cybersecurity resilience.
The diverse elements and activities that make up a medical device security program require various internal and external resources to achieve its objectives. Those resources may already exist internally or may need to be outsourced to external service providers. In the context of outsourcing, I am referring to outsourcing some or all of the medical device security program, not the HTM department. Building a program internally will take years, and many underestimate the resourcing needs and costs required to build one. Buying a program creates instant value delivery and resource optimization. Prebuilt programs can come with framework mappings, policies and procedures, performance measurement metrics, service level agreements, program guides, and steering committee oversight.
It’s no secret that medical device security is complex, but First Health Advisory is an industry leader in helping organizations build these programs and optimize their security tools. Our approach is flexible, from fully operationalizing a cyber Center of Excellence (CoE) to utilizing hybrid models to guide and drive HTM and the organization to success. Our programs encompass the use of your or our HTM technicians to operationalize cybersecurity. We have unique capabilities beyond others with training and development, patching strategies and automation, vulnerability management, incident response, governance, and risk management.
To learn more, visit firsthealthadvisory.com.
