By Emma C. Nehring and Joshua Garvin
What do medical device security, inventory management and equipment recalls all have in common? They are only as good as their most up-to-date information. This affects the accuracy, thoroughness and itemized information recorded in your computerized maintenance management system (CMMS). No matter how “secure” your network is, there is always a possibility for cybersecurity threats. These threats can come in many forms such as zero-day attacks, ever evolving vulnerabilities and the risk of ransomware/viruses.
The introduction of vulnerabilities and recalls on your networked, and non-networked medical devices, introduces risk to the integrity of your medical devices and, most importantly, the security and safety (both physical and information security) of your patients. How quickly and accurately are you going to be able to identify and take action to implement a remediation to protect patient information and well-being? The answer to this question truly depends on your inventory, the information your management system collects and the frequency at which the information is updated.
Q: If I already have a system in place that works for me, why should I switch to CMMS?
A: The top three reasons are safety, security and service. CMMS is a software management solution that maintains a computer database of all networked and non-networked medical device inventory. Being able to quickly populate all devices of a specific metric from your inventory is very important to ensure all affected devices are known when a recall or security threat presents itself. For instance, knowing the exact location of a medical device that has been recalled can save your department time and help to remediate the issue faster and with more confidence that you’ve remediated the correct device. The last thing you want when a recall/security threat is posted, is to miss devices and enable that device to be a risk to patients and staff. CMMS allows in-depth monitoring and analysis of devices on the network and can potentially be used to point out the vulnerabilities before a security breach can occur. As HTM professionals, one of our biggest responsibilities is servicing equipment by performing preventative and corrective maintenance to keep our patients and end-users safe. CMMS can store data on work performed to increase management on the maintenance of devices as well as aid in troubleshooting efforts. With the growing amount of networked medical equipment, it is very important to have data on the medical devices on your network so that the highest level of security is applied.
The metrics that should be included into your CMMS vary and can be tailored to your role/position in your department (manager/technician/engineer) to view the information that is most useful to your needs. While the metrics used to have the best representation of the managed systems can differ depending on the management needs and values, foundational metrics are used to get a quick understanding of the device. Additional metrics create a more thorough understanding of the system as well as protect it, these metrics add value to the CMMS. The foundational metrics may be things like the medical device’s hostname, physical location, IP/MAC address, manufacturer, model and serial number. While the anti-virus/anti-malware status, operating system, responsible technician, and location information add value to the data set, these “value” metrics allow for managers to see a bigger picture of the device/system and can help in remediation and troubleshooting efforts.
Although the impressive dashboards with easy access to information that these new advancements provide us, human relations, continued education, and performance measures are what truly ensures and sustains the long-term accuracy of the CMMS data. It is important to remember data is only as good as the last update. Using the CMMS and keeping it up to date is a team effort between clinical and logistical staff alongside HTM. Continued communication between staff is crucial to ensure that devices coming into the hospital are correctly evaluated, protected and registered to be managed by the CMMS. Software like SQL can be used to filter, pull and organize CMMS data sets that monitor specific information like life cycle, unsupported operating systems, anti-virus/anti-malware, work orders and vulnerabilities. The use of data analytics helps keep devices up to date and secure. Different reporting methods such as Microsoft Power BI reports, can take the tracked analytics and create visuals that can better communicate between departments and provide feedback to HTM professionals on the managed systems. Many CMMS solutions have built in reporting for metrics and medical device data as part of their overall package, so it is crucial to select the CMMS that best meets your needs.
Living in a time of ever evolving, advancing and extensive data gathering that a CMMS can provide us with, the main purpose of the CMMS is to visualize and gain a better understanding of our overall medical system environment. But don’t be fooled, even though a CMMS can provide us with the impression of data being well managed, without continuous monitoring by HTM professionals, management software and communication between staff and departments, you can’t be certain that your inventory is up to date. In the end, you can only ensure the safety of patients and their information by being on top of your medical device inventory.
Emma C. Nehring is a Biomedical Engineer at Charles George VA Medical Center.
Joshua Garvin is the VISN 10 Cybersecurity Lead/Information Systems Biomedical Equipment Support Specialist (IS-BESS) at the Department of Veterans Affairs.
