By Tommy Lee
The landscape of intelligent devices and equipment in health care facilities is changing rapidly because devices are increasingly intelligent and interconnected. And it’s going to get more difficult to grasp, as Accenture research reports that the Internet of healthcare things (IoHT) is projected to grow by more than 38 percent annually between 2015 and 2020. Additionally, according to a Cybersecurity Ventures report, cybercriminal activity is expected to cause $6 trillion in damages and in response, cybersecurity spend is expected to exceed $1 trillion by 2021.
What are all these devices? Anything foreign that’s connected to the network, including medical devices, support systems, medical robots, intelligent assistants, embedded software systems (i.e., monitoring and control systems), and wearable devices. Some of these IoT devices have further layers of IoT within or between them. The industry has already taken large steps to move from RFID to newer solutions using less expensive sensors and advanced communication methods such as mesh networks or the pervasively deployed Wi-Fi.
This device ecosystem is evolving and poses clear security risks. As a result, customers are paying large sums to security providers like GE and McAfee to add a protection layer and gather data. But is that enough?
I Want What They’re Having
The first question I get in nearly all of my interactions across the healthcare technology management (HTM) industry around securing medical devices through the CMMS is “What is everyone else doing? Because I want to do that.” The truth is that this is a rapidly changing space and there isn’t yet an established industry framework or best practice, though this will surely change in the near future. What I most commonly see is organizations putting a process in place within procurement to gather medical device security information for new equipment, with a separate effort within HTM to gather as much information as possible (e.g., MDS2 documentation) about existing equipment.
Is MDS2 enough?
The Manufacturer Disclosure Statement for Medical Device Security (MDS2) is an increasingly common, but ultimately optional, set of information provided by vendors that communicates the security specifications and protection layers provided within a device model and/or software revision. While this information is currently optional for manufacturers, many health care organizations won’t even consider buying new equipment without the manufacturer providing this data. Although this documentation provides a tremendous amount of information about security capabilities, it doesn’t take into account an organization’s specific configuration or use of a particular device model. This is where the CMMS and manufacturer-provided information intersect.
Should I be budgeting for a cybersecurity analyst?
The hiring of HTM cybersecurity analysts is picking up steam as the responsibilities for securing medical equipment grow in volume and complexity. These individuals typically have a unique hybrid HTM and IT skillset in order to effectively bridge the gap between these departments. These individuals quickly provide a high return on investment as they shoulder the bulk of the burden around cybersecurity while minimally increasing the workload for those around them.
Three steps to increasing HTM security through the CMMS
So, let’s assume that many organizations are gathering a significant amount of cybersecurity information for their devices and they’ve hired individuals to shoulder the growing cybersecurity burden. How does an organization tie all of this together within their CMMS? Accruent’s Medical Device Security Analyzer provides the following capabilities to do just this and to help evolve a health care organization’s cybersecurity program:
PREPARE: The prepare capabilities are designed to enable organizations to gather as much information as possible that contributes to the device or system’s cybersecurity risk, including vulnerabilities and connectivity mechanisms within each element. They are also architected to ensure that equipment is being secured/hardened according to each organization’s security policies. Organizations can then construct risk profile(s) to evaluate against target equipment in order to:
- Identify significant risks or gaps, and track the remediation or mitigation
- Create or update standard operating procedures (SOPs) for technicians onboarding, maintaining and retiring equipment
- Automate the calculation of cybersecurity risk per device, taking into account attributes such as the type of information handled by the device, connectivity types (e.g., Wi-Fi is more exposed than a cabled connection), unique role-based user accounts, capability to be updated, etc.
PROTECT: The key to the best protection is bringing in the right runtime data from monitoring solutions. When your monitoring notes an alert or event of significance, your solution should consume that data, evaluate it by severity and the calculated risk of the affected equipment, and then route it through a workflow suited to your organization and usage. For the best protection you need to predetermine who is alerted or involved for each type of problem, how much time that person has to respond, and what happens if they don’t.
PROGRESS: Get on an overall fitness regimen.
As your program is running, there should be a continual effort to evaluate your organization’s ongoing effectiveness in preparing and protecting. Generate reports on which types of equipment are more prone to attacks. Evolve standard operating procedures. This more sophisticated approach will put you on the path to a maturing cybersecurity program.
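The three steps above (per-device risk calculation and gap identification under PREPARE, severity-times-risk alert routing with owners and response deadlines under PROTECT, and the equipment-type exposure report under PROGRESS) can be sketched as one small scoring model. This is an added example written for this article, not Accruent’s product or its algorithm; the weights, attribute names, tiers, roles and inventory are all constructed assumptions.

```python
from dataclasses import dataclass
# Constructed weights for illustration; a real program tunes them to its own policy.
DATA_WEIGHT = {"none": 0, "operational": 1, "phi": 4}      # what the device handles
CONNECTIVITY_WEIGHT = {"none": 0, "wired": 1, "wifi": 3}   # Wi-Fi more exposed than cable
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3}       # from the monitoring alert
REQUIRED_CONTROLS = ("role_based_accounts", "updatable")   # hypothetical risk profile

@dataclass
class Device:
    asset_id: str
    device_type: str
    data_handled: str          # key of DATA_WEIGHT
    connectivity: str          # key of CONNECTIVITY_WEIGHT
    role_based_accounts: bool  # unique, role-based user accounts present
    updatable: bool            # vendor can deliver patches

def risk_score(d: Device) -> int:
    """Additive 0-10 score: higher means the device is more exposed."""
    score = DATA_WEIGHT[d.data_handled] + CONNECTIVITY_WEIGHT[d.connectivity]
    if not d.role_based_accounts:
        score += 2  # shared logins: no accountability, hard to revoke
    if not d.updatable:
        score += 1  # a published vulnerability cannot be patched away
    return score

def gaps(d: Device) -> list:
    """Controls the profile requires that this device lacks (the remediation backlog)."""
    return [c for c in REQUIRED_CONTROLS if not getattr(d, c)]

def triage(d: Device, severity: str) -> tuple:
    """Alert severity x device risk -> (tier, owner, minutes to respond, escalation)."""
    priority = SEVERITY_WEIGHT[severity] * risk_score(d)
    if priority >= 18:
        return ("P1", "htm_security_analyst", 60, "htm_director")
    if priority >= 8:
        return ("P2", "biomed_technician", 480, "htm_security_analyst")
    return ("P3", "next_scheduled_pm", 4320, "biomed_technician")

def exposure_by_type(devices: list) -> dict:
    """PROGRESS report: mean risk per device type, most exposed first."""
    buckets = {}
    for d in devices:
        buckets.setdefault(d.device_type, []).append(risk_score(d))
    return dict(sorted(((t, sum(s) / len(s)) for t, s in buckets.items()), key=lambda kv: -kv[1]))

INVENTORY = [  # constructed inventory, not real assets
    Device("IP-0001", "infusion pump", "phi", "wifi", False, False),
    Device("IP-0002", "infusion pump", "phi", "wifi", True, True),
    Device("US-0100", "ultrasound", "operational", "wired", True, True),
]
```

Running `triage(INVENTORY[0], "high")` routes a high-severity alert on the unpatched, shared-login Wi-Fi pump to the analyst with a one-hour deadline, while the same alert on the wired ultrasound waits for the next scheduled maintenance.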
– Tommy Lee is the senior director of product strategy at Accruent.