By Heidi Horn

Medical equipment cybersecurity is the hot topic in the healthcare technology management (HTM) industry these days, and with good reason. Cyber threats against health care providers have increased significantly in recent years, forcing medical equipment manufacturers and those who maintain the equipment to develop products, tools and processes to mitigate the risks.
Based on discussions occurring within the government and accreditation organizations like The Joint Commission, many leaders in the HTM industry speculate that it is only a matter of time before regulatory agencies will begin to move more of their cybersecurity recommendations for hospitals from “nonbinding” to regulated requirements.
“The HTM community has known for years that it’s necessary for hospitals to protect their clinical equipment from hackers and malware, but there is general agreement among those that follow the topic that we will soon see more suggestions and standards become regulations,” says Barbara Maguire, vice president of quality and healthcare technology management at ISS Solutions Inc.
While many in the HTM industry feel overwhelmed by this prospect, ignoring the issue will not make it go away. Fortunately, developing an effective medical equipment cybersecurity program can be accomplished with a tool you should already have – your computerized maintenance management software (CMMS).
“The first and maybe most important step in setting up an effective medical equipment cybersecurity program is to make sure all the medical equipment your hospital owns or leases long-term is inventoried in your CMMS, especially if it is networked,” Maguire says. “That includes often forgotten devices in your medical offices and ambulatory care centers.”
Along with a complete and accurate inventory, hospitals should capture pertinent security information for each device so that when vulnerabilities or alerts are found, affected devices can quickly be identified. This includes whether the device is networked, its IP and MAC address, its ePHI capabilities, and its operating system.
Emphasizing this point, the U.S. Federal Bureau of Investigation (FBI) conducted its own research into how hospitals should protect their medical equipment and released a report last year that listed a number of cybersecurity recommendations including:
- Maintain an electronic inventory management system for all medical devices and associated software, including vendor-developed software components, operating systems, version and model numbers.
- Use inventory results to identify critical medical devices, operational properties and maintenance timeframes.
- Consider replacement options for affected medical devices as part of the purchasing process; if replacing the medical device is not feasible, take other mitigation precautions, such as isolating the device from the network or auditing the device’s network activities.
Those in HTM know that it’s much easier said than done to capture all this data, and even more difficult to keep it up to date. There are different “checkpoints” in a device’s life cycle that are particularly important in collecting the pertinent data to help protect it.
Medical Equipment Cybersecurity Checkpoints:
- Onboarding – working with supply chain, the receiving dock, and other departments involved in equipment purchasing, all HTM departments should have a process in place to be notified when new equipment arrives and is being installed so that it can be inventoried, tagged and added to the CMMS with all required information.
- During Maintenance – anytime a device receives maintenance – whether it’s planned maintenance (PM) or corrective – the technician should verify that the CMMS contains up-to-date information about the device, including its IT components. This data check should be part of maintenance checklists to ensure this task is not forgotten. Remember that it’s always easier to get the information when the device is in front of you versus having to go find it later when missing data is identified.
- Regular Scheduled Inventory Audits – it’s now considered a best practice to do a manual sweep of the hospital’s medical equipment at least every few years to verify that the inventory and its associated data are accurate. If your validation process during checkpoints one and two is being followed closely, you can limit this manual audit to devices that have not been seen since the last audit, and perform visual audits in departments to look for un-inventoried devices that slipped through the cracks.
- Disposal – an often-forgotten but critical step in a device’s life cycle is to document its proper disposal in the CMMS. This includes documenting that ePHI stored in the equipment was properly removed.
No matter how important accurate data is, finding and entering the data is not always a technician’s favorite part of his/her job. Therefore, you want to make sure certain fields are required in your CMMS so that pertinent data is captured and/or verified during each of these checkpoints. Depending on which CMMS you use, you also may be able to build in workflows and checklists that automatically instruct your technicians what data they need to collect and/or validate during each checkpoint, as well as automatically fill in certain data points associated with the make/model.
“We spent a lot of time configuring our CMMS – Nuvolo – to streamline collection of this data and to develop risk criteria so we can focus our resources on the riskiest devices,” Maguire says. “This has helped us tremendously in keeping the inventory accurate.”
Once your inventory and its data are accurate, you can then begin the process of assessing the equipment’s cybersecurity risk and documenting it in your CMMS. Don’t forget about those non-networked mobile devices that store ePHI. If they go missing, you still need to report it to the Office of Inspector General (OIG) if enough patient records go missing with them.
If your CMMS is configurable, you’ll also want to build in workflows that allow you to quickly identify all devices impacted by a cybersecurity threat and generate work orders (if mitigation steps are needed) that are assigned to the proper team(s) on each affected device.
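The required-field check and the threat-to-work-order workflow described above, as an added illustration that is not part of the original article or any particular CMMS product. The record layout, the device records and the advisory are all constructed for the example; the field names are assumptions, not a vendor's schema.

```python
# Security attributes the article says each CMMS record should carry.
REQUIRED_SECURITY_FIELDS = ("networked", "ip", "mac", "stores_ephi", "os")

def missing_fields(device):
    """Fields a technician must still capture or verify at a checkpoint."""
    required = set(REQUIRED_SECURITY_FIELDS)
    if device.get("networked") is False:   # a non-networked device has no IP/MAC to record
        required -= {"ip", "mac"}
    return sorted(f for f in required if device.get(f) in (None, ""))

def checkpoint_validation(inventory):
    """Map asset tag -> missing fields, for records that fail the required-field check."""
    gaps = {d["tag"]: missing_fields(d) for d in inventory}
    return {tag: m for tag, m in gaps.items() if m}

def impacted_devices(inventory, advisory):
    """Match an advisory (affected make/model and/or operating system) against the inventory."""
    return [d for d in inventory
            if (d["make"], d["model"]) in advisory["models"] or d.get("os") in advisory["os"]]

def generate_work_orders(inventory, advisory):
    """One work order per affected device, routed to the team that supports it."""
    return [{"advisory": advisory["id"], "tag": d["tag"],
             "device": f'{d["make"]} {d["model"]}', "location": d["location"],
             "assigned_to": d["support_team"], "in_use": d["in_use"],
             "mitigation": advisory["mitigation"]}
            for d in impacted_devices(inventory, advisory)]

# Constructed sample CMMS records and a constructed advisory; not real devices or a real alert.
INVENTORY = [
    {"tag": "MED-001", "make": "ExampleCo", "model": "Pump-X", "location": "ICU",
     "support_team": "HTM-ICU", "in_use": True, "networked": True,
     "ip": "10.0.5.21", "mac": "00:11:22:33:44:55", "stores_ephi": True, "os": "Windows 7"},
    {"tag": "MED-002", "make": "ExampleCo", "model": "Monitor-Y", "location": "ER",
     "support_team": "HTM-ER", "in_use": True, "networked": True,
     "ip": "", "mac": "00:11:22:33:44:66", "stores_ephi": True, "os": "Linux"},
    {"tag": "MED-003", "make": "OtherCo", "model": "Ultrasound-Z", "location": "Clinic A",
     "support_team": "HTM-Ambulatory", "in_use": False, "networked": False,
     "stores_ephi": True, "os": "Embedded"},
]
ADVISORY = {"id": "ADV-EXAMPLE-1", "models": {("ExampleCo", "Pump-X")}, "os": {"Windows 7"},
            "mitigation": "Isolate from the network and audit its network activity"}

if __name__ == "__main__":
    print("records missing required data:", checkpoint_validation(INVENTORY))
    for wo in generate_work_orders(INVENTORY, ADVISORY):
        print("work order:", wo)
```

Running it flags MED-002 for a blank IP address (the kind of gap a maintenance checklist should force the technician to fill in) and raises one work order, for the ICU pump, assigned to the team that supports it.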
Many hospitals also have purchased security monitoring software that not only monitors the network for cyber threats but also identifies new devices added to the network and changes in their IT components, such as an operating system upgrade. Taking that one step further, hospitals can also integrate some CMMS products with their network monitoring tool so that the information feeds directly into their CMMS, enabling them to monitor cyber threats from their CMMS and automatically issue work orders for threats with pertinent information such as the type/make/model and location of the device, who supports it, and whether it’s in use. This integration also feeds information on newly discovered networked devices and changes to IT components into the CMMS, effectively keeping the data updated.
“Having visibility of a device and its details is only the first step in cyber risk reduction,” states Ty Greenhalgh, HCIPP, healthcare industry principal at Medigate by Claroty. “With adversaries increasing their attack speed, efficient operationalization to mitigate vulnerabilities at scale will only come from an integrated workflow tool like a CMMS.”
With that in mind, Greenhalgh stresses that HTM organizations wanting mature medical equipment cybersecurity programs should also be able to assess each device’s cybersecurity risk and document it in their CMMS, apply appropriate protections based on those risks and document them in their CMMS, and enable workflows in their CMMS that help orchestrate fast responses to threats.
Whether you’re a large health system or a small stand-alone hospital, you have a responsibility as a health care provider to protect the privacy and safety of your patients, and you should implement a medical equipment cybersecurity program.
Maguire agrees, “The robustness of your medical equipment cybersecurity program is dependent on the resources and risk tolerance of the organization, but doing nothing is no longer an option.”
Heidi Horn, MA, AAMIF is president of Heidi Horn HTM Consulting LLC. Horn currently serves on the AAMI Board of Directors Executive Committee as treasurer.
