By Joseph E. Fishel, CBET, MBA
If you don’t know where you are, you don’t know if you are moving forward, sideways or backwards. Fred Bear was an early pioneer in archery. He was known for his accuracy. He could even hit moving targets out of the air with a single arrow. He could see his targets. If he were blindfolded and unable to see his target, his chance of success would drastically decline. He might even hit a bystander. Hitting the target in cybersecurity doesn’t have to be hit or miss. And, I think we are heading in the right direction.
Establishing a strategic plan is critical for success and for keeping from wasting time, money and effort. Knowing what your facility's current IS/IT cybersecurity plan is, and what it will be in the future, is critical. A plan can be developed in conjunction with your IS/IT team that covers how to protect systems, identify vulnerabilities and respond to attacks. Enforced policies and procedures, along with Know Do Shares (KDS) that communicate what can, should or will be happening, are a great way to prepare.
When I am preparing for a Joint Commission inspection, I list all of the Joint Commission standards on a spreadsheet. I then look at each standard, compare it to my Medical Equipment Management Plan (MEMP) and identify the section that addresses how I meet the standard. Beside each standard, I enter the section of my MEMP, creating a crosswalk. If the standard isn't under my direction, I list a policy/procedure or where documentation can be found. With a new standard, I may find that I have not yet created a policy/procedure, or that an existing one falls short and needs to be updated to adhere to the new standard.
So, what standards can I use to build a cybersecurity plan on? There are several sources of guidelines that can be used to develop a plan. Here are a few: National Institute of Standards and Technology Special Publication 800 (NIST SP 800), COBIT 5, CIS Critical Security Controls and ISO/IEC 27001. Using a standard, or a combination of standards, is a great way to develop a cybersecurity program. I would suggest finding out which guidelines the IS/IT team uses.
As you identify a standard, you may find that the IS/IT team already has a standard/procedure or policy in place that covers everything except biomedical equipment. Some tweaks or inserts may be needed to incorporate biomedical equipment or a separate plan may need to be implemented. For example, most IS/IT departments have a policy against plugging a cellphone or tablet into system-owned computers. Adding biomedical equipment to the policy puts everything on one page and shows unity. There will be some things that are unique to biomedical equipment that can be addressed separately.
So, where are you with your plan? How mature/developed is it? Once you identify "the standard," measure the plan on a scale using colors and numbers.

Many professionals use the Plan-Do-Check-Act (PDCA) cycle. Its stages can be scored with colors and numbers that carry a defined meaning. For example:
- 0 Maroon – nothing is in place.
- 1 Red – something is being done but it’s not documented in a process.
- 2 Orange – there is a managed process, but it’s not fully documented.
- 3 Yellow – there is an established policy and procedure but little history.
- 4 Light Green – a process is in place and data is being examined to see if it can be improved.
- 5 Dark Green – an optimized or complete process is in place that provides measurements and improvement information.
Once the program is scored, a baseline is created to work from, and metrics can be generated to measure progress for reports to administration.
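As an added illustration (not from the article), the following Python scores a constructed sample crosswalk on the 0-5 scale above, flags gaps and reports progress between a baseline and a follow-up assessment; the control names, section references and scores are made up for the example.

```python
# Added example, not from the article: score a control crosswalk on the
# 0-5 maturity scale, list gaps, and report progress between two assessments.
from statistics import mean

# Maturity scale as described in the article: score -> color.
MATURITY = {0: "Maroon", 1: "Red", 2: "Orange", 3: "Yellow",
            4: "Light Green", 5: "Dark Green"}

# Constructed sample crosswalk (hypothetical controls and references):
# control -> (MEMP section or IS/IT policy that addresses it, or None, score).
BASELINE = {
    "Asset inventory":        ("MEMP 4.1", 4),
    "Vulnerability scanning": ("IS/IT policy VS-01", 2),
    "Incident run book":      (None, 0),
    "Removable media":        ("IS/IT policy RM-03", 3),
}
FOLLOW_UP = {
    "Asset inventory":        ("MEMP 4.1", 4),
    "Vulnerability scanning": ("MEMP 7.2", 3),
    "Incident run book":      ("MEMP 8.1", 1),
    "Removable media":        ("IS/IT policy RM-03", 3),
}

def gaps(crosswalk):
    """Controls with nothing mapped, or scored below 'established' (3)."""
    return sorted(c for c, (ref, score) in crosswalk.items()
                  if ref is None or score < 3)

def summarize(crosswalk):
    """Baseline metrics suitable for a report to administration."""
    scores = [score for _, score in crosswalk.values()]
    return {"average": round(mean(scores), 2),
            "lowest": min(scores),
            "unmapped": sum(1 for ref, _ in crosswalk.values() if ref is None),
            "gaps": gaps(crosswalk)}

def progress(before, after):
    """Per-control change in maturity between two assessments, one line each."""
    lines = []
    for control in sorted(before):
        b, a = before[control][1], after[control][1]
        trend = "up" if a > b else "down" if a < b else "unchanged"
        lines.append(f"{control}: {b} {MATURITY[b]} -> {a} {MATURITY[a]} ({trend})")
    return lines

if __name__ == "__main__":
    print(summarize(BASELINE))
    print("\n".join(progress(BASELINE, FOLLOW_UP)))
```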
Developing run books for situations or incidents is one way of identifying who, what, when, where and how to react to viruses, malware, infections and other situations. This includes escalation plans, communication plans and remediation plans, as well as who does what and when. IS/IT may have a vulnerability scanning program that can be used as a helpful tool. Identifying when the scan is run, and how vulnerabilities found on medical equipment are remediated, can be a run book in itself. Every situation should be listed, and it should be determined whether it is a new situation or mirrors an existing one and needs to be added to the run book. Sitting down and doing tabletop exercises can help define and refine procedures.
Remember, the next vulnerability is right around the corner. As I was writing this “Microsoft Wormable Vulnerability” appeared on my monitor.
Joseph E. Fishel, CBET, MBA, is a Healthcare Technology Systems Manager for Sutter Health eQuip Services.

