By Joseph E. Fishel
Many see risk and vulnerability as the same thing. Risk can be defined as the intentional interaction with uncertainty. Uncertainty is a potential, unpredictable and uncontrollable outcome. Risk is an aspect of action taken in spite of uncertainty. Risk perception is the subjective judgment people make about the severity and probability of a risk and may vary from person to person. Vulnerability can be defined as the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally. Both are a perception or a possibility, but they aren’t the same.
In the medical equipment/cyber field we have several risk categories. Three common ones are PHI risk, clinical risk and mission-critical risk. Combining a device's risk ratings with its identified vulnerabilities gives a more useful measure of risk on which to base decisions.
PHI risk can be broken down into many categories, anywhere from 3 to 18. The category ratings add up to a total risk score, which is identified for each model of device. When entering ratings into your system, don't leave the field blank for a device with no PHI; enter a 0. That way a blank means the device wasn't rated, and you can easily search for devices that still need to be assessed. These ratings are provided by the biomedical department and may differ from institution to institution. Here is an example of categories for rating a device:
Other categories could be the number of USB ports, hard drives, ethernet connections, whether the vendor can VPN into the device and more.
Clinical risk applies to devices that, if they stop working or fail, can cause death or impairment to a patient. Here are the categories and some examples of these devices. It is a Joint Commission requirement to risk-rate your equipment.
Mission-critical risk can differ from site to site. These are devices that put patient care at risk if they go down. Some hospitals are designated as a stroke center, so the CT scanner has to be up all the time. Should one of these CTs develop a cyber risk, it can force the hospital to go on bypass, delaying the patient's diagnosis and care and affecting the revenue stream. If a hospital has too many bypasses because of down equipment, it loses this certification and credentialing. This is a yes-or-no question for each device: either it is mission critical or it isn't. Again, each facility/biomed department decides this.
IS/IT is not immune to risk categories. Disaster recovery is a process that IT/IS departments use to identify the risk if a server goes down. It looks at the impact to the organization, and each device or application is given a rating. This creates a priority list for returning devices to service. A server is only important because of the applications running on it, such as a DNS server, EHR application, billing application, PACS, EKG storage, etc. These can be rated by tiers with numerical scales. I have often seen where 0 identifies the most vulnerable device, with 1 being lower, 2 being lower still, and the numbers progressing as the level of risk drops. Biomedical application servers and some devices can be included in the tier ratings. The disaster recovery team has this information. If a device has even a hint of a vulnerability and it is listed as a tier 0 device, then it is a major issue.
Using the risk categories together with the cyber vulnerability gives you a way to prioritize your devices for the next time a vulnerability hits and leadership wants to know what the risk is. Combining the vulnerability with the tier helps identify whether it is a minor issue or a major event.
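The following is an added example, not code from the article or its author, showing how the ratings described above can be combined in an inventory to produce a priority list when a vulnerability is announced for certain device models. It also enforces the "blank means unrated, 0 means no PHI" rule so that unassessed devices surface as a backlog instead of silently scoring as safe. The PHI category names, the clinical scale, the device models and the cut-off rules that decide "major event" versus "minor issue" are all constructed for illustration; each facility's biomed and disaster-recovery teams set their own.

```python
"""Prioritize medical devices by combining risk ratings with a known vulnerability.

Added example. Category names, weights, device models and classification rules
are assumptions chosen for illustration, not any institution's real ratings.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Assumed PHI categories; biomed rates each 0..3. None models a blank field.
PHI_CATEGORIES = ("stores_phi", "transmits_phi", "removable_media",
                  "network_connected", "vendor_remote_access")

# Assumed clinical-risk scale (higher weight = greater patient impact).
CLINICAL_WEIGHT = {"high": 3, "medium": 2, "low": 1}


@dataclass
class Device:
    asset_id: str
    model: str
    phi: Dict[str, Optional[int]]   # category -> rating, None when left blank
    clinical_risk: str              # "high" / "medium" / "low"
    mission_critical: bool          # yes/no, decided per facility
    dr_tier: Optional[int]          # disaster-recovery tier, 0 = most critical


def phi_total(phi: Dict[str, Optional[int]]) -> Optional[int]:
    """Sum the PHI ratings; return None if any category is still blank (unrated).

    A device with no PHI must be entered as 0 in every category, so a None here
    always means 'not assessed yet' rather than 'no PHI'.
    """
    values = [phi.get(category) for category in PHI_CATEGORIES]
    if any(v is None for v in values):
        return None
    return sum(values)


def needs_assessment(device: Device) -> bool:
    """True when at least one PHI field was left blank."""
    return phi_total(device.phi) is None


def assessment_backlog(devices: Iterable[Device]) -> List[str]:
    """Asset IDs that biomed still has to rate (the 'search on blanks' check)."""
    return [d.asset_id for d in devices if needs_assessment(d)]


def classify(device: Device, vulnerable_models: Set[str]) -> str:
    """Combine the vulnerability flag with tier and risk ratings (assumed rules).

    Tier 0, mission-critical, or high clinical risk on an affected model is a
    major event; any other affected device is a minor issue.
    """
    if device.model not in vulnerable_models:
        return "not affected"
    if device.dr_tier == 0 or device.mission_critical:
        return "major event"
    if device.clinical_risk == "high":
        return "major event"
    return "minor issue"


def priority_key(device: Device, vulnerable_models: Set[str]) -> tuple:
    """Sort key: affected first, then lowest tier number, mission critical,
    clinical weight, and finally PHI total (unrated counts as 0 for ordering)."""
    affected = device.model in vulnerable_models
    tier = device.dr_tier if device.dr_tier is not None else 99
    phi = phi_total(device.phi) or 0
    return (0 if affected else 1, tier, 0 if device.mission_critical else 1,
            -CLINICAL_WEIGHT[device.clinical_risk], -phi)


def prioritize(devices: Iterable[Device], vulnerable_models: Set[str]) -> List[Device]:
    """Return devices ordered from most to least urgent for leadership."""
    return sorted(devices, key=lambda d: priority_key(d, vulnerable_models))


# Constructed sample inventory (model names and ratings are made up).
INVENTORY = [
    Device("A-1001", "CT-2000", {"stores_phi": 3, "transmits_phi": 3, "removable_media": 1,
                                 "network_connected": 3, "vendor_remote_access": 2},
           clinical_risk="medium", mission_critical=True, dr_tier=1),
    Device("A-1002", "PUMP-X", {"stores_phi": 1, "transmits_phi": 1, "removable_media": 0,
                                "network_connected": 2, "vendor_remote_access": 0},
           clinical_risk="high", mission_critical=False, dr_tier=None),
    Device("A-1003", "MON-7", {"stores_phi": 0, "transmits_phi": 0, "removable_media": 0,
                               "network_connected": 1, "vendor_remote_access": 0},
           clinical_risk="medium", mission_critical=False, dr_tier=2),
    Device("A-1004", "EKG-CART", {"stores_phi": 2, "transmits_phi": None, "removable_media": 1,
                                  "network_connected": 1, "vendor_remote_access": 0},
           clinical_risk="low", mission_critical=False, dr_tier=None),
]

# Constructed placeholder: models named in a hypothetical vulnerability notice.
VULNERABLE_MODELS = {"CT-2000", "PUMP-X", "EKG-CART"}


if __name__ == "__main__":
    print("Needs PHI assessment:", assessment_backlog(INVENTORY))
    for d in prioritize(INVENTORY, VULNERABLE_MODELS):
        print(d.asset_id, d.model, "PHI=", phi_total(d.phi), "->", classify(d, VULNERABLE_MODELS))
```

Running the script lists the one device with a blank PHI field first as backlog, then orders the affected devices with the mission-critical CT at the top, the high-clinical-risk pump next, and the unaffected monitor last, with each line labelled major event, minor issue or not affected.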
© 2018, TechNation Magazine. Site designed by MD Publishing, Inc.