By Joseph E. Fishel, CBET, MBA
Senior leadership and the IS department often ask the biomed/clinical engineering department the following questions: Where are you in biomedical or clinical engineering with your cyber plan? Do you have one? Many don’t know where to start, as much of this is uncharted ground and every facility is different or has its own nuances. We have to look at what is happening today and also at what is changing in the industry as well as in our own facility. What changes are being planned for your network in the future, and how will they affect your medical devices? This often works two ways. The first is securing the devices on the network and providing protection. The second is securing the network so that only qualified devices are allowed on it. Medical equipment may not meet the standards that IS has planned, so identifying changing parameters is critical.
First, you need to identify where you are in your enterprise with your IT/IS team: what are they doing presently for protection and detection? Are they looking to make changes to the existing network, or are they looking to move to a new platform? What security steps will be changing? Will they be going to a higher level of security verification? Finding out the exact standards is very important. If they are moving to a PEAP/SHA-2 requirement, your next step is to determine what equipment will meet that standard and what equipment won’t. As you start gathering information, it helps to create fields in your CMMS to track what you have and to document changes or updates. Then, look to see whether equipment that will not meet the standard can be modified. For example, a device that is not compatible could become compatible with a new network card. Recording this in the CMMS makes it easier to track compliance.
You will need to create fields in your CMMS to document this along with other fields. As you start identifying the fields you need to record, keep in mind that there are everyday settings that need to be documented on how the device is set up. There are also fields that will be used to filter the different ways a device is connected, for mitigation and remediation of network protection. Sometimes fields need to be added that become very valuable when an attack is identified. Being able to quickly identify which devices are vulnerable to that particular attack is critical. So, while it may seem labor intensive to collect this information, it will save you from going on an Easter egg hunt and having to look at every device to see whether it is affected.
As you identify devices that won’t meet the standards, start talking to manufacturers about the new standards and see if the devices can be upgraded. Make sure that the new standards are made available to your purchasing department and have the IS requirements updated. The sooner you start applying the changes to new equipment purchases, the sooner you start meeting a higher level of cybersecurity. If your current vendor can’t meet the new standards, then it’s time to go shopping. There are vendors out there still selling devices that run embedded XP, which is no longer supported by Microsoft.
Some of the fields or categories you may want to consider for your cybersecurity plan could include: MAC address, IP address, type of IP address (static/DHCP), wired or wireless, operating system manufacturer, version of operating system, service pack level, patch level, manufacturer of network card, DNS server address, gateway address, host name/AE title, application level, firmware level, send-to destination info, query info, and PHI status (this can be a multitude of fields). Does the device have PHI on it? There are 18 critical PHI fields that you may want to identify should a device go missing, so that you can identify which of those fields it is capable of storing. Do you want to know which ones are available on each device? Does the device support PEAP? Will the device support SHA-2? Does the device have auxiliary connections? What are they and how many? Does the device support antivirus? Which antivirus vendors does it support or work with? Can the device be patched remotely at any time? Can the device be patched remotely, but requires someone to be in front of the machine to turn it off and on? Does the unit require onsite manual patching?
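To show why these fields earn their keep, here is an added example (not from the article or from any CMMS product) of a small inventory carrying a subset of them, with the two queries the article describes: sorting devices against a planned PEAP/SHA-2 network standard, and triaging an advisory that names an affected operating system. The device records, asset IDs and field names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Device:
    """One CMMS record, holding a subset of the cybersecurity fields the article lists."""
    asset_id: str
    os: str               # operating system as recorded in the CMMS
    supports_peap: bool   # will the device authenticate with PEAP?
    supports_sha2: bool   # will the device accept SHA-2 certificates?
    nic_upgradable: bool  # could a replacement network card add that support?
    has_phi: bool         # does the device store any of the 18 PHI fields?
    patch_method: str     # "remote", "remote_with_onsite_reboot", "onsite_manual"

# Constructed sample inventory; asset IDs and values are made up for this example.
INVENTORY = [
    Device("INF-001", "Windows XP", False, False, False, True, "onsite_manual"),
    Device("MON-014", "Embedded Linux", True, True, True, False, "remote"),
    Device("US-007", "Windows 10", True, False, True, True, "remote_with_onsite_reboot"),
    Device("XR-003", "Windows 7", False, False, False, True, "remote"),
]

def classify_for_network_standard(devices, require_peap=True, require_sha2=True):
    """Sort devices into those that meet the planned network standard, those a
    new network card could bring into compliance, and those that must be replaced."""
    buckets = {"compliant": [], "remediate": [], "replace": []}
    for d in devices:
        meets = (d.supports_peap or not require_peap) and \
                (d.supports_sha2 or not require_sha2)
        if meets:
            buckets["compliant"].append(d.asset_id)
        elif d.nic_upgradable:
            buckets["remediate"].append(d.asset_id)
        else:
            buckets["replace"].append(d.asset_id)
    return buckets

def triage_for_advisory(devices, affected_os):
    """Return affected asset IDs with PHI-bearing devices first, then the hardest
    to patch, so the team knows where to start without visiting every device."""
    patch_effort = {"remote": 0, "remote_with_onsite_reboot": 1, "onsite_manual": 2}
    hits = [d for d in devices if d.os in affected_os]
    hits.sort(key=lambda d: (not d.has_phi, -patch_effort[d.patch_method]))
    return [d.asset_id for d in hits]

if __name__ == "__main__":
    print(classify_for_network_standard(INVENTORY))
    print(triage_for_advisory(INVENTORY, {"Windows XP", "Windows 7"}))
```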
As you can see, the information that can be gathered will set you up for dealing with the future. If you can identify some types of information, either at the model level or at the device level, you should probably collect it for present or future use. Remember, it’s your program, and what you put into it early on will help you later.
Joseph E. Fishel, CBET, MBA, is a Healthcare Technology Systems Manager for Sutter Health eQuip Services.