By Connor Walsh, CISSP
Because medical device cybersecurity is still new to the HTM professional’s role, the path to an improved department cyber-posture may not be clear, and questions such as “Where should I start?” or “What are our team’s five-year cybersecurity goals?” may not have strong answers. As threat actors increasingly target healthcare organizations, assessing a department’s existing medical device risk management policy can pay off in this fight: a reduced attack surface, faster incident response, an improved department culture, and documented due diligence and due care in protecting the organization’s confidential data.
For those wondering where to begin in developing an internal HTM cybersecurity framework, obtaining senior leadership support is a good start. Presenting the intended scope and the strategies that will protect the organization against real-world cyber-threats helps secure buy-in and improves the odds of additional resources. A vital next step is identifying a department champion to lead the initiative. Whether that means hiring a new position or training an in-house employee, someone must own this process.
The champion should next help build and/or assess the department’s risk management policy. The facility information system officer (ISO) is a great resource for improving medical system visibility, which usually means inventorying, categorizing and classifying every medical system; collecting MDS2 forms and cross-referencing them with department inventories accomplishes this. Working with the ISO, the gathered information feeds a risk assessment of each medical system that identifies any unmitigated risk (e.g. an outdated OS, non-routine patching, external Internet access). Each identified risk should then be treated: ideally by applying appropriate physical, technical or administrative security controls; where that is not feasible, the risk can be logged for future action, transferred (for example through an extended support service contract), or formally accepted. Expect this stage to take time, because, as we all know, every medical system is unique. Department training and clinician awareness of the new policy will help maintain its long-term integrity, particularly for future procurements.
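The inventory-to-risk-register workflow described above, as an added Python example that is not part of the original article: it takes MDS2-style inventory records, flags the three unmitigated risks named above, assigns a default treatment (mitigate, log, transfer or accept) that the champion can override with a documented rationale, and reports what is still open. The end-of-life OS list, the 90-day patch window, the record field names and the sample devices are all assumptions constructed for the example, not data from the article.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Dict, List, Optional

# Assumptions for this example: the end-of-life OS list and the patch window are
# placeholders; a real policy would take them from vendor lifecycle data and the
# department's own patching standard.
EOL_OS = {"Windows XP", "Windows 7", "Windows Server 2008 R2"}
PATCH_WINDOW_DAYS = 90


class Severity(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Treatment(Enum):
    MITIGATE = "mitigate"   # apply a physical, technical or administrative control
    LOG = "log"             # record for future action
    TRANSFER = "transfer"   # e.g. an extended support service contract
    ACCEPT = "accept"       # documented acceptance by the risk owner


@dataclass
class Device:
    """One inventory record, with the kind of fields an MDS2 form answers (assumed names)."""
    asset_id: str
    name: str
    os: str
    last_patched: Optional[date]   # None means no patch record exists
    internet_exposed: bool
    stores_phi: bool
    vendor_supported: bool


@dataclass
class Finding:
    asset_id: str
    risk: str
    severity: Severity
    treatment: Optional[Treatment] = None
    note: str = ""


def assess(dev: Device, today: date) -> List[Finding]:
    """Flag the unmitigated risks the article lists for a single device."""
    findings = []
    if dev.os in EOL_OS:
        sev = Severity.HIGH if dev.stores_phi else Severity.MEDIUM
        findings.append(Finding(dev.asset_id, "outdated OS", sev))
    if dev.last_patched is None or (today - dev.last_patched).days > PATCH_WINDOW_DAYS:
        findings.append(Finding(dev.asset_id, "non-routine patching", Severity.MEDIUM))
    if dev.internet_exposed:
        findings.append(Finding(dev.asset_id, "external Internet access", Severity.HIGH))
    return findings


def suggest_treatment(dev: Device, finding: Finding) -> Treatment:
    """Default treatment following the article's options; the champion may override."""
    if finding.risk == "outdated OS":
        # An unsupported OS cannot be patched in place: transfer the risk through an
        # extended support contract if the vendor still offers one, otherwise log it.
        return Treatment.TRANSFER if dev.vendor_supported else Treatment.LOG
    return Treatment.MITIGATE   # patch cadence and exposure have direct controls


class RiskRegister:
    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def run(self, devices: List[Device], today: date) -> None:
        for dev in devices:
            for f in assess(dev, today):
                f.treatment = suggest_treatment(dev, f)
                self.findings.append(f)

    def override(self, asset_id: str, risk: str, treatment: Treatment, note: str) -> None:
        for f in self.findings:
            if f.asset_id == asset_id and f.risk == risk:
                f.treatment, f.note = treatment, note
                return
        raise KeyError(f"no finding {risk!r} for {asset_id}")

    def open_items(self) -> List[Finding]:
        """Findings still needing action: logged, or accepted without a rationale."""
        return [f for f in self.findings
                if f.treatment == Treatment.LOG
                or (f.treatment == Treatment.ACCEPT and not f.note)]

    def summary(self) -> Dict[str, int]:
        """Treatment counts, the kind of figure to show leadership."""
        counts: Dict[str, int] = {}
        for f in self.findings:
            counts[f.treatment.value] = counts.get(f.treatment.value, 0) + 1
        return counts


# Constructed sample inventory (not real devices).
TODAY = date(2024, 6, 1)
SAMPLE_DEVICES = [
    Device("HTM-001", "Infusion pump", "Embedded Linux", date(2024, 4, 15), False, False, True),
    Device("HTM-002", "Ultrasound workstation", "Windows 7", date(2023, 1, 10), True, True, True),
    Device("HTM-003", "Lab analyzer", "Windows 10", None, False, True, False),
    Device("HTM-004", "Legacy imaging console", "Windows XP", None, False, True, False),
]


def run_sample() -> RiskRegister:
    reg = RiskRegister()
    reg.run(SAMPLE_DEVICES, TODAY)
    # The risk owner accepts the analyzer's missing patch record with a rationale.
    reg.override("HTM-003", "non-routine patching", Treatment.ACCEPT,
                 "vendor applies patches during quarterly service visits")
    return reg


if __name__ == "__main__":
    reg = run_sample()
    for f in reg.findings:
        print(f.asset_id, f.risk, f.severity.name, f.treatment.value, f.note)
    print("open:", [(f.asset_id, f.risk) for f in reg.open_items()])
```

On the sample inventory the register leaves exactly one open item, the XP console whose outdated OS could only be logged because no vendor support remains; that is the kind of gap to present to leadership together with the mitigated and transferred findings.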
After a few years and many risk assessments, it may be time for next steps. An official certification such as ISO 27001 may be valuable to the organization. The certification process can take 6-12 months, but its benefits include reduced exposure to breach-related penalties, a protected reputation, demonstrable compliance with business, legal, contractual and regulatory requirements, and improved department structure. If starting a department risk management policy from scratch, it may help to set ISO 27001 certification as a future goal so that the required documentation is compiled on a regular basis for if and when the time comes to formally apply.
You can’t fix a problem you don’t know you have, so continuous review of the department’s medical device cybersecurity policy is essential. Establishing a cybersecurity champion within the department, building a good relationship with the ISO, and providing adequate education and direction will help identify risks and close medical system gaps. Presenting to leadership when risks have been identified and mitigated is an easy way to demonstrate a return on their investment in sponsoring the cybersecurity initiative. Taking these steps will improve the department’s cyber-posture and safeguard medical systems from an ever-growing threat landscape.
Connor Walsh works for VA Central Office on the Office of Electronic Health Record Modernization (OEHRM) HTM team.
References:
https://www.itgovernance.eu/blog/en/benefits-of-iso-27001-certification