By Phil Englert
This column builds on last month’s discussion of cyber resiliency metrics. You can read last month’s column at 1TechNation.com.
Clinicians are focused on delivering safe, uninterrupted care. They need metrics that translate technical risks into operational realities, connect cybersecurity to clinical outcomes, ensure operational continuity, and directly affect patient outcomes.
The first metric is the number of devices with unsupported operating systems. Unsupported operating systems no longer receive security patches or updates from vendors, making them highly vulnerable to cyberattacks. Devices running outdated operating systems are more likely to experience downtime because of malware, ransomware or compatibility issues. Knowing the number and location of these devices helps clinical leaders plan for contingencies and minimize disruption. The data for this metric comes from the CMMS and is tagged by location and risk classification.
Highlighting the number of devices with unsupported operating systems typically aligns with a standard. Making clinical leaders aware of this technology debt, and of the higher risk of compromise that could directly impact patient safety in high-acuity environments, can build support for capital replacement, especially if executive leadership holds clinical leaders accountable for the risks of operating outdated technology.
The next metric for clinical leaders is the percentage of devices with secure configuration and access controls. This metric is like the first in that it looks at a dimension of technical debt. In medical devices, secure configuration and access controls refer to settings and safeguards that prevent unauthorized access, misuse or exploitation of the device. Like devices with known vulnerabilities or unsupported operating systems, those lacking secure configurations represent a latent risk accumulating over time and can compromise clinical operations when exploited. The data for this metric will come from configuration management databases and network access control systems. Poorly configured devices are more likely to be targeted in cyberattacks, resulting in downtime or degraded performance. This affects scheduling, throughput and staff efficiency. Combined with the first metric, clinical leaders are empowered to prioritize device upgrades or replacements, support funding requests for cybersecurity improvements and collaborate with HTM and IT teams to protect clinical workflows. These metrics foster collaboration between clinical and technical teams, helping clinicians advocate for cybersecurity as a patient safety issue.
The third metric for clinical department leaders is the average downtime from cybersecurity-related device incidents derived from incident response logs and CMMS service records. Organizations must look for, recognize and record cyber incidents in medical devices. This requires well-trained staff who know how to identify software-related issues on medical devices and how to retain logs for investigation. Medical devices are essential to diagnostics, monitoring and treatment. When a device is taken offline because of a cybersecurity incident – such as malware infection, unauthorized access or ransomware – the resulting downtime can delay critical procedures or diagnostics, force clinicians to use less effective backup methods and increase the risk of adverse patient outcomes.
METRICS FOR HTM TEAMS
HTM professionals are on the frontlines of medical device management. They need metrics that guide day-to-day decisions and long-term planning. Collecting and utilizing data to support cybersecurity resilience in healthcare facilities is a complex endeavor, especially in organizations with multiple stakeholders, each with distinct roles, responsibilities and priorities. While metrics are essential for guiding decisions and improving security posture, several challenges can hinder their effectiveness. Challenges include a mix of legacy systems, vendor-managed platforms, and siloed databases. Integrating these disparate systems to produce unified, actionable cybersecurity metrics is technically complex and resource-intensive, and it requires careful planning and persistent collaboration. The journey will be worth it.
HTM should develop a device risk classification metric incorporating cybersecurity risk and impact on clinical operations. Expand upon the traditional HTM risk elements of patient safety risk, maintenance requirements, and environment of use by adding acuity setting, cyber risk posture, PHI, and lateral access to develop a more comprehensive assessment of clinical impact in the event of device failure, regardless of the cause. The data source includes the CMMS with integrated risk scoring based on device type, connectivity and patient impact. Expanding beyond traditional HTM risk elements, this enhanced metric becomes a powerful tool for day-to-day decision-making and strategic planning. By incorporating a multidimensional view through which device risk is assessed, HTM professionals can play a central role in building a resilient, patient-safe and cyber-secure healthcare environment.
The second HTM metric is the percentage of devices with up-to-date software/firmware. Collecting and utilizing this data presents both technical and organizational challenges. Firmware update schedules vary widely across manufacturers. Some vendors do not provide visibility into current software versions or patch status. Devices may require manual checks or proprietary tools to verify update status. HTM teams may struggle to obtain accurate, timely data across a diverse device fleet. Passive monitoring tools may be able to provide patch availability information. Health-ISAC provides a software bill of materials (SBOM) link webpage for HTM professionals to access multiple manufacturer webpages or portals providing cybersecurity artifacts. CMMS, vendor portals, passive monitoring tools and software inventory tools can provide data for this metric. Overcoming these challenges requires cross-functional collaboration, enhanced CMMS capabilities and clear policies for updated tracking and validation.
The percentage of devices with up-to-date software/firmware reflects the medical device fleet’s cyber hygiene, operational reliability and patient safety readiness. Outdated software is a common attack vector. This metric is a strategic indicator of how well HTM teams manage cybersecurity risks, support clinical operations and maintain regulatory compliance, and it helps HTM teams track and prioritize updates.
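The following is an added example, not code from the column or from any CMMS product, showing how the metrics described above could be derived from an inventory export: the count of unsupported-OS devices tagged by location and risk class, fleet-wide hygiene percentages, and the expanded HTM risk classification that adds acuity, cyber posture, PHI and lateral access to the traditional elements. The record fields, scoring weights and class thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from collections import Counter

@dataclass
class Device:
    """One CMMS inventory record (constructed sample fields, not a real schema)."""
    asset_id: str
    location: str
    os_supported: bool      # vendor still ships OS security patches
    secure_config: bool     # hardened settings and access controls in place
    firmware_current: bool  # latest vendor software/firmware applied
    patient_safety: int     # traditional HTM elements, 1 (low) to 5 (high)
    maintenance: int
    environment: int
    acuity: int             # added elements from the column, 1 to 5
    cyber_posture: int      # 5 = weakest posture
    phi: bool               # device stores or transmits PHI
    lateral_access: bool    # can reach, or be reached from, other network segments

def risk_score(d: Device) -> int:
    """Composite clinical-impact score; the weights are an assumption for illustration."""
    score = 3 * d.patient_safety + d.maintenance + d.environment
    score += 2 * d.acuity + 2 * d.cyber_posture
    score += 3 if d.phi else 0
    score += 3 if d.lateral_access else 0
    if not d.os_supported:
        score += 4  # unsupported OS: no patches, so likelihood of compromise rises
    return score

def risk_class(d: Device) -> str:
    s = risk_score(d)
    return "high" if s >= 30 else "medium" if s >= 18 else "low"

def unsupported_os_by_location(devices):
    """Metric 1: unsupported-OS device count, tagged by location and risk class."""
    return Counter((d.location, risk_class(d)) for d in devices if not d.os_supported)

def fleet_percentage(devices, attr):
    """Share of the fleet meeting a boolean hygiene attribute, e.g. secure_config."""
    return round(100 * sum(getattr(d, attr) for d in devices) / len(devices), 1)

# Constructed sample inventory (asset ids and values are made up).
INVENTORY = [
    Device("INF-001", "ICU", False, False, False, 5, 3, 4, 5, 5, True, True),
    Device("MON-002", "ICU", True, True, True, 4, 2, 4, 5, 2, True, False),
    Device("US-003", "Radiology", False, True, False, 3, 2, 2, 2, 2, True, False),
    Device("SCL-004", "Clinic", True, True, True, 1, 1, 1, 1, 1, False, False),
]

if __name__ == "__main__":
    print(dict(unsupported_os_by_location(INVENTORY)))
    print(fleet_percentage(INVENTORY, "secure_config"), fleet_percentage(INVENTORY, "firmware_current"))
```

Reporting the counts by location and risk class, rather than as a single fleet total, is what lets a clinical leader see which units carry the debt.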
The final metric is the HTM staff cybersecurity training completion rate, a vital metric because it reflects the preparedness, awareness and capability of the HTM team to manage and mitigate cybersecurity risks associated with medical devices. This data may come from the learning management system (LMS), obtaining and maintaining cybersecurity credentials and self-study reporting. HTM professionals are often the first to interact with medical devices – installing, configuring, maintaining and troubleshooting them. A well-trained team is essential for maintaining device security and responding effectively to threats. This metric indicates how well-equipped the HTM team is to protect medical devices and support safe, uninterrupted patient care.
For HTM professionals, cybersecurity metrics are more than performance indicators; they are decision-making tools that help prioritize daily tasks, plan strategically, advocate effectively and collaborate across departments. These metrics are essential for maintaining safe, secure and resilient technology systems in a healthcare environment where medical devices are increasingly connected and vulnerable.
MAKING THE CASE FOR A CYBER RESILIENCE PROGRAM
Cybersecurity in healthcare is a clinical and operational imperative, not just an IT issue. Medical devices are critical to patient care, and their compromise can have life-threatening consequences. By adopting a structured, metric-driven approach grounded in the MITRE framework, healthcare systems can provide executive leaders with actionable insights to guide strategic investments. A metric-driven model empowers clinical leaders to understand and support mitigating cyber risks to patient care and equips HTM teams with the tools and data needed to strengthen device security.
These metrics are more than numbers – they are a language that bridges technical and clinical domains, enabling informed decision-making and shared accountability. With leadership support, healthcare organizations can operationalize these metrics, integrate them into existing workflows, and build a culture of cyber resilience that protects patients, staff and systems. This program will reduce the vulnerability footprint and foster a culture of shared responsibility and continuous improvement.
The time to act is now. Cyber threats are evolving, but so is the ability to anticipate, withstand, recover and adapt. Measure what matters and use those measurements to drive meaningful change. By leveraging MITRE’s guidance, you can align your cyber resilience efforts with industry’s best practices and ensure that your metrics are actionable, relevant and tailored to the unique challenges of medical device ecosystems.