

By Phil Englert

Capital budgets are shrinking for more health care providers as COVID stimulus packages have ended and health care is reeling from cost increases for everything from supplies, drugs and space to transportation and labor. We have heard for years now that health care is rife with legacy equipment and technology debt. As we approach the capital planning period for many organizations, I wanted to share insights and strategies to help health care leaders bring the increasing cyber risks of aging technology into capital planning discussions. June was the 10th anniversary of the earliest reported cyber-attack on a U.S. hospital. This is a good time to consider strategies for bringing cyber risk into the capital planning conversation.
This second installment continues the conversation about raising awareness of the cyber risks in clinical environments and engaging clinical leadership with the impacts these risks may have on patient care delivery. The first installment set the stage by encouraging HTM professionals to engage clinical department leaders and to weave cyber into the capital planning discussion. This includes understanding the clinical leader’s perspective and taking some time to understand their priorities, goals and concerns. Framing the discussion around the potential clinical care impacts of various medical devices helps clinical leaders understand how cyber fits within clinical operations. Let’s continue.
Provide context: Help clinical leaders understand the evolving cyber threat landscape and the specific risks health care faces. Threat actors target health care more than any other industry. Threat actors often blunder around health care infrastructure encrypting valuable-looking files with little knowledge of, or concern for, clinical impacts. Recent ransomware attacks have impacted medical device systems, contributing to the deaths of multiple patients. One example involved fetal monitoring not being available at a central station, delaying the detection of a nuchal cord and fetal distress. In Germany, a negligent homicide investigation was initiated after ransomware impacted 30 servers, causing a hospital to go on divert and delaying treatment of a critically ill patient. Patient care impacts and context will make the discussion more relatable to their own department.
Relate to their role: Explain how cybersecurity events may impact their specific role and responsibilities. Delays in obtaining lab results, or not being able to pull up diagnostic images, may delay care decisions or treatments. For example, if talking with the radiology director, discuss the financial implications of losing a CT scanner or MRI for a few days. Discuss how these risks might be managed and how determining response plans before an event can speed restoration activities or identify the need for more resilient technologies. Tailor your message to show how cybersecurity supports their objectives and helps sustain and fulfill the patient care mission. Be empathetic about financial constraints. Prioritization based on mission impact often helps identify a starting point for mitigations. As an HTM professional, offer to help find workable solutions and map out a long-term plan: “Let’s start with this, and next year we’ll revisit these other things.”
Offer practical solutions: This is the key! Anyone can ring the alarm bell. Avoid overwhelming clinical leaders with technical details, or fear, uncertainty and doubt (FUD). Tie risks to cybersecurity standards and show how these metrics are measured and tracked. Technical debt has taken a while to accumulate and solving for everything all at once is not practical. Focus on actionable, incremental steps to improve the operational resilience of the department. Discuss tactical elements like employee training, incident response plans, regular vulnerability assessments and the use of security technologies wherever possible and compensating controls where traditional security controls are not available. Offer recommendations, best practices and examples of cybersecurity measures that mitigate risks. Help identify reasonable and achievable reductions in risk.
Avoid technical language: Avoid technical jargon and use simple, plain language to explain cybersecurity concepts. Translate complex technical terms into everyday language that non-technical leaders can easily understand. Use analogies and real-world examples to illustrate your points. If you are discussing cyber risks like unsupported operating systems, show how that does not meet current security standards, which may lead to unexpected failures.
Follow up with clear documentation: Summarize the key points of your discussion in a clear and concise document. Include agreed-upon actionable steps, recommendations and supporting materials. This documentation will serve as a reference for clinical leaders and help them prioritize and implement cybersecurity measures, including advocating for the replacement of medical devices that pose significant and unmanageable risk to the care delivery mission.
Encourage questions and open dialogue: Create an open and collaborative environment where everyone is comfortable asking questions and sharing their concerns. Be prepared to address their questions and provide additional resources or explanations when needed. Active listening and respectful engagement will help build trust and credibility. Commit to meeting regularly throughout the year to discuss changes in their needs, changes in supportability risks or emerging technologies that address existing cyber risks.
Building a culture where cybersecurity is a tangible decision point requires ongoing communication and engagement. Your job is to inform business decisions by providing important data points that can be used in the capital planning process. Make cyber part of the maintenance operations and capital planning discussions. Which equipment is likely to become unrecoverable due to gaps in support, parts availability, or simply excessive labor or parts costs? Clinical leaders must balance and make decisions against many competing needs. Your priorities may not be their priorities. Respect that.
Partner with IT and IT Security to help develop the data, strategies and tactics you can present and discuss. Better yet, bring them along. It’s a great opportunity to immerse IT staff in the clinical environment. Continue to provide regular updates, share relevant insights and foster a collaborative approach towards medical device cybersecurity across the organization.
Editor’s Note: This is Part 2 of a two-part article. Part 1 of this article appeared in the July issue of TechNation and is available at https://1technation.com/health-isac-weaving-cyber-into-capital-planning-part-1/
Phil Englert is the director of medical device security for Health-ISAC.

