
By Phil Englert

Capital budgets are shrinking for more health care providers as COVID-19 stimulus packages have ended and health care is reeling from cost increases for everything from supplies and drugs to space, transportation and labor. We have heard for years that health care is rife with legacy equipment and technology debt. As many organizations approach their capital planning period, I want to share insights and strategies to help health care leaders bring the increasing cyber risks of aging technology into capital planning discussions. Last month marked the 10th anniversary of the earliest reported cyber-attack on a U.S. hospital, which makes this a good time to consider strategies for bringing cyber risk into the capital planning conversation.
This two-part series will explore the need for raising awareness about the cyber risks in clinical environments and engaging clinical leadership with the impacts these risks may have on patient care delivery. The discussion will cover eight tips and techniques to make these discussions more collaborative and productive. Let’s get started.
In many health care organizations, ownership of medical device technologies is more often a matrix than a single responsibility. The clinical department may own the equipment if finance assigns it to that cost center, but other departments may also claim an ownership role in keeping it running (HTM) or keeping it talking on the network (IT). Mobile devices such as beds and infusion pumps may be allocated across several departments. Connected systems such as patient monitoring or nurse call, which reach like vines throughout the many patient areas, may be allocated or simply assigned to a single cost center.
And then there is the way the same endpoints or systems of endpoints are tagged, tracked and monitored by the many asset management methods present in a health care environment. Finance focuses on the “net present” value and uses a purchase order as a primary asset ID. This works fine for a single asset purchase but loses clarity when multiple components, modules if you will, make up an endpoint as with patient monitors, or if asset responsibility is shared by different departments. Information technology and healthcare technology management teams also have some role in asset management responsibilities, with separate asset tagging methods and distinct asset management systems.
It takes a cooperative and coordinated effort to ensure each stakeholder has a voice at the capital table to make informed decisions and gain the desired clinical outcomes, operating efficiencies, risk reductions, marketing advantages and other business drivers that go into capital allocation decisions.
As if that were not complicated enough, a growing portion of this aging technology runs outdated and unsupported operating systems. It may run firmware that is insecure, no longer available, or losing manufacturer support at an increasing rate. The recent statutory authority granted to FDA over the cybersecurity of medical devices may accelerate these trends. Manufacturers of legacy devices may not be able to update older technologies to meet the requirements for demonstrating reasonable assurance to the FDA that the devices are safe and effective for their intended use.
The best place to start this conversation is with the clinical leaders. Identifying the need for new or replacement medical technologies is typically a grassroots clinical department initiative. CxOs, physicians and foundations are also initiators of the capital investment process. Clinicians and clinical leaders may or may not have a good understanding of the technical issues cyber presents, so it is essential to communicate effectively the importance of cybersecurity risks and their potential impacts on clinical care delivery. Here are some tips to help you have productive discussions on cybersecurity with clinical leaders.
Understand their perspective: Begin by understanding the clinical leaders’ priorities, goals and concerns. As a part of the environment of care team, you are already familiar with clinical settings, and your technical teams keep you apprised of equipment and operational issues in various departments. Don’t assume the understanding you have is current or complete. Take some time with clinical leaders to get an update and maybe dig a little deeper. Ask which equipment they want to replace and why. Which equipment worries them the most? Which equipment frustrates their staff? Is there any equipment physicians refuse to use? This will help you tailor your discussion to their specific needs and give you some angles to demonstrate how cybersecurity aligns with their objectives. Bring up your concerns about aging technologies or equipment reliability. Sprinkle in a few operational statistics that may be useful in replacement justification statements. A good conversation will enrich the understanding for both of you.
Focus on business impact: Frame the discussion around the potential clinical care impacts of various medical devices. Cyber is a failure mode that defies the predictability of engineering. Provide an asset list that includes helpful decision points: device type, safety risk score, asset age, OS status, vulnerability score, maintenance costs and replacement cost. These details serve as prompts for the discussion. Patient care delivery is a clinical leader’s primary focus, not asset management or maintenance operations, so simplify your key points as much as possible. If the department has hundreds of devices, consolidate the list and include equipment counts. Simple graphs or pie charts might be a good way to convey risk distribution. Discuss which equipment is most critical to care delivery and which equipment is most at risk of a failure that will interrupt the ability to provide those services. Ask how they might plan to continue to deliver care without specific critical equipment. What is the response and recovery plan? Cyber is just another failure mode. You have a plan if a CT tube pops. What’s the plan if that same CT gets ransomed? Discuss how cyber events may impact equipment and how you are going to react. If IT calls and says an MRI was just accessed from Korea, do you cut the connection? Consider how you can help. Make the conversation less about cyber and more about operational resilience for continuing to ensure the ability to provide patient care.
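As an added example (not code from the article or from Health-ISAC), the script below turns a constructed asset list carrying the decision points named above into the consolidated per-device-type summary with equipment counts and a risk-tier distribution that a clinical leader could act on; the sample devices and the tiering rule are assumptions, not a published standard.

```python
"""Consolidate a medical-device asset list for a capital planning discussion.
Fields mirror the article's decision points: type, safety risk score (1-5),
age in years, OS support status, vulnerability score (0-10), annual
maintenance cost and replacement cost. All data here is constructed."""
from collections import Counter, defaultdict

# Constructed sample inventory for one clinical department (not real assets).
INVENTORY = [
    {"type": "infusion pump", "age": 9, "os_supported": False, "safety": 5, "vuln": 8.1, "maint": 400, "replace": 6000},
    {"type": "infusion pump", "age": 3, "os_supported": True, "safety": 5, "vuln": 3.0, "maint": 150, "replace": 6000},
    {"type": "patient monitor", "age": 11, "os_supported": False, "safety": 4, "vuln": 7.5, "maint": 900, "replace": 15000},
    {"type": "patient monitor", "age": 2, "os_supported": True, "safety": 4, "vuln": 2.2, "maint": 300, "replace": 15000},
    {"type": "ventilator", "age": 6, "os_supported": True, "safety": 5, "vuln": 5.5, "maint": 600, "replace": 25000},
    {"type": "CT scanner", "age": 12, "os_supported": False, "safety": 5, "vuln": 9.0, "maint": 45000, "replace": 1500000},
]

def risk_tier(device):
    """Assumed tiering rule: a device with high patient-safety impact that runs an
    unsupported OS or carries a high vulnerability score is 'high'; anything with a
    moderate score or an unsupported OS is 'medium'; the rest is 'low'."""
    if device["safety"] >= 4 and (not device["os_supported"] or device["vuln"] >= 7.0):
        return "high"
    if device["vuln"] >= 4.0 or not device["os_supported"]:
        return "medium"
    return "low"

def summarize(inventory):
    """Collapse individual assets into one row per device type with counts."""
    groups = defaultdict(list)
    for d in inventory:
        groups[d["type"]].append(d)
    summary = {}
    for dtype, devs in groups.items():
        n = len(devs)
        summary[dtype] = {
            "count": n,
            "unsupported_os": sum(not d["os_supported"] for d in devs),
            "avg_age": round(sum(d["age"] for d in devs) / n, 1),
            "max_vuln": max(d["vuln"] for d in devs),
            "annual_maint": sum(d["maint"] for d in devs),
            # Replacement cost of only the devices that have lost OS support.
            "replace_unsupported": sum(d["replace"] for d in devs if not d["os_supported"]),
            "tiers": dict(Counter(risk_tier(d) for d in devs)),
        }
    return summary

def department_tiers(inventory):
    """Whole-department risk distribution, i.e. the numbers behind a pie chart."""
    return dict(Counter(risk_tier(d) for d in inventory))

if __name__ == "__main__":
    for dtype, row in sorted(summarize(INVENTORY).items(), key=lambda kv: -kv[1]["max_vuln"]):
        print(f"{dtype}: {row}")
    print("department risk tiers:", department_tiers(INVENTORY))
```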
Editor’s Note: This is Part 1 of a two-part article. Part 2 of this article will continue the discussion with additional tips and techniques to bring cyber into the medical device capital planning process.
Phil Englert is the director of medical device security for Health-ISAC.

