By K. Richard Douglas
While the HTM/IT/IS ecosystem has evolved to produce hybrid and specialist positions, the challenges shared by the professions remain abundant.
The focus of these departments frequently intertwines, and the goals of each group – protecting the integrity of the network, protecting patient safety and hardening the ever-increasing attack surface of modern-day health care systems – unite all parties under a common umbrella.
The roles of HTM and IT/IS require something of a balancing act. Both are critical to the facilities they serve, but they often have methods or protocols that conflict. As the universe of IoMT and IoT continues to expand, and as devices containing patients’ protected health information (PHI) evolve, collaboration across the groups is critical to both workflows and cybersecurity.
Today, it is not enough to maintain the hardware and software of devices on the network. The perils posed by threat actors exploiting any available vulnerability are continuously growing. That threat can target any medical device that has an operating system, as well as any device that may connect to the Internet through the facility’s access points.
For this reason, mitigation of threats is paramount: HTM and IT/IS must know the entire vulnerable surface, and written protocols must be followed precisely.
The methods used by cyber threat actors continue to grow as well. Collaboration between departments is key and any tips or insights to enhance and bolster that effort should be pursued.
But what happens when circumstances outside of HTM’s control prevent the biomed department from being able to complete a project, or install a device on the network, because IT/IS will not approve it?
The HTM Perspective
While many goals and objectives of IT and biomed are closely aligned, and many procedures are now standardized across both groups, the safety protocols that IT requires can often be frustrating when they encroach on areas outside of biomed’s control. At other times, availability might hold up projects.
Obsolete legacy platforms that no longer receive security updates have caused many problems. Several operating systems have reached this inevitable end of support in recent years.
There was a time, not long ago, when most ATMs still ran Windows 7. Before that, many ATMs ran on Windows XP. These systems were in place even after they were considered obsolete. So, it comes as no surprise that this scenario may also impact biomeds who have the best intentions.
Hosameldin “Sam” Elsemany, CCE, CBET, a clinical engineer in the department of clinical engineering with UConn Health has dealt with a related issue in the NICU area.
“We are scheduled to go live with integrating our NICU bedside monitors with Epic and our network security team is refusing to connect the Philips server to the hospital since it has Windows 2008 OS,” Elsemany says.
He says that there were a couple of options to connect the bedside monitors to Epic.
“One option was to connect each bedside monitor to the network via HL7 middleware, but we couldn’t use that option because our bedside monitors are end-of-life and the serial port, needed to connect to the middleware, was not available to order,” Elsemany says.
He says that the second option was to connect to the network via the Philips gateway server, which, as mentioned, runs Windows 2008 and has never been patched.
“Now we are exploring the possibility of patching the server, putting it behind a firewall, and segmenting it on the network until the whole bedside monitor system is replaced/upgraded,” Elsemany says.
He says that although upgrading the NICU monitors is very expensive and was not on the hospital’s radar for purchase this year, supply chain issues mean that Philips quotes a lead time of 10 months to deliver new monitors and a server, even if they were purchased in May of this year.
“That limits our options to connecting the outdated server to the network with all associated cybersecurity risks,” Elsemany says.
“One tool we found very useful in mitigating and monitoring medical device cybersecurity risks is to use a healthcare security platform software application. The application monitors all devices connected to the hospital network, provides detailed reports of the risk level associated with each device and recommends how to mitigate those risks,” Elsemany adds.
He says that it is then up to the CE team to work with the hospital network security team and vendors to patch the device or make network changes to alleviate the risks.
“We invested in that software last year and it was a great step in the right direction towards creating a CE device cybersecurity program,” Elsemany adds.
Elsemany says that regardless of the efforts taken by in-house CE/IT to minimize cybersecurity risks with medical devices, there will always be medical devices that received 510(k) clearance with now-outdated operating systems such as Windows 7 and XP.
“The vendor won’t have patches for those systems and CE must work with the IT team to find ways to reduce risks with those systems. CE must also have a plan to replace those systems in the near future to eliminate the risks,” he says.
Aged operating systems provide a perfect illustration of when all parties want to do what is right, but collaboration is needed to explore all options.
“Concerning some of the frustrations, it is important for HTM professionals to have a basic understanding of the job requirements of the IT/IS cybersecurity department. In my experience, they are not intentionally making things difficult in the installation, implementation or security management of medical equipment. It is extremely important for HTM departments to understand the ‘why’ behind IT/IS requirements for connected medical devices,” says Mike Busdicker, MBA, CHTM, FACHE, system director of clinical engineering at Intermountain Healthcare.
He says that once biomed understands the requirements, it becomes imperative to be embedded in the process and work collaboratively toward solutions.
“There cannot be an ‘us and them’ mentality or we will hinder the ability to implement a program that benefits the patients we serve and the overall health care environment. There are a lot of bad players out there and we need to be on the same page in order to protect our organizations, caregivers and patients,” Busdicker says.
He says that recently, their HTM department was struggling with the disabling of ports on their laptops because of cybersecurity risks.
“This hindered the ability to download service software and connect to medical devices for calibration and troubleshooting. Our HTM medical equipment security team worked with the IT/IS cybersecurity team to establish an exemption process that would meet the requirements of both departments. This is an example of both departments working together to develop a solution to meet the needs of the health care system,” Busdicker adds.
The IT/IS Perspective
Some IT/IS security professionals clearly recognize the challenges placed before HTM because of the extraordinary advances in technology during the past decade.
“The HTM field is changing as more and more medical devices are relying on microchips, an underlying off-the-shelf operating system and network/EMR integration. There is so much more to the HTM field than there used to be 10 years ago. Preventative maintenance is still critical, but there are so many more elements that can impact the clinical efficacy and the safety of devices on the network,” says Ali K. Youssef, director of medical device and IOT security, information privacy and security office at Henry Ford Health in Detroit.
He says that IT team members have had years to hone their skills and mature frameworks and processes for dealing with cybersecurity.
“Institutions like ISO, NIST and others have helped pave the way. IT teams are generally not mature in dealing with IOT and medical device security issues, or even understanding the medical device life cycle,” Youssef says.
He says that some of the most common gaps in IT systems are:
- Poor IOT/medical device identification and classification. The traditional tools do well with identifying servers and workstations, but do not address IOT/medical devices very well.
- There is not an automated mechanism to sift through the thousands of ever-growing known vulnerabilities and correlate them to the IOT and medical device inventory connected to the network.
- There is not a clear automated way to gauge the risk associated with each vulnerability and boil down the most important devices to focus on.
He says that in order to deal with these challenges, people and processes alone are not sufficient.
“We need to rely on technology, and more specifically medical device and IOT security management tools,” Youssef says. “Without these tools, the task of understanding and remediating risks associated with medical devices is extremely difficult and time consuming. Understanding and sifting through the volume of vulnerabilities coming out on a daily basis manually is a poor use of time and resources.”
Youssef adds that from a healthcare delivery organization (HDO) standpoint, medical device and IOT security can be aligned with existing cybersecurity programs.
“There are some key things to be aware of when we’re dealing with medical devices on the network. Passive security scanning is as far as one can go in order to avoid impacting the functionality of a given medical device. The devices often do not integrate with Active Directory and do not support AV or EDR. Minor changes can be made to existing HTM policies to include a security focus. For example, requesting security documents like the MDS2 and SBOM from the medical device manufacturers prior to procurement, ensuring that there is a focus on cybersecurity as a part of the preventative maintenance and ultimately ensuring the devices are wiped appropriately during the decommissioning process,” he says.
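Youssef’s first gap (traditional tools identify servers and workstations but not IoMT devices) and his point that only passive scanning is safe on a medical device can be illustrated together. The following is an added example, not code from the article or from any vendor’s security platform: it classifies hosts purely from metadata a SPAN-port or TAP sensor can observe (MAC OUI, DHCP hostname and option 60 vendor class, and the TCP ports seen in flows to and from the host) without ever sending a packet to the device. The OUI table, fingerprint rules, host names and observations are constructed assumptions for illustration; a real deployment would use the IEEE OUI registry and a much larger rule set.

```python
"""Passive identification and classification of networked devices from
traffic metadata: MAC OUI, DHCP hostname/vendor-class, and the TCP ports
seen in flows to and from the host. Nothing is sent to the device.

Added example (not code from the original article or from any vendor's
platform). The OUI table, fingerprint rules and observations are
constructed for illustration and would be replaced by real feeds."""
from dataclasses import dataclass, field

# Constructed OUI -> vendor table (assumed values; use the IEEE registry in practice).
OUI_VENDORS = {
    "00:09:FB": "Philips Medical Systems",
    "00:50:56": "VMware (virtual server)",
    "3C:97:0E": "COTS laptop OEM",
}

# Well-known ports used as role signals: 104/11112 = DICOM, 2575 = HL7 MLLP
# (conventional port), 3389/445/135 = RDP/SMB/RPC typical of managed Windows hosts.
DICOM_PORTS = {104, 11112}
HL7_PORTS = {2575}
IT_ADMIN_PORTS = {3389, 445, 135}


@dataclass(frozen=True)
class Observation:
    """What a passive sensor can see for one MAC address."""
    mac: str
    dhcp_hostname: str = ""
    dhcp_vendor_class: str = ""                 # DHCP option 60
    listening_ports: frozenset = frozenset()    # ports other hosts connected to on this host
    outbound_ports: frozenset = frozenset()     # ports this host connected to elsewhere


@dataclass
class Profile:
    mac: str
    vendor: str = "unknown"
    os_family: str = "unknown"
    role: str = "unknown"
    evidence: list = field(default_factory=list)

    @property
    def needs_htm_review(self) -> bool:
        """True when the host is not a plain IT asset and is not fully identified."""
        return self.role != "IT workstation/server" and "unknown" in (self.vendor, self.os_family, self.role)


def classify(obs: Observation) -> Profile:
    p = Profile(mac=obs.mac, vendor=OUI_VENDORS.get(obs.mac.upper()[:8], "unknown"))
    if p.vendor != "unknown":
        p.evidence.append(f"OUI {obs.mac[:8]} -> {p.vendor}")

    vc = obs.dhcp_vendor_class
    if vc.startswith("MSFT"):       # Microsoft DHCP client class identifier
        p.os_family = "Windows"
    elif vc.startswith("udhcp"):    # BusyBox DHCP client, typical of embedded Linux
        p.os_family = "Linux/embedded"
    if p.os_family != "unknown":
        p.evidence.append(f"DHCP option 60 {vc!r} -> {p.os_family}")

    # Medical protocol signals take precedence over generic IT signals: a Windows
    # host that speaks HL7 is a monitor gateway, not a file server.
    all_ports = obs.listening_ports | obs.outbound_ports
    if obs.listening_ports & DICOM_PORTS:
        p.role = "DICOM node (modality or PACS)"
    elif all_ports & HL7_PORTS:
        p.role = "HL7 integration endpoint (monitor gateway/interface)"
    elif obs.listening_ports & IT_ADMIN_PORTS and p.os_family == "Windows":
        p.role = "IT workstation/server"
    if p.role != "unknown":
        p.evidence.append(f"ports {sorted(all_ports)} -> {p.role}")
    return p


# Constructed observations (hypothetical hosts, not from any real network).
SAMPLE_OBSERVATIONS = [
    Observation("00:09:fb:12:34:56", "NICU-GW01", "MSFT 5.0",
                listening_ports=frozenset({445, 3389}), outbound_ports=frozenset({2575})),
    Observation("00:09:fb:ab:cd:ef", "CT-RECON-2", "MSFT 5.0",
                listening_ports=frozenset({104, 445})),
    Observation("3c:97:0e:00:11:22", "LAPTOP-HTM07", "MSFT 5.0",
                listening_ports=frozenset({3389, 445, 135})),
    Observation("a4:b5:c6:d7:e8:f9", "", "udhcp 1.30.1",
                outbound_ports=frozenset({443})),
]


def build_inventory(observations=SAMPLE_OBSERVATIONS) -> dict:
    """Map MAC -> Profile; hosts with needs_htm_review=True go to HTM for manual identification."""
    return {o.mac: classify(o) for o in observations}


if __name__ == "__main__":
    for mac, prof in build_inventory().items():
        flag = " [HTM review]" if prof.needs_htm_review else ""
        print(f"{mac} {prof.vendor:<24} {prof.os_family:<15} {prof.role}{flag}")
        for e in prof.evidence:
            print("    ", e)
```

The last constructed host (embedded Linux, unknown OUI, only outbound HTTPS) is the case a workstation-centric tool silently files as "other"; here it is flagged for HTM review, which is where the CMMS record closes the gap. Every rule above is a heuristic, so the evidence list is kept with each profile rather than just the verdict.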
Youssef points out that scenarios will arise where a medical device requires a firmware patch because of a known vulnerability. Assuming a patch is available from the manufacturer, HTM departments in many cases must quickly locate the affected devices and install the patch on a device-by-device basis.
“Some of the newer medical devices allow for centralized management, but unfortunately the majority of medical devices in use throughout health systems are anywhere between 10 to 20 years old. Having the ability to bring in staff augmentation to help quickly for these types of scenarios is important and can help to prevent staff burnout,” he says.
Youssef says that as HDOs focus on medical device security, it is becoming increasingly important to have dedicated teams focused on this area that can speak the language of IT and HTM.
“The trend toward cross training HTM on IT principles and vice versa continues to be critical. The Configuration Management Database (CMDB) and CMMS need to have some level of integration in order for each to enrich the data of the other. The goal of both departments is to improve patient safety and promote the confidentiality, integrity and availability of medical devices, which requires cooperation from both teams,” he says.
Challenges and Realities
There are some challenges that are likely to frustrate HTM when either timing or technology limitations are obstacles to repairs or maintenance.
“It is hard for the standard IT desktop/application team to understand that medical devices using common operating systems cannot just be ‘patched.’ A patch could have an ill-effect on the medical device application side of the device. If there is a vulnerability with the OS, the device should be segmented or placed behind a dedicated firewall. Both sound easy when you read and think about it, but configuration, testing and deployment all need to then occur. Time, money and other resources are required. However, segmenting and firewalling could be a faster solution than a patch that needs to go through FDA validation,” says David Soffer, manager of the medical device IS specialist team at WellSpan Health.
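Youssef’s second and third gaps (no automated way to correlate the vulnerability feed with the device inventory, and no clear way to gauge which devices to focus on) and Soffer’s point that an unpatchable device should be segmented or firewalled rather than "just patched" describe one workflow. The following is an added example, not code from the article or from any vendor’s platform: it matches a vulnerability feed against an inventory, weights each hit by how the device is actually deployed, and assigns a disposition of either a vendor-validated patch or a compensating control (segmentation, firewalling, planned replacement, as in the NICU gateway situation Elsemany describes). The inventory records, the advisories (identifiers like ADV-0001 are placeholders, not CVEs), the multipliers and the disposition rules are all constructed assumptions; a real program would take these from the CMMS/CMDB, the NVD feed and vendor MDS2/SBOM documents.

```python
"""Correlate a vulnerability feed against an IoMT inventory, rank findings by
exposure-weighted risk, and assign a disposition (vendor patch vs. compensating
control) per device.

Added example, not code from the original article or any vendor platform.
Inventory, advisories (ADV-xxxx are placeholders, not CVEs), multipliers and
disposition rules are constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    asset_id: str
    description: str
    os: str                       # platform family, e.g. "windows_server"
    os_version: str               # e.g. "2008"
    vendor_patch_available: bool  # per vendor advisory / MDS2 (assumed)
    patient_critical: bool        # direct patient-care role (e.g. NICU)
    exposed_to_internet: bool
    segmented: bool               # isolated VLAN / dedicated firewall already in place


@dataclass(frozen=True)
class Advisory:
    adv_id: str                   # placeholder identifier, not a real CVE
    cvss: float
    affected_os: str
    affected_versions: frozenset
    network_exploitable: bool     # CVSS attack vector = Network


@dataclass(frozen=True)
class Finding:
    asset_id: str
    adv_id: str
    risk: float
    disposition: str


def matches(dev: Device, adv: Advisory) -> bool:
    return dev.os == adv.affected_os and dev.os_version in adv.affected_versions


def risk_score(dev: Device, adv: Advisory) -> float:
    """CVSS base score weighted by how this device is actually deployed (assumed weights)."""
    score = adv.cvss
    if not adv.network_exploitable:
        score *= 0.6   # local-only bugs matter less on a device nobody logs into
    if dev.patient_critical:
        score *= 1.5
    if dev.exposed_to_internet:
        score *= 1.5
    if dev.segmented:
        score *= 0.5   # existing compensating control already limits reachability
    return round(score, 2)


def disposition(dev: Device) -> str:
    """Patch when the vendor supports it; otherwise compensate and plan replacement."""
    if dev.vendor_patch_available:
        return "patch: schedule vendor-validated patch window"
    if not dev.segmented:
        return "compensate: segment/firewall now; plan replacement"
    return "accept-with-monitoring: already segmented; plan replacement"


def prioritize(devices, advisories) -> list:
    """All (device, advisory) matches, highest weighted risk first."""
    findings = [
        Finding(d.asset_id, a.adv_id, risk_score(d, a), disposition(d))
        for d in devices for a in advisories if matches(d, a)
    ]
    return sorted(findings, key=lambda f: f.risk, reverse=True)


# Constructed inventory and advisories (hypothetical devices and identifiers).
DEVICES = [
    Device("D-0001", "NICU monitor gateway server", "windows_server", "2008",
           vendor_patch_available=False, patient_critical=True,
           exposed_to_internet=False, segmented=False),
    Device("D-0002", "Imaging review workstation", "windows", "7",
           vendor_patch_available=True, patient_critical=False,
           exposed_to_internet=False, segmented=True),
    Device("D-0003", "Point-of-care ultrasound", "windows", "10",
           vendor_patch_available=True, patient_critical=True,
           exposed_to_internet=False, segmented=False),
    Device("D-0004", "Infusion pump", "embedded_linux", "4.9",
           vendor_patch_available=False, patient_critical=True,
           exposed_to_internet=False, segmented=True),
]
ADVISORIES = [
    Advisory("ADV-0001", 9.8, "windows_server", frozenset({"2008", "2012"}), True),
    Advisory("ADV-0002", 7.8, "windows", frozenset({"7", "8.1"}), False),
    Advisory("ADV-0003", 8.2, "windows", frozenset({"7", "10"}), True),
]

if __name__ == "__main__":
    for f in prioritize(DEVICES, ADVISORIES):
        print(f"{f.risk:6.2f}  {f.asset_id}  {f.adv_id}  {f.disposition}")
```

On this constructed data the unsegmented Windows Server 2008 gateway in a patient-critical unit ranks first and gets the "segment/firewall now" disposition, while the segmented Windows 7 workstation drops to the bottom even though one of its hits is a higher base score than the local-only bug. The point is that the ranking is driven by deployment context from the CMMS, which a raw CVSS feed does not carry.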
Occasionally, HTM will also face challenges because of storage trends when adding new equipment to the network or making replacements.
“The cloud is here, and devices are sending data up ‘there.’ We have devices that send to the vendor’s cloud space. Data is collected and then available for review and analytics. Our IT security team reviewed the cloud server connections from the vendor documentation and allowed the IP and port for communication. As we acquire equipment, it goes through a very large technology assessment. That way all technical teams involved, along with the customer and vendor, can discuss options, challenges and solutions that are available,” Soffer says.
He says that in the IT world, a great defense comes with a great offense.
“If we set up the device accordingly, to make it as secure as possible, there should be minimal issues with connectivity. Unfortunately, it always seems the dark side of hacking and finding OS holes is faster than our defense,” Soffer says.
Is there any way to streamline the permissions required by IT when new equipment is placed on the network?
“As mentioned above, we perform a technology assessment with the vendor pre-purchase for new medical equipment being requested. The vendor is provided the form in advance so their appropriate teams can answer the questions,” Soffer says.
He says that the questions focus on network connectivity, server requirements, application deployment for workstations and so on.
“There are also questions about special power, ventilation, fluids such as steam or water, consumables, user training, etc. There is even more to the form which provides information needed in advance to provide a successful purchase, installation and user deployment. The days of devices just showing up because someone was able to sneak a PO through the purchasing system are long over. Working together provides a successful outcome,” Soffer adds.
What if the system is down and the part being replaced needs to be re-registered on the network and it is off-hours?
“This is your worst-case scenario question. Like a CT reconstruction computer goes down and the vendor is working with the local hospital on-call imaging technician. But then the on-call tech realizes the new computer will not plug right into the network because it has a DHCP-reserved IP. Now the network team needs to be called so someone can update the switch port with the new MAC address of the reconstruction computer. Am I far off from a real-world situation?” Soffer asks.
He says that luckily, he does have on-call procedures, escalation trees and IT managers that rotate on-call.
“Everyone likes to think they have the worst of the worst figured out for after-hours coverage, but it doesn’t always go the way it has been planned. If we have a system outage, we have an escalation process that brings teams and leaders together on a live call. This is like a verbal incident command where staff are reporting in, leaders are making decisions and work is being tasked. Having the live communication with real-time decision making and feedback is a seamless way to work through and eventually solve issues,” Soffer says.
Busdicker says that within his health care system, they have an IT/IS team dedicated to the cybersecurity of the organization and there are caregivers within the HTM department focusing on medical equipment.
“These two teams meet routinely, communicate constantly and work collaboratively to ensure we are fulfilling the requirements associated with medical equipment security and data protection. To bridge the requirements, and ensure a safe environment, these teams need to be on the same page with the same end goal in mind,” he says.