Most healthcare IT leaders know that the key to making any initiative successful is to strike the right balance of people, process, and technology. If any of these factors is neglected, it can put the entire project — and even the organization — at risk, especially when it comes to security, and more specifically to protecting network-connected devices, something that is becoming increasingly difficult as the environment grows more crowded and more complex.
What that means is CIOs, CISOs, CTOs and others are tasked with protecting a network when they don’t (and can’t possibly) know everything that’s on there. It is, as Chuck Christian put it, “scary.” At the recent CHIME19 Fall CIO Forum, Christian served on a panel along with Wes Wright (CTO, Imprivata), Cara Babachicos (CIO, South Shore Health System) and Mick Murphy (CTO, WellSpan Health) that explored the IoMT Security Conundrum, and discussed ways in which organizations can keep data safe without disrupting clinical workflow.
Although many of the same principles used with traditional cybersecurity strategies can be applied, there are unique concerns when it comes to the Internet of Medical Things (IoMT), starting with the fact that each device represents a potential point of exposure for patient data.
“They come with operating systems embedded in them,” said Wright, which marks a significant change for IT departments that had been accustomed to managing software, rather than inheriting it. And the list of devices that fall into the IoMT category is impressive, from Apple Watches to biomedical devices to refrigerators.
“If you look at pacemakers and infusion pumps, we’re programming those and putting in patient information every day,” noted Christian. “We can’t protect them when there are attack vectors on our network. That’s what bothers me.”
But because there’s also a tremendous upside in being able to capture vital signs, identify trends, and make critical decisions without a patient always having to be physically present, leaders have to find a way to secure the data.
Below are some of the best practices that were shared during the panel discussion:
- Assess the environment — often. “We’ve made an effort as we bring in new devices to know what operating systems they’re running and to make sure they’re at least contemporary,” said Murphy. However, “We’re limited as to what we can do to secure the device itself,” which may or may not be FDA-regulated.
- Use segmentation. Wright recommends getting biomedical devices onto their own network, and building firewalls so that traffic can be controlled. “For the longest time, we did network segmentation based on traffic. We need to do the same thing, but throw IoMT into the mix,” he said. “We have tools in place to be able to identify what’s on the network. We need to use them to perform good hygiene,” which means finding devices, segmenting, hiding them if necessary, and scrambling the servers in the event of a known vulnerability.
- Remediate when possible. Unfortunately, it isn’t always that simple. At South Shore, Babachicos’ team implemented a solution to interrogate the network, identify which operating systems devices were using and whether they were being patched, and shut parts of it down if needed. But with some vendors, “you can’t remediate their devices, and so you have to find other ways to manage them.”
- Partner with clinical engineering. Although clinical engineering reports to the CIO in some organizations, it’s not always the case. But no matter the structure, “you need someone who really understands the space” who can partner with C-suite leaders, said Christian. “It’s not about turf; it’s about protecting the organization. If you don’t have a good relationship with those folks, create one. They can be great partners — not just around security, but integrating these devices that are going to be feeding into the EMRs.”
- Share responsibility. Which assets belong to which departments? It’s a question that can cause a lot of disagreements, and it’s the leader’s job to nip it in the bud. “If it has an IP address, it has to be managed centrally,” said Wright. Christian agreed, adding that the same should go for all connected devices, including the command and control system for HVAC. “If they’re on the network, they need to be segmented off, and we need to know what’s on them.” He recommended creating a governance structure in which all parties know which devices have an IP address, where they’re located, what OS they’re running, and whether they can be patched. “It’s not easy to do, but it’s doable,” he said.
- Do your due diligence. In an ideal world, no device would enter the network unless it’s certified, and due diligence has been performed on the organization and its security hygiene. But in hospitals, where physicians who bring in millions in revenue each year have authority, CIOs are at a disadvantage. That’s why Babachicos is going further back in the chain and ensuring devices are certified before a purchase order is even generated. “If it falls under a certain classification or sends up a flag, we have to make sure security is reviewed,” she noted, adding that a system of checks and balances is absolutely critical. “You have to do that interrogation. You have to make sure the vendor is willing to cooperate and do patches and work with you through the life of the equipment.” If they’re not, perhaps it’s time to reassess.
- Create a solid software approval process. When a new piece of equipment enters the environment, leadership must be kept informed, or patient safety could be jeopardized, according to Murphy. “We have to know where it is, how it got here, when it got here, and what maintenance has been done on it. You can’t have a lack of knowledge on these devices.”
Finally, don’t lose sight of the end goal: leveraging technology to transform the patient experience and improve care. “Because of IoT, we now have the ability to move seamlessly from one environment to the next,” said Babachicos. “We can monitor patients, look at the data, and make critical decisions without them leaving their home.”