Never has one little letter made such an enormous impact as when the Internet of Things (IoT) expanded into the Internet of Medical Things (IoMT), and devices and applications both inside and outside hospital and clinic walls became connected. For IT and security leaders, it presents an enormous challenge: safeguarding the network — and along with it, patient data — without sacrificing usability.
“The balance is really tough to strike,” said Christopher McKay, Director of Nursing & Clinical Workflow Specialist with Imprivata. “Without security, you have no firewalls to the EMR. These devices aren’t just out there; they’re connected. You need security, but you need to be mindful not to disrupt workflow.”
It’s a complex topic, for many reasons. During a recent webinar, McKay discussed the components of a solid IoMT strategy, along with Ron Mehring, CISO at Texas Health Resources, and Arthur Ream, Senior Director of IT Applications and CISO at Cambridge Health Alliance.
What makes it so challenging is the fact there’s so much “gray area,” noted Ream. IoMT encompasses not just biomedical equipment within the hospital, but remote monitoring devices issued to patients, consumer-facing apps, and so much more. “The scope is already large, and it’s only going to expand.”
For CISOs and other security leaders, the task of defending entry points — and safeguarding patient data — is becoming increasingly difficult. “As devices like vital sign monitors become connected, the pathway to the EHR changes, and we need to think about where that data is landing,” said McKay. “The four walls we used to work in have been ripped down.”
And as the environment changes, so must the approach leaders take. During the webinar, the panelists shared their experiences in the new IoMT world, and offered advice on how to face some of the more daunting situations.
Below are some highlights from the discussion:
- It’s a whole new world. Make no mistake; from the diversity of devices on the network to the complexity of the architecture, this is a very different animal in terms of security needs. What worked before simply isn’t going to work going forward, said Mehring. “In the traditional IT setting, you had servers, work stations, and mobile devices. Medical devices have different protocols and different ways of communicating. For leaders, the focus must be on controlling data flow, and ensuring we can effectively monitor for anomalies around those devices.”
- Patching problems. Another unique aspect of medical devices is that diagnostic tools tend to be highly regulated, which presents hurdles for patches and upgrades as well as virus protection. What that means, said Ream, is that even when a device isn’t compliant, modifying it is still off limits in some cases. “You need a dynamic, real-time way to segment that while still allowing critical use of devices—and not impacting the network. It’s a challenge for healthcare IT and security teams,” he noted.
- Hide and seek. It may sound simple, but keeping an updated inventory of where devices are located and whether they’re securely connected is often anything but. One way to do this is to track devices as they move from one access point to another, said Ream. “If you have the technology, you can program a widget with the floor plan on it to track devices.” But it’s not just about finding a device; it’s ensuring adequate controls are in place.
- Reporting structure. Another way to make the inventory process more efficient? Create a structure in which bioengineering reports to IT, said McKay. “It just makes it so much easier.” Ream agreed, encouraging attendees to “push for” this type of arrangement.
- Seamless experience. The ultimate goal is to create a seamless experience for users, whether they’re accessing data from a medical device or a workstation, noted McKay. By offering the ability to tap in and out using a badge, Imprivata is working to remove steps that can lead to frustration — without compromising security.
- Safety first. Perhaps the most practical piece of advice came from Mehring, who said any conversation about device security has to start with safety. “When you start by talking about patient safety, the discussion is very different,” he said. “People are much more receptive.”
- Clinical talk. Also important, according to Ream, is ensuring that information is presented in a way that’s timely and clinically focused. “A lot of times we talk in terms of numbers and we don’t understand the workflow that happens from a provider standpoint,” he noted. “It’s about timing and accuracy, with safety layered on top of that. If you can provide that in an integrated solution, clinicians will perform better and patient care will improve.”
- Thoughtful change. Leaders need to understand that something as simple as increasing password complexity can have a big impact, said Ream. “When you operate in silos, and make changes that are aggressive or lack thoughtfulness, it will backfire. You need to be methodical. You need to think about how the processes and controls you’re putting in will impact workflow. You need to think about how a solution is going to be used on the floor.”
Finally, leaders need to avoid the common trap of letting fear dictate the security strategy. “Develop sound threat scenarios based on your environment, and let them guide your priorities,” said Mehring. “Don’t chase headlines. Chase the things you need to get done in your organization.”
An archive of this webinar — Building a Comprehensive Security Strategy for Network-Connected Medical Devices (Sponsored by Imprivata) — is available to view.