“It’s a moving target.”
There’s perhaps no more fitting description of the challenges leaders face in safeguarding data. Not only because of the new vulnerabilities constantly entering the environment, but because of the sheer volume of tools out there, said Jonathan Langer, CEO of Medigate, during a recent panel discussion.
“There are more and more devices being connected to the network,” noted Langer, who spoke along with Steve Dunkle, CISO at Geisinger Health System, and Brian Sterud, CIO at Faith Regional Health Services. And that penetration, combined with the diversity of available devices, is “creating a new problem.”
Though it’s undoubtedly a sizable challenge, it’s not an insurmountable one. The first step, he said, is assessing the level of risk. And while there isn’t a standard that can be applied across the board, leaders can lean on a “common framework” that combines two critical factors: probability and impact. The former focuses on the inherent vulnerabilities of a device, adjusted for whatever compensating controls are already in place around it.
The latter is where it gets a bit trickier. Leaders need to determine how a device’s clinical impact is measured, how it can affect patient safety and privacy, and how it can affect potential revenue for the enterprise as a whole. “It’s knowing what the device is doing and what its identity is,” Langer said. “That’s something folks are having trouble with.”
Dunkle agreed, adding that doing a comprehensive asset inventory should be an immediate priority. “It’s hard to do an effective risk assessment if you don’t understand what you’ve got, and that’s an ongoing challenge for us.” And it can’t focus solely on devices; rather, it should include anything that connects to the network.
Enforcing that, however, can prove difficult.
That’s why Faith Regional, which is an Epic customer, has implemented a policy that if a device has anything to do with patient care, it is managed by a mobile device management tool. “That’s how we address it to make sure it is secured properly and walled off properly,” said Sterud.
The difficult part? No matter how many guidelines or requirements are put into place around mobile access and device management, “It’s in the hands of the person using the device,” according to Dunkle. “Fortunately, a lot of the mobile device manufacturers are starting to put some controls in place, some of which can be integrated with our organization controls.”
Another hurdle leaders come across is when the security team isn’t notified of purchases until after the fact, which makes it all the more difficult to defend against vulnerabilities. On the other hand, if devices are assessed before joining the network, security concerns can be voiced during the procurement process and weighed in as part of the scoring of a potential vendor, said Langer. That way, the supply chain and security process can stay “buttoned up,” which is critical from an enterprise security standpoint.
Of course, security is only one piece of an organization’s overall strategy, and it certainly isn’t the biggest. What it can’t be, according to Dunkle, is the thing that gets in the way of other priorities.
“You have to work within the business to find the right balance,” he said. “Part of it is understanding the risk, and the other part is acceptance, made in the right jurisdiction.”
That, however, doesn’t happen if strong partnerships aren’t in place, according to Sterud. “There has to be that ability to talk about gray areas and work together to accomplish things. If you can’t have productive conversations and partner with your clinical and financial teammates, it’s hard to get anywhere.”
Another critical piece is awareness. At Faith Regional, where Sterud assumes cybersecurity responsibilities in addition to being CIO, educating end users is a key focus. But it goes beyond that; users are encouraged to come forward if they come across anything that doesn’t feel right.
Geisinger has taken it a step further by bringing a communications expert with a background in marketing onto the IT security team — a move that has paid dividends, noted Dunkle. With the increased threats that come from the proliferation of IoT devices, having an individual work with the team on how to take proper security steps and precautions has been a game-changer.
Of course, when all risk is eliminated, so are the rewards, both from a business and a patient care standpoint, said Sterud. “Nobody can function in a no-risk environment because you aren’t getting any rewards either. The ability to work with the organization and understand what risks are appropriate, where we can accept risk, and where we can put in compensating controls is important.”
Another area where risk management comes into play is when patching isn’t an option. Whether it’s for financial reasons or service issues, “sometimes there is no patch,” said Langer. Often the manufacturer hasn’t issued one yet because the fix is still going through its validation process. “You may be waiting for a long time and, even then, it may not be your first priority.”
Fortunately, with modern technological capabilities, there are other compensating controls such as firewalls that can be used to segment the device, he added. “That way you can isolate the so-called ‘problem child,’ to mitigate some of the risk.” In these cases, Langer advised a combined strategy that looks at what to remediate in terms of patching, and how to mitigate risk where a patch isn’t available.
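The probability-times-impact framework described above, together with the remediate-where-you-can, mitigate-where-you-can’t strategy Langer outlines, can be written down as a small triage routine. The following is an added illustration, not code or scoring weights from the webinar or from Medigate: the device records are constructed, and the control discount factors, the 1–5 impact scales and the 0.3 action threshold are assumptions chosen for the example. Segmentation is modeled as a compensating control that lowers the probability component, so the routine can project the residual risk before a firewall rule is written.

```python
from dataclasses import dataclass, replace

# Constructed inventory records (hypothetical, not from the webinar).
@dataclass(frozen=True)
class Device:
    name: str
    vuln_severity: float     # 0-10, e.g. CVSS base score of the worst known issue
    network_exposed: bool    # reachable from the general hospital network
    patch_available: bool    # vendor has released a validated fix
    controls: tuple          # compensating controls already in place
    patient_safety: int      # impact dimensions, 1 (negligible) to 5 (severe)
    privacy: int
    revenue: int

# Assumed multipliers: each control in place scales the probability down.
CONTROL_FACTORS = {
    "segmented": 0.4,      # firewalled off from general network
    "mdm_managed": 0.7,    # enrolled in mobile device management
    "monitored": 0.8,      # traffic baselined and alerted on
}

def probability(dev: Device) -> float:
    """Likelihood component: inherent vulnerability, reduced by exposure and controls."""
    p = dev.vuln_severity / 10.0
    if not dev.network_exposed:
        p *= 0.5
    for ctrl in dev.controls:
        p *= CONTROL_FACTORS.get(ctrl, 1.0)   # unknown controls get no credit
    return round(p, 3)

def impact(dev: Device) -> float:
    """Impact component: the worst of safety, privacy and revenue dominates."""
    return max(dev.patient_safety, dev.privacy, dev.revenue) / 5.0

def risk_score(dev: Device) -> float:
    return round(probability(dev) * impact(dev), 3)

def recommend(dev: Device, threshold: float = 0.3):
    """Combined strategy: patch where possible, otherwise isolate, otherwise escalate.

    Returns (action, current_risk, projected_risk_after_action).
    """
    current = risk_score(dev)
    if current < threshold:
        return ("accept", current, current)
    if dev.patch_available:
        return ("patch", current, current)          # remediation path
    if "segmented" not in dev.controls:
        isolated = replace(dev, controls=dev.controls + ("segmented",))
        return ("segment", current, risk_score(isolated))   # mitigation path
    # No patch and already walled off: needs a formal risk acceptance or replacement.
    return ("escalate", current, current)

def triage(inventory):
    """Rank the inventory by risk, highest first, with the recommended action."""
    ranked = sorted(inventory, key=risk_score, reverse=True)
    return [(d.name,) + recommend(d) for d in ranked]

# Constructed sample inventory.
INVENTORY = [
    Device("infusion-pump-07", 9.8, True, False, (), 5, 2, 3),
    Device("ct-workstation-02", 7.5, True, True, ("mdm_managed",), 3, 5, 4),
    Device("lab-analyzer-11", 6.0, False, False, ("segmented", "monitored"), 2, 3, 2),
    Device("legacy-monitor-04", 10.0, True, False, ("segmented",), 5, 1, 2),
]

if __name__ == "__main__":
    for name, action, now, later in triage(INVENTORY):
        print(f"{name:20s} risk={now:.3f} -> {action:8s} projected={later:.3f}")
```

The point of the projected column is the one Langer makes: for the unpatchable pump, segmentation brings the score down sharply but not below the threshold, which tells the security team that isolation buys time rather than closing the item, and that the residual risk still has to be accepted explicitly by the right owner.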
It’s a strategy Sterud knows well, as Faith Regional is currently going through a “very in-depth process” to assess the level of risk, determine why it is high for a given device, and understand the options available for each one. “There may be an upgrade we can do, or there may not be,” he said. “Frankly, when you’re faced with that, it’s a high risk.”
It’s not uncommon, according to Dunkle. In fact, it speaks to the challenge many organizations face. “How do you implement security controls effectively with all these moving parts and still help the business meet its objectives? It’s a double-edged sword,” he said.
Fortunately, it’s also an opportunity for CISOs and other leaders to shine, according to Langer. “What I’m seeing is that security folks are technological trailblazers within the organization. They have a second role outside of security to bring in new technologies that can benefit the entire enterprise.”
The archive of this webinar, Mastering Medical Device Security (Sponsored by Medigate), is available for viewing.