healthsystemcio.com

healthsystemCIO.com is the sole online-only publication dedicated to exclusively and comprehensively serving the information needs of healthcare CIOs.

“The Dynamic Has Changed”: Managing the Growing Challenge of Connected Devices

06/04/2021 By Fred Bazzoli

Todd Greene, VP & Enterprise CISO, Atrium Health

Cybersecurity vulnerabilities have haunted healthcare IT security executives for years, especially when it comes to protecting medical devices and other assets linked to internal networks or the Internet.

The problem is extensive, as large healthcare systems typically have thousands of devices, often from hundreds of manufacturers, in use — many of which are several years old, running off old software platforms that are difficult to protect. The growing challenge of protecting medical devices and ensuring the integrity of a provider’s internal networks was the topic of a webinar entitled, “Leveraging Risk Management as a Cornerstone of Your Connected Assets Security Strategy.”

A critical factor in this battle is the large number of devices that connect to hospital networks. These can range from laptop computers used by clinicians to smartphones, Internet of Medical Things (IoMT) devices, smart TVs, and even vending machines, said Kristopher Kusche, VP and CISO at Albany Medical Center, a five-hospital system based in upstate New York.

Managing the multiplicity of devices is made more challenging because of the ease with which they connect to hospital networks, either directly by cables, or increasingly through WiFi or Bluetooth, Kusche added.

Further complicating the matter is the fact that more of these devices are being used “outside the four walls of the hospital,” said Jonathan Langer, co-founder and CEO of Medigate, largely for telehealth and remote patient monitoring.

Todd Greene agreed, adding that wireless connections have expanded the footprint for vulnerability. “Wireless is quite ubiquitous in any organization, and trying to figure out how to protect networks is a big issue,” noted Greene, who is VP and enterprise CISO for Atrium Health, one of the nation’s five largest health systems.

Executive involvement

Kristopher Kusche, VP & CISO, Albany Medical Center

As healthcare organizations make decisions on purchasing these smart and connected devices, it’s important for IT executives to be involved in the process, particularly to ask pointed questions about security protocols and whether they can transfer patient data to the cloud, he said. For example, when Atrium wanted to standardize on one brand of infusion pump across its system, IT provided its security perspective on the purchase of potentially thousands of the devices. That included subjecting the top candidates to penetration testing to ascertain whether manufacturers’ claims could be verified.

At Albany Medical Center, a biomedical security program is in place that mimics what the health system uses to assess and mitigate risks through its IT security program, “and that begins at acquisition, vetting the solution and going through a risk assessment process, even before it gets into your environment,” Kusche said.

Beyond that, IT departments need special awareness of the potential risks and, in many cases, their lack of sophistication in managing the vulnerabilities, he said. “We understand that our typical IT toolsets can’t handle medical devices in the way we need to; we do use technologies that allow us to have a real-time view into these devices. You have to understand they are a little different and then compensate for those differences,” he noted.

This is where microsegmentation – a practice that puts medical devices on networks that don’t connect directly to the backbone supporting major IT systems – can offer an effective layer of protection, according to Greene. For some classes of devices, “we have elected to firewall those off and restrict them to only the access they need to have,” he said. His department also amps up oversight of any devices that send data to the cloud.

Management by committee

Both Albany and Atrium use committee structures that review security practices. Pulling participants from across the organization, these panels review medical device vulnerabilities and can make tough recommendations on practices, mitigating some of the backlash that IT departments might face from always having to nix actions because of security concerns.

Jonathan Langer, Co-founder & CEO, Medigate

IT departments often are left to manage these complex device challenges with few resources, said Langer. “Security patching is hard because of the diversity of devices, and it’s a whole process – not just technology – that systems need to go through to ensure that vulnerabilities are remediated.” Security patches are hard to come by because device manufacturers often contend that issuing them would require reconfirming that the new programming doesn’t compromise the device or patient safety. Greene said that position is often an excuse used by device manufacturers, and more needs to be done to ensure timely release of security-related patches for devices.

Large providers need to band together to talk to vendors about getting needed security patches faster, Langer noted. “Several of our customers have worked together in a collaborative approach with vendors to get better outcomes – that changes the dynamic. Some forward-leading manufacturers understand that the dynamic has changed.”

The key nowadays is to have a strong security foundation, Greene concluded. “We’re trying to build cybersecurity at the foundation, so it’s constantly at the forefront of our minds; it’s built into each one of those steps, so that onboarding is really a risk review. If data is being sent outside the organization, let’s get the data governance office involved. And we also have a risk management strategy that is uncovering risks associated with connected devices.”

To view the archive of this webinar — Leveraging Risk Management as a Cornerstone of Your Connected Assets Security Strategy (Sponsored by Medigate) — please click here.

Copyright © 2022 HealthsystemCIO.com.