When it comes to medical devices, the old adage, ‘what you see is what you get,’ doesn’t quite hold true. As many CIOs and CISOs are learning, the devices they can ‘see’ often account for a small percentage of what’s actually on the network.
That lack of visibility, according to Carter Groome, CEO of First Health Advisory, is putting organizations at risk. “It’s a quagmire,” he said during a recent panel discussion, which also featured Matt MacVey (CIO, Children’s National Hospital) and Thomas Finn (Director of Market Development, Medigate). Not only are there “massive amounts of devices” out there, but there’s also a great deal of variance among them, which can pose a significant challenge for leaders.
“The scope of the problem is greater than most people recognize,” said Finn, who estimated just 15-20 percent of organizations have invested in platforms that provide visibility and insights into what’s out there.
On the other hand, those that have made it a priority can reap the benefits, noted Groome. “When you have that information at your fingertips, you can make quicker decisions as to which assets need to be addressed, and you can respond to threats much quicker. That’s a huge step forward.”
“Confidence in knowing”
Before that can happen, however, there are some steps that need to be taken, the first of which is assessing what’s out there — and preparing to be shocked. At Children’s National Hospital, for example, more than 50,000 devices were detected on the network over a period of six months. But it’s not just about the numbers, noted MacVey. It’s knowing whether devices are managed and ensuring there are “clear lines of accountability and ownership.”
The problem is that medical devices weren’t manufactured with security in mind, said Finn, which means vulnerability scans can’t be done remotely without violating warranty provisions. “There needs to be a passive method to help get your arms around the problem,” he added, one in which information can be safely aggregated from devices and parsed directly from network traffic flows.
At the same time, it can’t be treated like a security or network issue; it must be viewed as a shared responsibility, said Groome. “There are so many stakeholders that need to be involved,” including supply chain and clinical, among others. “It’s a never-ending commitment. But if you don’t have the confidence in knowing what you have — what’s in your inventory and how the devices are behaving — none of it matters. If you’re not getting accurate data into the hands of people who can do something about it, it’s futile.”
Finn concurred, adding that although there are many different paths to remediation, they all start at the same place: gaining visibility into assets so that the right policies and procedures can be implemented.
Having this type of visibility, however, can be jarring, said MacVey. When his team implemented Medigate’s platform, they found “tremendous decentralization across the organization,” with devices being managed across different departments and divisions. It became very clear where they needed to focus their energies. In addition to creating a roadmap, Children’s created a “much more robust governance process where we’re sharing data metrics, outcomes, and approaches to what we’re doing,” said MacVey. One of the key principles was transparency, which helps ensure that the entire organization knows what’s happening, and that responsibility doesn’t fall squarely on the shoulders of IT and security.
The team, led by Nate Lesser (CISO, Children’s National Hospital), is taking the roadmap beyond the original confines. “They’re driving it in a very positive direction by explaining it and putting it into context for our clinical care delivery and our management teams, and even the board.”
Power of Metrics
The most effective way to do that, they found, is by relying heavily on metrics, particularly with labor and supply chain-related expenses outpacing reimbursement rates. It means being able to demonstrate, using data, “where we need to go from a risk posture perspective, across a variety of complex technical areas, and be able to articulate that to key stakeholders in a way that helps put a fine point on what the risks are and how we want to mitigate them,” said MacVey. Leaders need to be able to communicate not just the level of investment required, but what tradeoffs may need to happen.
To that end, Lesser and his team developed a cybersecurity risk index that describes key metrics in a way that is “digestible and understandable” by the executive team. It also enables them to track the progress of those metrics across a range of categories, and work with governance and oversight groups to make decisions as to how many devices can exist within the environment.
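As an added illustration (not Medigate’s product or Children’s National’s code), the following sketch ties together the passive, traffic-derived inventory Finn describes and the executive-facing risk index Lesser’s team built: it aggregates constructed flow records per device, joins them to a constructed asset register to mark which devices have an accountable owner, and summarizes time to remediation. The DICOM-port heuristic, the register, and the remediation dates are all assumptions made for the example.

```python
from datetime import date
from statistics import mean

# Constructed sample flow records (src_mac, src_ip, dst_port, dhcp_vendor_class),
# standing in for what a passive tap or SPAN feed would yield.
FLOWS = [
    ("00:1a:2b:00:00:01", "10.4.1.10", 104, "InfusionPump-XYZ"),
    ("00:1a:2b:00:00:01", "10.4.1.10", 443, "InfusionPump-XYZ"),
    ("00:1a:2b:00:00:02", "10.4.1.11", 104, "CT-Scanner-ABC"),
    ("00:1a:2b:00:00:03", "10.4.1.12", 104, ""),  # unknown device speaking DICOM
    ("aa:bb:cc:00:00:09", "10.4.2.50", 22, "Workstation"),
]
# Constructed asset register: MAC -> owning department (absent = nobody accountable).
REGISTER = {"00:1a:2b:00:00:01": "Biomedical Engineering",
            "00:1a:2b:00:00:02": "Radiology",
            "aa:bb:cc:00:00:09": "IT"}
# Constructed remediation log: (date found, date fixed or None if still open).
REMEDIATIONS = [(date(2024, 1, 10), date(2024, 1, 20)),
                (date(2024, 1, 15), date(2024, 2, 4)),
                (date(2024, 2, 20), None)]
TODAY = date(2024, 3, 1)
DICOM_PORT = 104  # assumption: DICOM traffic marks a clinical imaging device


def build_inventory(flows, register):
    """Aggregate flows per MAC, then join to the register for ownership."""
    inv = {}
    for mac, ip, port, vendor in flows:
        e = inv.setdefault(mac, {"ip": ip, "ports": set(), "vendor": "", "clinical": False})
        e["ports"].add(port)
        e["vendor"] = e["vendor"] or vendor
        e["clinical"] = e["clinical"] or port == DICOM_PORT
    for mac, e in inv.items():
        e["owner"] = register.get(mac)
        e["managed"] = e["owner"] is not None  # accountability, not just presence
    return inv


def risk_index(inv, remediations, today):
    """Executive-facing metrics: unmanaged share and time to remediation."""
    unmanaged = [m for m, e in inv.items() if not e["managed"]]
    closed = [(fixed - found).days for found, fixed in remediations if fixed]
    still_open = [(today - found).days for found, fixed in remediations if not fixed]
    return {
        "devices_seen": len(inv),
        "unmanaged_pct": round(100 * len(unmanaged) / len(inv), 1) if inv else 0.0,
        "unmanaged_clinical": sum(inv[m]["clinical"] for m in unmanaged),
        "mean_days_to_remediate": mean(closed) if closed else None,
        "oldest_open_days": max(still_open, default=0),
    }
```

Feeding real flow data in place of the constructed records turns the same two functions into a trend line: the unmanaged-clinical count and the mean days to remediate are the kind of numbers a board can follow from one quarter to the next.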
The ability to leverage data in the context of risk management has been “a game-changer,” according to MacVey. By publishing trends indicating a reduced opportunity for vulnerabilities and sharing the information through dashboards, Children’s is able to “tell the right story,” he noted. “As we gain a better understanding of not just the devices in our environment, but also their characteristics, we’re reminded how much we need to do in order to bring down the average time to remediation.” And by providing metrics in a risk-based context, they’re able to justify the expenditure.
This is critical, noted Groome, even for organizations like Children’s where the board has demonstrated a commitment to reducing cybersecurity risks. “When you provide objective KPIs and measures to show that the investment is actually moving the needle, that’s really important.”
MacVey agreed, adding that it can go a long way toward securing long-term investments. “These systems are so important in getting the visibility needed to identify threats and vulnerabilities,” he said. “By showing the data to our stakeholders, we can continue to build a robust program.”
Finally, it’s critical to ensure that those metrics align with the overall business goals of the organization so that assessment and mitigation becomes “an enterprise risk discussion,” noted Groome. “It has to fit in with all of the other areas in the context of risk, and what those metrics allow organizations to do. If it’s good data, it lets you make decisions on how to allocate resources. It really helps with the conversation.”
To view the archive of this webinar — Wrapping Medical Device Utilization Data & Performance Metrics in a Risk Context to Improve Threat Detection & Response (Sponsored by Medigate) — please click here.