Baselining security concepts for health technology management professionals

Healthcare organizations typically deploy medical device security initiatives that bring together information security and clinical engineering workflows.  While pairing IT and cybersecurity knowledge with patient safety and medical device risk management expertise ​​is important to secure and safe operations, it’s also challenging. The problem is that separate teams are responsible for disparate computerized maintenance management systems (CMMS) and IT asset management systems. Healthcare technology management (HTM) and IT teams not only manage CMMS and asset management systems using different approaches, but they also have different knowledge bases, use different terminology, and may only interact on a limited basis. This combination of factors leads to data silos, multiple versions of the truth, and increased risks to organizational systems and patients.

Addressing Challenges to Multidisciplinary Teams in Healthcare

To address the disconnect, healthcare organizations need to create baseline terminology that facilitates communication of key security concepts for clinical engineering and operation personnel. Common language will help teams correlate cybersecurity with asset management, compliance, and clinical quality.

Armis addressed how firms can do this in our Security 101 for Clinical Engineering and Biomed Professionals webinar, which featured care delivery systems expert Carol Davis-Smith, Armis’ Field CTO for Healthcare Oscar Miranda, and host Sumit Sehgal, a strategic product marketing director at Armis.

The webinar covered vital questions to consider when it comes to IT and healthcare teams working together, including:

·       How do security principles help with clinical safety?

·       What are IT and medical device ecosystems?

·       How does IT and device behavior assessment help healthcare organizations?

·       What are CVEs and how do healthcare firms address them?

·       How can IT and healthcare teams collaborate on incident response?

Read on for a quick overview of each area.

How do security principles help with clinical safety?

The IT world is guided by security principles designed to help businesses protect their data, devices, networks, and users. For example, the Center for Internet Security (CIS) advises 18 Critical Security Controls for optmizing  the protection of assets and systems against cyber threats. 

The first CIS Control  for enterprises is “Inventory of Control of Enterprise Assets.” An asset inventory is a top priority because it enables businesses to actively manage and monitor devices, including Internet of Things (IoT) and medical devices. This recommendation helps enterprises ensure control and visibility of all their assets, whether they’re physically or wirelessly connected. In addition to ensuring security, however, data needs to be readily available and accessible to end-users.

In the healthcare world, organizations typically have an established approach for maintaining asset inventories that helps them understand and manage their devices. The focus tends to be managing medical device lifecycles  and triggering maintenance if an asset goes down.

What are IT and medical device ecosystems?

An IT approach to medical device ecosystems tends to focus on securing patients information and the devices they interact with throughout their care delivery journey. For example, it protects them from the moment they are admitted to a hospital, have the treatment they require, and are discharged. An excellent example of this is self-registration kiosks, which help medical organizations free up resources and deliver clinical workflow efficiency.

Healthcare organizations are also reliant on non-connected OT and medical devices. As they add more devices to their networks, it becomes crucial for healthcare technology management (HTM) teams to have good relationships with IT.

If a system goes down or is taken offline for maintenance or to fix a fault, it could have an adverse impact on the performance of other systems, including medical devices. It’s therefore vital for IT and medical teams to have a collaborative understanding of how each other’s processes and systems work.

How does IT device behavior assessment help healthcare organizations?

IT security teams typically operate by assessing medical devices and systems for anomalous behavior. This process works by establishing a baseline of regular activity that allows security teams to identify deviations, including devices that repeatedly go offline and back online or unusual traffic spikes. Such activity could indicate malicious threats like a potential data breach or ransomware that need to be addressed by security operations teams.

HTM teams also monitor the behavior of their medical devices, but they are more focused on drops in activity that could indicate performance issues or failures. Utilization is an increasingly important focus for biomed professionals, who are always looking for better methods to measure and utilize device behavior. So the combined knowledge that IT and security teams bring to the table can help medical organizations develop more effective cyber strategies.

What are CVEs and how do healthcare firms address them?

The Common Vulnerabilities and Exposure (CVE) Program shares a public list of known vulnerabilities in computer security systems, code, and software. A vulnerability is a flaw or weakness in code and software that can result in a data breach, while an exposure refers to a misconfiguration or one-off security event.

All reported CVEs are given an ID number that enables organizations, researchers, and vendors to easily track knowledge associated with the flaw. CVE knowledge is crucial to helping healthcare teams securely deploy and manage new technology and connected systems.

A crucial part of analyzing CVEs is including legacy  devices that haven’t traditionally connected to other assets and networks, which leaves them vulnerable to cyber-attacks. Their firmware is also susceptible to medical device security vulnerabilities and typically has limitations on patching and installation of security software. As a result, CVE issues affecting these types of devices, such as pacemakers, could be susceptible to attacks thereby affecting quality of care.

How can IT and clinical teams collaborate on healthcare incident response?

The ability of IT security and HTM teams to collaborate is directly affected by the different terminology and approaches used by each team. An approach that is clinically strategic but technologically tactical is essential. Part of the challenge is aligning the understanding of HTM teams on key security team terms like emergency, event, and incident. They then need to ensure workflow impact and operational context flows freely between teams to encourage more effective collaboration and sharing.

Healthcare professionals and IT and security teams can learn from each other when it comes to incident response:

• IT teams help organizations detect, contain, and recover from cyber-attacks, and help them understand the importance of network design.
• Healthcare teams can help IT and security understand the clinical context and impact of devices being switched off.  

By placing greater focus on post-event activity, healthcare organizations can better understand whether the right processes are in place to keep their patients safe and their devices secure.

Collaboration is key to healthcare security

Collaboration and data sharing between IT security and HTM professionals is crucial in improving the effectiveness of healthcare incident response and recovery. By working together, the teams can ensure medical devices work as expected and don’t suffer unscheduled downtime or maintenance that puts patient safety at risk.

Discover the keys to helping security and medical professionals work together.

The Armis Platform for Healthcare is the industry’s most comprehensive asset intelligence platform. Learn how you can get complete visibility and maximize security across all managed or unmanaged medical devices, clinical assets, and the entire healthcare device ecosystem.

Related Articles:

• IoMT Playbook – Chapter 1
• Choosing and Using Healthcare IT Metrics and KPIs for Medical Device Security