Dec 6, 2022

Chapter 5: How to minimize the clinical risks of unsecured healthcare devices

Hospital ransomware attacks

With the explosion of connected devices in hospitals, clinical risk management requires complete asset visibility and continuous cyber threat monitoring. Hospitals need to secure vulnerable healthcare devices and systems and respond quickly to incidents in order to ensure patient safety and quality of care. 

Cyber risk for healthcare organizations has increased, according to 85% of the IT pros who responded to the Armis Censuswide survey. The concern is with cyberattacks that can lead to data breaches and operational disruption, ultimately impacting care delivery.

In this article, part of our Internet of Medical Things (IoMT) series, we look at how healthcare asset visibility and utilization analytics help to minimize those clinical risks.

Track all connected healthcare assets in real time

Healthcare asset management involves tracking, maintaining, and monitoring machinery, equipment, and physical assets within hospitals or clinics. This market is expanding and is expected to reach $370.81 billion by 2029, a 46.9% CAGR from 2022, per Data Bridge Market Research.

The push toward healthcare digital transformation, including the growing proliferation of interconnected devices and systems, makes clinical asset management more challenging.

A growing number of vulnerability points expands the healthcare attack surface

Connected devices are everywhere in hospitals, from admission to discharge. Examples include:

  • Admission devices: check-in kiosks, computers and printers at the reception, smart TVs and sound systems in the waiting room etc.
  • During and aftercare: CT scanners, infusion pumps, lab analyzers, nurse call systems, drug dispensing cabinets, asset tracking systems for wheelchairs, implantable devices (e.g. pacemakers and neurostimulators), smart patient rooms with fall detection systems etc.
  • Discharge: telemedicine, remote patient monitoring kits, smart glucometers and pulse oximeters, billing and payment systems etc.

Operational technology (OT) is also pervasive in clinical environments. Fire alarms, automated doors, HVAC solutions, elevator control systems etc. all expand the attack surface within healthcare. And we can’t forget that patients are bringing their own Internet of Things (IoT) devices, such as smartwatches and even connected cars. Bring your own device (BYOD) practices among healthcare workers also increase the attack surface.

Cyber risks don’t come only from IT and vulnerable medical devices, such as legacy imaging machines with unpatched systems. OT and IoT devices are vulnerable, too, as they are often unmanaged and cannot be secured through traditional security tools such as agents and scans. According to the report State of IoT Security: A Spotlight on Healthcare, 63% of healthcare delivery organizations (HDOs) have dealt with one or more security incidents related to unmanaged IoT devices.

Patient safety is the top priority

About three out of four potential patients recognize that a cyberattack could impact the quality of care, per findings from the Armis Censuswide survey. Half of the potential patients said they were worried about an attack shutting down hospital operations and potentially affecting care delivery.

The solution? Organizations need a complete, updated inventory of all their healthcare devices and the risks they pose. With comprehensive asset visibility, you can understand where your devices are located and how they are being used. 

You can ask what type of scan a device is performing, when, and where the data is sent. This type of information helps to identify suspicious behavior that could cause a data breach — for example, if there’s a CT scan transmitting unencrypted data or communicating with an unsanctioned server in a foreign country. With this type of insight, security teams can not only detect risks but also prioritize remediation.

Make decisions informed by clinical device utilization analytics

Clinical device utilization analytics is also critical to improving patient care delivery. With Armis, hospitals can look at device utilization heat maps to understand when and where assets are most used.

Armis Platform dashboard showing device utilization over time

Equipped with medical device utilization insights, clinical engineering teams can make data-driven decisions on how to improve the quality of care and ensure return on investment (ROI). Here’s how:

Procurement decisions

Hospitals can make procurement decisions based on data. For example, clinical teams can understand the usage and capacity of certain equipment and ask the following questions: Do we have to delay treatment due to equipment shortage? Do we need to purchase additional equipment? Why isn’t a device being used? Is it out of service or is there a decreased demand?

Maintenance planning

Knowing when healthcare assets are not used helps with scheduling downtime or preventive maintenance. Let’s say you need to carry out a change management process and touch all clinical devices to repoint them to a different server. You can use insights on device and data utilization in healthcare to determine the optimal time to execute this process without impacting patient care.

Better staffing

Clinical utilization data also enables you to understand if your medical equipment is used to its full capacity. You can see what types of devices are used the most and when. Hospitals can staff accordingly to improve operational efficiency and ensure the quality of care; for example, by shifting staff to peak times based on device utilization.

Explore more use cases for medical device utilization analytics. Watch our webinar.

What type of healthcare risk management solution do you need?

Given the nature of the medical device ecosystem, you need a hospital asset management solution that can provide complete visibility across all types of devices: IT, OT, IoT and IoMT. Your solution needs to be passive, work in real time, and understand the context across IT and biomedical silos. Traditional agent-based security tools don’t meet the needs of connected healthcare devices.

Thanks to a passive agentless technology, Armis identifies, monitors, and secures all IT, OT, IoT, and IoMT assets in a single purpose-built platform, unifying the needs of biomedical, security, and IT teams. 

With Armis Collective Asset Intelligence Engine, which tracks over three billion assets, you can understand what each device is, what it’s doing, and what it should be doing. With enhanced clinical risk management, a healthcare facility can then better identify vulnerabilities and prioritize actions with the highest impact on patient care. 

Request a custom demo to see Armis in action.

Frequently Asked Questions

What is clinical risk management?

Clinical risk management is the detection, monitoring, assessment, prevention, and mitigation of clinical risks. The purpose of risk management in healthcare is to minimize risks to patient care by understanding what could go wrong and what preventive measures to take.

What are the riskiest devices in hospitals?

Building systems (e.g. HVAC) are the riskiest technology, according to 54% of healthcare IT professionals in the Armis Censuswide survey. The report also lists among the riskiest devices in healthcare: imaging machines (43%), medication dispensing equipment (40%), and kiosks for check-in (39%).

What are examples of clinical risks related to cyberattacks?

Delays in care and incorrect treatments are examples of clinical risks related to cyberattacks. A security breach could lead to data theft, device or data tampering, and operational disruption. As a result, clinicians could lose access to the data or systems needed to deliver care. In fact, ransomware attacks have caused the rerouting of emergency patients and the postponement of surgeries.

Check out all IoMT Playbook Chapters:

  1. Chapter 1 – How to innovate in healthcare with IoMT devices without exposing the expanding cyber attack surface
  2. Chapter 2 – The Hurdles of Internet of Medical Things Security
  3. Chapter 3 – A history of medical device hacking
  4. Chapter 4 – How to mitigate ransomware in healthcare
  5. Chapter 5 – How to minimize the clinical risks of unsecured healthcare devices 👈 you are here
  6. Chapter 6 – How to improve patient data security
  7. Chapter 7 – Why healthcare IT security can’t protect against IoMT vulnerabilities
  8. Chapter 8 – How to spot the top indicators of compromise in healthcare
  9. Chapter 9 – The fundamentals of medical device cybersecurity 
