How health systems can leverage their buying power for safer medical devices
CISOs and CIOs know all about plugging holes to prevent cyber criminals from entering their networks. One of the biggest and most enduring sources of these holes is medical devices, of which there are countless in a hospital or health system.
Provider organizations have been at the mercy of medical device manufacturers and their security practices. This has long been a source of frustration: many devices are designed and built with little attention to security, and IT has very little ability to remedy known and emerging security issues on them.
Healthcare IT News sat down with Samuel Hill, director of product marketing at Medigate, a healthcare cybersecurity and asset management company, to discuss the problem of medical device security, leveraging buying power with medical device manufacturers, and buying devices that lower risk.
Q. Why is medical device security such a major problem?
A. With so many things that connect to the healthcare network, the resulting environment is volatile and dynamic. Devices move, and their connection points change, so security policies must be agile enough to be consistent in their effectiveness no matter how and where they connect.
The significant threat is that a device becomes compromised and negatively impacts patients. The combination of poor device security and inadequate healthcare organization controls drives the central problem in device security we see today. Whether that impact is stolen patient data or impeded care, neither outcome is acceptable.
Medical devices are inherently insecure, and while there have been some recent gains in this area, most healthcare organizations still have thousands of risk-exposed medical devices. It can take years for a known vulnerability to receive a software patch. The healthcare organization has to use compensating controls to keep these devices with known issues from being weaponized by bad actors against them and their patients.
Additional challenges arise from gaps in knowledge about the devices and their use. Without a clear understanding of what connects to the network, valid and prescriptive security policies are impossible. Unfortunately, many healthcare organizations simply do not have the detailed knowledge about what devices are connected and those that aren't, making securing them nearly impossible.
Q. The large amount of money healthcare provider organizations spend on medical devices every year should give them enormous buying power. Do providers know enough about the devices and how they are used and secured to leverage their buying power in their negotiations?
A. Typically, healthcare organizations use their buying power to negotiate better pricing for the fleet of devices. While this is undoubtedly a necessary and good thing, they may not account for the opportunity cost or risk associated with device security. With more information about a specific device and the fleet it belongs to, the healthcare organization can look at general trends to inform their purchasing decisions.
One key trend to look at would be device fleet utilization. On average, an IV pump sits idle about 58% of the time, so more efficient utilization of existing equipment can help reduce the need to buy more.
Utilization rates of different models of the same device type can also hint at frontline staff preference. Consolidating multiple device types based on frontline preference will improve efficiency and increase overall healthcare organization buying power.
Another trend to note is the number and severity of known vulnerabilities and exploits for a particular device. I would argue that one of the more powerful ways healthcare organizations can leverage their buying power for the good of their organization would be to select more secure devices.
This financial pressure on the device manufacturers will hopefully drive a higher level of security for their devices from the get-go.
Q. You've said to better secure medical devices, provider organizations should choose to buy devices that lower risk. How do the organizations go about this?
A. Without knowing the overall security impact of a device, it is hard to select more secure ones. It comes down to having the correct information in the right location to impact the decision process. By applying the fundamental work of collecting accurate device information on the network and potential devices, healthcare organizations can make better decisions.
In addition to looking at the MDS2 forms for each device, understanding the known CVEs or recalls will guide long-term investment strategy. Each of these data points is useful, but the healthcare organization should take the extra step to ingest this information to be usable in their decision-making process.
An example would be the ability of a device to be patched. Some manufacturers require their technicians to apply a software or firmware patch, which can add lengthy amounts of time to remediation. Knowing this allows the healthcare organization to plan for this time delay or purchase devices that enable patching by either a third party or the healthcare organization team themselves.
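The answer above describes ingesting several data points about a candidate device (known CVEs, recalls and who is allowed to apply a patch) so they can drive the purchasing decision. The script below is an added illustration of that idea, written for this page; it is not Medigate's product logic or anything the interviewee described in detail. The device models, CVE identifiers, recall counts and weightings are all constructed placeholders; the CVSS v3 severity thresholds are the standard qualitative bands.

```python
"""Rank candidate device models for procurement by security attributes.

Added example for illustration. All device records, CVE ids, recall
counts and weights below are constructed placeholders, not real data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Vulnerability:
    cve_id: str      # placeholder id such as "CVE-EXAMPLE-1", not a real advisory
    cvss: float      # CVSS v3.x base score (0.0 to 10.0)
    patched: bool    # vendor has shipped a fix the buyer can actually obtain


@dataclass
class DeviceModel:
    name: str
    patch_model: str   # "in_house", "third_party" or "vendor_technician"
    recalls: int       # open recalls affecting this model (constructed)
    vulns: List[Vulnerability] = field(default_factory=list)


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity band."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


# Constructed weights: tune these to the organization's own risk appetite.
SEVERITY_WEIGHT: Dict[str, float] = {
    "critical": 10, "high": 6, "medium": 3, "low": 1, "none": 0}
# Who may apply a patch drives remediation delay, so it carries a penalty.
PATCH_MODEL_PENALTY: Dict[str, float] = {
    "in_house": 0, "third_party": 2, "vendor_technician": 8}
RECALL_PENALTY = 5
# A patched flaw still costs a fraction: the fleet must be updated on the
# vendor's schedule before the exposure is gone.
PATCHED_DISCOUNT = 0.25


def risk_score(dev: DeviceModel) -> float:
    """Lower is better. Sums vulnerability weight, patch-model and recall penalties."""
    vuln_part = 0.0
    for v in dev.vulns:
        w = SEVERITY_WEIGHT[cvss_severity(v.cvss)]
        vuln_part += w * PATCHED_DISCOUNT if v.patched else w
    return (vuln_part
            + PATCH_MODEL_PENALTY[dev.patch_model]
            + RECALL_PENALTY * dev.recalls)


def rank_candidates(devs: List[DeviceModel]) -> List[Tuple[str, float]]:
    """Return (name, score) pairs, least risky first; ties broken by name."""
    return sorted(((d.name, risk_score(d)) for d in devs),
                  key=lambda pair: (pair[1], pair[0]))


# Constructed candidate fleet for one device type (e.g. infusion pumps).
CANDIDATES = [
    DeviceModel("Pump-A", "vendor_technician", recalls=1, vulns=[
        Vulnerability("CVE-EXAMPLE-1", 9.8, patched=False),
        Vulnerability("CVE-EXAMPLE-2", 5.3, patched=True)]),
    DeviceModel("Pump-B", "in_house", recalls=0, vulns=[
        Vulnerability("CVE-EXAMPLE-3", 7.5, patched=True)]),
    DeviceModel("Pump-C", "third_party", recalls=0, vulns=[]),
]

if __name__ == "__main__":
    for name, score in rank_candidates(CANDIDATES):
        print(f"{name:8s} risk={score:6.2f}")
```

The point of the weighting is that a model with no known CVEs is not automatically the safest choice: Pump-C has a clean vulnerability record but still scores slightly worse than Pump-B because its patching depends on an outside party, which is exactly the remediation-delay trade-off the answer above describes.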
Q. What is the most important piece of advice on this issue that you would impart to CISOs, CIOs and other health IT leaders?
A. One of my favorite definitions of leadership comes from Ronald Heifetz. He roughly defines leadership as mobilizing a group of people to handle tough challenges and emerge triumphant in the end.
This hypothesis is true in healthcare, as the need for security has been well-defined, but the tough challenges remain. It is time for those willing to lead to have the hard conversations with people, including device manufacturers, who may not want to follow the logical, proven security direction you are showing them.
The number of people engaged on this journey includes your internal teams and external partners, including the device manufacturers.
I would suggest starting with a simple gap analysis about what your organization knows concerning secure network connections. Having incomplete information will only hinder any strategic improvement to your security posture, so knowing where the gaps are is the first step to filling in the needed details. Once you are comfortable with the data foundation, you can assess the following steps and strategic planning.
Collaboration is vital, which is not new advice by any stretch of the imagination. Just because security is complex doesn't mean it is impossible or leaders should avoid appropriate next steps.
As Heifetz states, "The goal is triumph in the face of adversity!" One key to this victorious emergence should be a common data platform that all stakeholders can refer to when making decisions about medical devices. As with most things in life, with better data, healthcare organizations can make better decisions.
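The gap analysis the interviewee recommends starts from the question of what the organization knows about its connected devices. The script below is an added illustration written for this page, not Medigate's code, of the simplest form of that analysis: reconciling the asset inventory against what is actually observed on the network. The inventory records, MAC addresses, IPs and VLAN names are constructed sample data, and matching on MAC address is an assumption chosen for the example (a real deployment would usually correlate on several attributes).

```python
"""Inventory-versus-network gap analysis for connected medical devices.

Added example. All asset tags, MAC addresses, IPs and VLAN names are
constructed; matching on MAC alone is a simplifying assumption.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class InventoryRecord:
    asset_tag: str
    mac: str
    expected_vlan: str   # the segment this device is supposed to live on


@dataclass(frozen=True)
class Observation:
    mac: str
    ip: str
    vlan: str            # segment where the device was actually seen


def normalize_mac(mac: str) -> str:
    """Canonical form so "AA-BB-..." and "aa:bb:..." compare equal."""
    return mac.strip().lower().replace("-", ":")


def gap_analysis(inventory: List[InventoryRecord],
                 observed: List[Observation]) -> Dict[str, List[str]]:
    """Three lists of gaps: devices on the wire the inventory does not know,
    inventoried devices never seen, and known devices on the wrong segment."""
    inv_by_mac = {normalize_mac(r.mac): r for r in inventory}
    seen_by_mac = {normalize_mac(o.mac): o for o in observed}

    unknown_on_network = sorted(m for m in seen_by_mac if m not in inv_by_mac)
    never_seen = sorted(r.asset_tag for m, r in inv_by_mac.items()
                        if m not in seen_by_mac)
    wrong_segment = sorted(
        f"{r.asset_tag} expected={r.expected_vlan} seen={seen_by_mac[m].vlan}"
        for m, r in inv_by_mac.items()
        if m in seen_by_mac and seen_by_mac[m].vlan != r.expected_vlan)

    return {"unknown_on_network": unknown_on_network,
            "never_seen": never_seen,
            "wrong_segment": wrong_segment}


# Constructed asset inventory (e.g. from the CMMS or CMDB export).
INVENTORY = [
    InventoryRecord("A-001", "AA:BB:CC:DD:EE:01", "clinical-iot"),
    InventoryRecord("A-002", "AA:BB:CC:DD:EE:02", "clinical-iot"),
    InventoryRecord("A-003", "AA:BB:CC:DD:EE:03", "imaging"),
]

# Constructed observations (e.g. from switch MAC tables or passive monitoring).
OBSERVED = [
    Observation("aa:bb:cc:dd:ee:01", "10.20.1.11", "clinical-iot"),
    Observation("aa:bb:cc:dd:ee:03", "10.40.9.5", "guest"),
    Observation("aa:bb:cc:dd:ee:04", "10.20.1.77", "clinical-iot"),
]

if __name__ == "__main__":
    for category, items in gap_analysis(INVENTORY, OBSERVED).items():
        print(category)
        for item in items:
            print("  ", item)
```

Each of the three output lists maps to a different follow-up: an unknown MAC on a clinical segment needs identification before any policy can be written for it, a never-seen asset may be retired or misrecorded, and a known device on an unexpected segment is the kind of "connection point changed" case the first answer warns about.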
Twitter: @SiwickiHealthIT
Email the writer: bsiwicki@himss.org
Healthcare IT News is a HIMSS Media publication.