Safeguarding IoMT and connected devices is an ongoing challenge
Photo: Martin Barraud/Getty Images
Next week at the HIMSS Healthcare Cybersecurity Forum in Boston, experts specializing in connected health, medical devices, internet of things and clinical engineering will take the stage for a discussion on "IoT, IoMT, and OT: Safeguarding the Connected Hospital."
These IT and infosec leaders, from University of Pennsylvania, UVA Health, Mayo Clinic and other healthcare organizations, will compare notes and share hard-earned perspective about the ongoing challenges of connected medical devices, and how they're developed, deployed and put to use in clinical workflows.
They'll discuss evolving federal regulatory requirements, the responsibilities of manufacturers, the role of healthcare providers in helping ensure device safety and other security imperatives for connected health.
Ali Youssef, director of medical device and IoT security at Detroit-based Henry Ford Health, is scheduled to participate in the HIMSS panel. We spoke recently to get his perspective on medical device security.
A. Could you say a few words about your connected medical device and IoT program at Henry Ford Health? What's the scope of it, what do you have deployed, and what are some of your main challenges?
Q. The big challenge for us is really how this subset of devices is unique compared to typical IT assets and how the approach to deal with them is very different from how you would deal with a traditional IT asset. I think our IT organization and many others around the country have a certain level of maturity when it comes to dealing with standard IT assets like servers, PCs, things of that nature. But a lot of that toolkit is not really relevant when you're dealing with medical devices and IoT devices.
Because the level of invasiveness of some of the scans, for example, can cause issues with these types of devices. They're not built in the same manner; they're really built with function in mind first. So clinical efficacy, safety and some of the things that we traditionally think of in an IT or information security setting are really not top of mind for a medical device design engineer.
I think that's changing over time right now. But we're still in a scenario where we cannot do invasive security scans or deep security scans on medical devices and IoT devices. There's a possibility that will break their core clinical functionality.
So in looking at toolsets, one of the first things that we did was a gap analysis, and we quickly discovered that you need a medical device and IoT security management platform that's built for that scenario. It's passive in nature. It's just capturing traffic and analyzing it, as opposed to probing devices or trying to do anything more invasive than that.
So the first thing for us is getting a handle on, No. 1, our inventory; No. 2, putting in a dedicated tool that can help give us visibility around the vulnerabilities associated with these types of devices, FDA recalls, any anomalous traffic behavior: If we're expecting a certain baseline with a device and for some reason it doesn't follow that baseline, getting notified immediately when those types of scenarios arise.
Those were the critical things for us, because to do these things manually, it's almost impossible. If you're trying to look at emerging vulnerabilities, which we're seeing, on average, I think the number is 50 a day. Now, it might even be more than that.
Trying to correlate that number to, whether it's actually relevant to us – is it relevant to devices that we have in our inventory or on our network? It would take an army of people to accomplish that work. So having a tool to address that is one of the foundational pieces that's needed here. That way, that correlation happens automatically. The tool can determine, yes, there was this vulnerability that just came out, and by the way, it's impacting these specific devices on your network. I think that was probably the most impactful element.
"Patient safety is dependent on having cybersecurity in place and managing these devices appropriately. So it's becoming increasingly important for that cross-training to occur."
Ali Youssef, Henry Ford Health
The other piece is just having governance in this space, making sure that your policies are updated appropriately to reflect medical devices, especially when it comes to business continuity. Making sure we understand how to react if a specific device type were to go offline, whether it's a security incident or not.
If you lose the ability for IV pumps to communicate on the network, what does that mean? How do you make sure that your nurses and clinicians are trained and understand when they can use drip bags, versus when is it a requirement to have an IV pump? Will they function, even, without a network connection, will they function safely? So there's a lot of considerations like that.
And then from a governance standpoint, just having a steering committee and an operational work group – and it's different from typical IT programs because it has to be cross-functional. We're dealing with heads of different departments. You might have the head of radiology, the head of surgery. In any other departments that are traditionally more high tech, you have a very heavy involvement in this.
The other key thing I would bring up is clinical engineering departments – they sometimes call them healthcare technology management departments. Traditionally they're dealing with the Joint Commission and making sure that they can meet Joint Commission requirements, which have some cyber elements, but really they're not focused on that area.
It's primarily preventative maintenance work, making sure you understand where your inventory of devices is in your institution and things like that. And a lot of the work departments like that have done traditionally really is mechanical work, for the most part. They're fixing broken elements on devices. In some cases, it might be a firmware update that's being coordinated through the manufacturer.
But really, when you start looking at anything beyond that, those types of departments traditionally have not played in that space. So there's an education, essentially. There's a need to make sure that those types of departments are cross-trained on IT functions and cybersecurity functions and understand the nomenclature in that language because it doesn't always translate directly.
But patient safety is dependent on having cybersecurity in place and managing these devices appropriately. So it's becoming increasingly important for that cross-training to occur. And not just from a biomed standpoint. I think even from an IT and a security standpoint, those professionals also need some education around what is unique about medical devices: Why is there more at stake in those particular scenarios? Why can't I use these traditional tools that we rely on in IT? Why do we need these unique tool sets for medical devices and IoT devices?
Q. What about clinicians themselves with regard to device security? This is not just an IT or a security team problem – do they have a role to play?
A. Absolutely. I think that the biggest piece is just awareness and making sure that they're trained appropriately and they're able to identify and have a reporting mechanism when devices malfunction. So they can identify if a device is experiencing an issue and is not behaving as it normally does. Just understanding that there's a possibility for that to happen and what those symptoms look like and having a way to report that.
The other key piece is making sure that there's a mechanism in place – for example, if you have a security issue with an MRI machine and now all of a sudden you have to either divert patients or reschedule appointments. Just making sure that there's an understanding that those types of scenarios can arise.
So one thing that we do, when I mentioned the Medical Device Security Steering Committee, that's one form where we talk about these types of scenarios. If we have medical instrumentation that needs immediate attention, and if that means having to divert patients or reschedule appointments, they just have to be aware of the reality that these types of scenarios can arise.
The other piece has to do with electronic medical records. There was this push years ago to use EMRs and EHRs, and it's quite mature today. They're very heavily used, and they're measured. They're a foundational element, essentially, for a lot of health systems.
So when we talk about a cyber event with a medical device, if that were to become something more, if it were to move laterally on the network and result in something like ransomware, they need to be aware of how to continue operating without these electronic mechanisms in place. And just be aware that it's unfortunate that these types of scenarios can arise, but they're happening almost on a daily basis now around the country.
So the clinical teams have to be able to react and have plans in place and incident response mechanisms in place and business continuity mechanisms in place so that the health system doesn't shut down. If you're experiencing one of these events, you need to be able to continue seeing patients in a safe manner, if it's possible.
Q. There have been a lot of efforts, obviously, to get device manufacturers to step up and build in better security features from the ground up. Have they responded, in your view?
A. They're definitely doing better. The FDA is much better funded, I think, in this space, and something that used to be an afterthought is now at the forefront. And I'm glad that they're scrutinizing security as part of the device release process.
I think it's improving, it's getting better. But one of the issues that I have to deal with on the health delivery organization front is the lifespan on some of these devices could be 20-plus years. We're having to deal with legacy devices for a long time.
This will help in the long term. But I do believe even if you design a device and you follow best practices from a security standpoint, there's always a possibility that someone can configure the device incorrectly, or add it to a network that's insecurely configured to begin with and add risks, essentially, that you can't really replicate in a lab environment.
I think there's a place for health delivery organizations to make sure that they have mature medical device and IoT security programs so they can manage the security of these devices throughout their lifecycle, including decommissioning, making sure they're wiped appropriately when they're decommissioned.
I don't think the onus can be exclusively on the medical device manufacturers. I don't think that's a fair arrangement – and I don't think it's even possible. I mean, the level to which they would have to go to protect people from themselves and network administrators from misconfiguring things, and it's not even their realm of control, really.
A medical device manufacturer could come and make a recommendation about how your network should be set up. If you don't follow those recommendations, it's kind of outside their realm of control at that point.
So I think there's definitely a two-way street here, and I think the medical device manufacturer and the HDO have to work hand in hand to make sure these devices are secure throughout their lifecycle.
Q. What are you keeping an eye on for the future, whether it's regulations that might be down the pike or new emerging technologies?
A. One thing I was really looking forward to that hasn't transpired yet: It seems like a lot of people have this notion that medical device manufacturers have the bulk of the responsibility in this space. I'm not one of those people. I believe that the Joint Commission should mandate that health delivery organizations must have medical devices – at a minimum, medical device, but I'd love to see IoT as well, but I know they don't play in that space – but essentially to mandate that you must have some level of a security program for these types of devices in your institution right now.
They use some language that addresses, I think, cybersecurity, but it's not very direct. I would have loved to see something, or I'd love to see something in the future that's just much more prescriptive in that arena.
As far as future trends and things that I'm concerned about, of course AI is top of mind. We can lean heavily on the medical device manufacturers to test the various scenarios that might arise. But I think when you take these algorithms and you put them in production, it's difficult to look at every scenario that can come up and capture every risk.
So sometimes they're unpredictable, and they'll behave in unpredictable ways. And that's been top of mind for me, how to deal with that. But I'm looking forward to the future. I love the steps that have been taken to date by the White House and the various other organizations out there.
And I'm glad that the FDA is ramping up in this space. I'm optimistic. I think this issue will get better over time. I just think it might be 10 years out before we really see some of the value that a lot of these changes are introducing.
Youssef's panel discussion, "IoT, IoMT, and OT: Safeguarding the Connected Hospital," is scheduled for 9:35 a.m. on Friday, Sept. 8, at the HIMSS Healthcare Cybersecurity Forum in Boston.
Mike Miliard is executive editor of Healthcare IT News
Email the writer: mike.miliard@himssmedia.com
Healthcare IT News is a HIMSS publication.