By Clyde Hewitt, Executive Advisor, CynergisTek
Designing a holistic facilities management plan to protect medical devices.
The National Eye Institute (part of the National Institutes of Health, or NIH) has ample evidence that spending too much time in front of a computer screen can lead to myopia, a condition that impairs one’s ability to see the full picture clearly and ultimately leads to eye strain and headaches. The same analogy applies to managing medical devices when healthcare staff spend too much time treating them solely as physical assets or as simple computers. That approach creates headaches for compliance and security officers.
The government, medical device manufacturers, and hospitals have an obligation to ensure patient safety first while providing patient care. There are myriad processes in place to rigorously test medical devices to ensure that they perform as designed and, if they fail, do so in a way that does not inflict patient harm. For decades, the Food and Drug Administration (FDA) has had the authority to publish regulations, inspect manufacturers, and track patient safety issues; however, the FDA’s authority is limited when it comes to protecting the confidentiality of patient data. In December 2016, the FDA published the Postmarket Management of Cybersecurity in Medical Devices guidance, which established a shared-responsibility cybersecurity model between the medical device manufacturers and the provider community. Unfortunately, the FDA’s power to enforce action on cybersecurity vulnerabilities (as opposed to patient safety issues) is limited; however, the medical device manufacturers took notice.
So why is there concern? Since the FDA’s guidance in 2016, device manufacturers are reporting 400 percent more vulnerabilities per quarter. At the same time, 67 percent of these manufacturers believe their systems will be attacked in the next 12 months, but only 17 percent are taking significant steps to prevent attacks. Hospitals should recognize by now that they have the ultimate responsibility for securing these devices while protecting patient privacy.
Holistic Management Plan
Individuals with advanced myopia know their symptoms: distant objects are hard to recognize, which can lead to eyestrain and headaches. Medical device management myopia is harder to recognize but causes much bigger headaches. Treatment for medical device management myopia is similar in that it starts with recognizing that there is a problem. This can be accomplished with four simple steps:
- Obtain a copy of the Could Not Locate (CNL) list;
- Ask which items on the list store or maintain electronic protected health information;
- Ask which of those missing items have been evaluated to see which patients were impacted and if the ‘breach’ has been reported to the Office for Civil Rights; and,
- Of the devices not reported missing, inquire as to how many have outstanding software updates from the manufacturers.
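The four steps above are questions against an asset inventory, so they can be answered mechanically if the inventory is in a usable form. The script below is an added example, not part of the original article and not a CynergisTek tool: it runs the four checks over a small constructed inventory. The `Device` record, its field names, the sample asset tags and the evaluation date are all assumptions made for illustration; the 60-day figure is the outer limit on notification under the HIPAA Breach Notification Rule (45 CFR 164.404), which the article refers to as the mandatory reporting period.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# HIPAA Breach Notification Rule: notification is due without unreasonable delay and
# no later than 60 calendar days after discovery (45 CFR 164.404). Used here as the
# outer limit when flagging missing ePHI devices that have not yet been reported.
HIPAA_NOTIFICATION_DEADLINE_DAYS = 60


@dataclass
class Device:
    """One row of a clinical-engineering asset inventory (hypothetical schema)."""
    asset_tag: str
    model: str
    stores_ephi: bool                     # holds electronic protected health information
    could_not_locate: bool                # on the Could Not Locate (CNL) list
    missing_since: Optional[date] = None  # date the device was first reported missing
    breach_evaluated: bool = False        # impacted patients identified?
    reported_to_ocr: bool = False         # reported to the Office for Civil Rights?
    pending_updates: int = 0              # outstanding manufacturer software updates


def step1_cnl_list(inventory):
    """Step 1: the Could Not Locate list."""
    return [d for d in inventory if d.could_not_locate]


def step2_cnl_with_ephi(inventory):
    """Step 2: CNL items that store or maintain ePHI."""
    return [d for d in step1_cnl_list(inventory) if d.stores_ephi]


def step3_breach_followup(inventory, today):
    """Step 3: missing ePHI devices not yet evaluated or not yet reported to OCR.

    Returns (asset_tag, days_missing, past_60_day_limit) for each device still open.
    """
    findings = []
    for d in step2_cnl_with_ephi(inventory):
        if d.breach_evaluated and d.reported_to_ocr:
            continue  # already handled; nothing to chase
        days = (today - d.missing_since).days if d.missing_since else None
        overdue = days is not None and days > HIPAA_NOTIFICATION_DEADLINE_DAYS
        findings.append((d.asset_tag, days, overdue))
    return findings


def step4_present_with_pending_updates(inventory):
    """Step 4: devices that are accounted for but have outstanding vendor updates."""
    return [d for d in inventory if not d.could_not_locate and d.pending_updates > 0]


def triage(inventory, today):
    """Answer all four questions at once; asset tags only, for a management summary."""
    return {
        "cnl": [d.asset_tag for d in step1_cnl_list(inventory)],
        "cnl_with_ephi": [d.asset_tag for d in step2_cnl_with_ephi(inventory)],
        "breach_followup": step3_breach_followup(inventory, today),
        "present_with_pending_updates": [
            d.asset_tag for d in step4_present_with_pending_updates(inventory)
        ],
    }


# Constructed sample inventory; every value below is made up for the example.
SAMPLE_INVENTORY = [
    Device("INF-0001", "infusion pump", stores_ephi=False, could_not_locate=True,
           missing_since=date(2024, 1, 10)),
    Device("MON-0002", "patient monitor", stores_ephi=True, could_not_locate=True,
           missing_since=date(2024, 1, 5)),
    Device("US-0003", "ultrasound cart", stores_ephi=True, could_not_locate=True,
           missing_since=date(2024, 3, 1), breach_evaluated=True, reported_to_ocr=True),
    Device("CT-0004", "CT workstation", stores_ephi=True, could_not_locate=False,
           pending_updates=3),
    Device("XR-0005", "portable x-ray", stores_ephi=False, could_not_locate=False),
    Device("ECG-0006", "ECG cart", stores_ephi=True, could_not_locate=True,
           missing_since=date(2024, 3, 20), breach_evaluated=True),
]
SAMPLE_TODAY = date(2024, 4, 1)  # assumed evaluation date

if __name__ == "__main__":
    for question, answer in triage(SAMPLE_INVENTORY, SAMPLE_TODAY).items():
        print(f"{question}: {answer}")
```

The useful output is the third answer: a missing ePHI device with no evaluation and a days-missing count already past 60 is exactly the case the article warns about, and an inventory that cannot produce this table in a day is the symptom it describes.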
If your organization’s clinical engineering department cannot complete these four steps within a day, then you have medical device management myopia. Addressing the problem requires resources and skills beyond the scope of most clinical engineering departments. First, the executive leadership team, including the CEO, CFO, CIO, Procurement, Compliance Officers, and Legal, all have responsibilities to fix the issue. Procurement has the power to stop departments from purchasing new medical devices with end-of-life operating systems. Procurement should include, in every contract, a requirement that every piece of equipment come with a software bill of materials, just as it comes with a hardware bill of materials. Procurement also has the contracting power to require manufacturers to provide software updates for every critical security vulnerability within a specified amount of time.
From a technical perspective, the IT department should recognize that medical devices cannot be protected like ordinary workstations, so it must implement compensating controls, including network micro-segmentation. By isolating these medical devices, IT can reduce the probability of malware infection and confine the adverse impact to a small segment if they are compromised.
Finally, legal and compliance need to work closely with the Chief Information Security Officer (CISO) to mandate that every piece of lost or misplaced equipment gets promptly reported as a potential breach of patient data. Without this visibility, organizations will find themselves on the wrong side of the HIPAA Breach Notification Rule and miss the mandatory reporting period.
None of these changes will take place without the full support of the CEO and the executive leadership team. The coordination will take additional internal resources and likely additional technical measures. All of these actions will cost money, but the execution of these steps is spread holistically across many different departments. The executive leadership team will need to ensure that every step is funded or else gaps will remain.
About The Author
Clyde Hewitt is Executive Advisor at CynergisTek.