Security

CHIME21: Understanding Connected Device Risk ‘Lays the Groundwork’ for Robust Security Strategies

Medical devices are critical to care delivery, but does your organization have visibility into every device on its network? Experts weigh in on this security risk.

Teta Alim

Teta Alim is the managing editor of HealthTech. Teta previously worked as a digital journalist in Washington, D.C.

An average hospital room holds 15 to 20 connected medical devices, including patient monitors, ventilators, smart beds, insulin pumps and MRI machines. These devices are a critical component of care delivery, but they can also pose security risks.

Just this year, McAfee researchers found vulnerabilities in a widely used infusion pump that could allow hackers to change a patient’s medication dosage. And a Netscout report found that Internet of Medical Things devices can come under attack within five minutes of being connected to the internet.

At the CHIME21 Fall Forum, taking place in person in San Diego and online, the conference run by the College of Healthcare Information Management Executives highlighted the crucial need for organizations to strengthen the cybersecurity programs for their connected assets.

During a digital session, Matt MacVey, vice president and CIO of Children’s National Hospital in Washington, D.C., and First Health Advisory CEO Carter Groome discussed the security importance of managing medical devices and how educating all stakeholders about the operational risks can help advance programs.

‘Not Just a Project That Has a Finite End’

Understanding clinical and computing assets at Children’s National and mitigating associated risks was a major aspect of building out the organization’s cybersecurity program when MacVey became CIO two years ago.

“This is a program that is ongoing,” MacVey said. “It starts with getting visibility and then putting in management oversight structures.”

Clinical devices are a vulnerability in a healthcare organization’s cybersecurity posture, Groome added, so taking inventory and building a deeper understanding of what everything is doing is crucial and informs the broader security program.

“Those clinical assets and understanding how they’re behaving informs the larger IT asset and connected asset program that we’re working on with Matt and his team,” Groome said.

Healthcare organizations need to assess their unique challenges and gauge their risk tolerance. An organizationwide understanding of security is imperative.

“How do you get to the things that are most important in the organization from a security perspective? You can’t do it all in the first year or second year. This is a program,” Groome said. “It’s not just a project that has a finite end. This is something that needs to be built into the operations of the organization.”

Understanding Security Risks as Harm to Patients

At Children’s National, MacVey said that educating all stakeholders about the risk vulnerable devices pose to the organization’s environment helped foster better understanding. Emphasizing the threat not in IT terms but in the context of the potential harm it could bring to their young patients raised the urgency around better device management.

“When we’re having conversations with the board, we’re not talking about technical cyber issues. We’re talking about organizational challenges, the risk to your patients, the risk to your community,” Groome said. “This is about trust. If that trust is breached, it’s a reputational issue as well.”

Education is a key part of a healthcare organization’s cybersecurity posture, especially involving leadership. Conversations must include the risks to patient safety, operation uptime and the balance sheet.

MacVey added that addressing the problem of device visibility as a business continuity risk “lays the groundwork for other security strategies.”

Operational integration also involves educating and involving all stakeholders working together to deploy the organization’s security program.

“Everything that you do digitally in your organization needs to have security, privacy and risk assessed for your unique needs,” Groome said.

Keep this page bookmarked for our ongoing virtual coverage of CHIME21. Follow us on Twitter @HealthTechMag and join the conversation using the #CHIME21Fall hashtag.

Morsa Images/Getty Images