Servers and storage are a primary focus for one hospital’s support upgrades.
Scripps Health Medical IT Network Risk Manager Scot Copeland believes that bolstering medical device cybersecurity is very much like securing a house.
There are tons of security controls and they all work together, Copeland said at the Association for the Advancement of Medical Device Instrumentation’s annual conference in Austin, Texas. “When you go to apply security to your own personal life at your home, do you have one thing that manages your security? No. It’s not just your door locks. You’ve got window locks. You have fences. You have lighting.
“That’s the way we need to understand how we apply security in medical devices, too.”
Copeland outlined several elements necessary to a hospital’s medical device cybersecurity plan, including having a business associate agreement in place with vendors, computerized maintenance management software for asset tracking and an access control policy that governs conditions under which users are allowed to access equipment physically and logically. Other aspects to consider for the success of such a plan, he said, include:
Additionally, Copeland said, medical device managers can’t hesitate to partner with the IT department.
“That’s one of the biggest challenges we’ve had. It’s taken years for us to get a relationship with our audit and compliance people, our [information security] people — the many departments of IS that seem to be very siloed and operate separately,” he said. “We needed to build relationships with them so they understand why we’re there and why we’re doing this with medical devices and that they are sympathetic to our cause and will support us. They own the network. A lot of the things we’re going to need to do to manage the security of our medical devices is going to have to be done by them.”
Read articles from HealthTech’s coverage of AAMI 2017 here.