IoMT Device Integration with the Electronic Health Record Is Growing
By their nature, IoMT devices are integrated into healthcare organizations’ networks. Increasingly, however, these devices are also being integrated with the electronic health record. Discrete data collected from IoMT devices may go through an organization’s normal data flow, such as an integration engine. Organizations may also use an application programming interface such as Fast Healthcare Interoperability Resources (FHIR), integrating through a central IoMT hub or through a Software as a Service provider.
More important than collecting patient data is acting upon it. IT and clinical leaders must have a plan for responding to device alerts. For example, a patient may be given an IoMT device while waiting to be admitted to the emergency department. If the ED clinicians receive an alert about a change, procedures need to be in place to act on that alert. Not responding to the alert could result in a negative patient outcome, and it poses patient safety and legal concerns.
How to Protect Internet of Medical Things Devices
When integrating IoMT devices with the EHR or an organization’s network, it’s important for IT leaders to keep privacy and security top of mind. If devices are left unmanaged, each one becomes a point of vulnerability to cyberattacks.
The first part of an organization’s security approach is visibility. The IT team needs to know what’s going on within its network. It can be difficult to tell what a device is, since many IoMT devices are unmanaged or fall outside of normal IT lifecycle operations. Unmanaged devices could be running on an older operating system, increasing the risk to the network. If IT staffers don’t know what a device is, they won’t know how to protect it or how to ensure that it is talking to the right systems.
Using a platform such as Ordr or Medigate enables IT teams to see more information about individual IoMT devices, including those running on older operating systems or those with Food and Drug Administration recalls. These platforms give healthcare organizations more visibility into their device networks and can even feed information into an organization’s configuration management database (CMDB).
The second part of device security is segmentation, including microsegmentation and macrosegmentation strategies to ensure that devices are talking to the right systems. With segmentation, devices can only talk to other devices or systems within their segmented network. If an event is detected within the network, an IT team can then investigate whether it’s related to a cyberattack. Another benefit of segmentation is that these more vulnerable devices are separated from other devices and systems that are critical to patient care. So, if there is an attack, it won’t interrupt care delivery.
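One way to check observed traffic against a segmentation policy, shown as an added example that is not from the original article or from any vendor's product. The segment names, subnets, server addresses and flow records are all constructed assumptions.

```python
import ipaddress

# Constructed policy: each segment's device subnet plus the only
# out-of-segment destinations its devices are expected to reach.
POLICY = {
    "infusion-pumps": {
        "subnet": "10.20.1.0/24",
        "allowed": ["10.50.0.10/32"],  # hypothetical pump management server
    },
    "patient-monitors": {
        "subnet": "10.20.2.0/24",
        # hypothetical central station and integration engine
        "allowed": ["10.50.0.20/32", "10.50.0.30/32"],
    },
}

# Constructed flow records: (source IP, destination IP, destination port)
FLOWS = [
    ("10.20.1.15", "10.50.0.10", 443),    # pump -> management server
    ("10.20.1.15", "10.20.1.22", 8080),   # pump -> pump, same segment
    ("10.20.1.15", "10.20.2.7", 445),     # pump -> monitor segment
    ("10.20.2.7", "10.50.0.30", 2575),    # monitor -> integration engine
    ("10.20.2.9", "203.0.113.40", 443),   # monitor -> external address
    ("10.20.9.3", "10.50.0.10", 443),     # source outside every segment
]

def segment_of(ip, policy):
    """Return the name of the segment whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, rule in policy.items():
        if addr in ipaddress.ip_network(rule["subnet"]):
            return name
    return None

def audit_flows(flows, policy):
    """Return (src, dst, port, reason) for every flow the policy does not permit."""
    findings = []
    for src, dst, port in flows:
        seg = segment_of(src, policy)
        if seg is None:
            # An uncatalogued device is a visibility gap, not just a policy miss.
            findings.append((src, dst, port, "source not in any defined segment"))
            continue
        permitted = [policy[seg]["subnet"], *policy[seg]["allowed"]]
        dst_addr = ipaddress.ip_address(dst)
        if not any(dst_addr in ipaddress.ip_network(net) for net in permitted):
            findings.append((src, dst, port, f"leaves segment '{seg}'"))
    return findings

if __name__ == "__main__":
    for finding in audit_flows(FLOWS, POLICY):
        print(*finding, sep="  ")
```

Each finding is a starting point for the investigation the paragraph describes: either the policy is missing a legitimate destination, or a device is talking to a system it should not reach.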
Technology isn’t the only thing needed to secure IoMT devices. It truly comes down to people, processes and technology combined. Healthcare IT teams need to create organizational governance to ensure that everyone is using the right technologies in the right ways. When selecting new IoMT devices for implementation, the IT team must verify that the devices don’t have security flaws.
Taking an Agile Approach to IoMT Device Management and Security
Once a monitoring platform is installed, the IT team should build a catalog of all the healthcare organization’s IoMT devices. Then, the team should use agile sprints to categorize, analyze and protect devices in an iterative fashion.
Biomedical and healthcare technology management teams should start to identify whether any medical devices fall outside their management, either unmanaged or being managed by another department. Each device should then be analyzed to determine who should have operational accountability for it. Then, the owners should review FDA recalls and security alerts related to biomedical devices and begin remediation efforts if necessary.
It’s important that healthcare organizations begin these efforts now, as more innovative IoMT devices are likely to be implemented in the next five to 10 years. Healthcare IT teams must be prepared to manage those devices and their data securely.
Device monitoring programs should be integrated with other security products, including a firewall or a network authentication control system such as Cisco Identity Services Engine or Aruba ClearPass. The system could also integrate into the CMDB through ServiceNow, for example.
Technology partners such as CDW have strong relationships with security vendors and provide IoMT workshops from a programmatic perspective. The workshops help healthcare organizations with their IoMT technology stacks and integrations as well as the security strategies around those devices.