From left to right: Damian Chung, Business Information Security Officer, Netskope; Christopher (Scott) Martin, Cyber Practice Leader and Client Service Team Lead, RCM&D; Anahi Santiago, CISO, ChristianaCare; Aaron Miri, Senior VP and CDIO, Baptist Health; and Erik Decker, VP and CISO, Intermountain Health.

Apr 21 2023

HIMSS23: Mitigating Risk for Healthcare in an Increasingly Connected Environment

Healthcare security leaders at HIMSS23 shared their insights on stronger device security and third-party risk management.

From bedside medical equipment to clinicians’ mobile devices, healthcare organizations have a complex ecosystem that can expand and contract as needs and teams change.

An organization can have more than 26,000 network-connected devices on average, according to a 2022 Proofpoint and Ponemon Institute report. Insecure medical devices are a top cybersecurity concern, but only 51 percent of security professionals say their organization has a prevention and response plan for an attack.

These security practitioners are also worried about supply chain attacks; 71 percent say their organizations are vulnerable to such attacks, according to the report.

“The ecosystem in which we operate has dramatically changed. No longer can we think about the four walls of our hospitals or health systems,” said Intermountain Health CISO Erik Decker during a HIMSS 2023 panel discussion. “We have hundreds, if not thousands, of back-channel accesses between medical device manufacturers, third-party service providers, cloud solutions and all kinds of other ways that we need to be able to integrate in order to deliver a digital environment, which is ultimately what healthcare is becoming.”

Healthcare’s security vulnerabilities are under increasing federal scrutiny. And a recent report from security company Armis named nurse call systems and infusion pumps as some of the riskiest connected devices. Nearly 1 in 5 connected medical devices are thought to be running unsupported versions of operating systems.

With this threat landscape in mind, security experts and healthcare leaders at the annual global health technology conference shared their strategies for protecting a critically connected environment while managing business needs.

A ‘Paradigm Shift’ in Security Collaboration

During a panel, UNC Health CISO Dee Young said her organization has about 350,000 connected devices at any one time, and about 35,000 to 40,000 are some kind of medical device. The North Carolina health system also has taken on some rural healthcare organizations, bringing more legacy devices onto the network that must be secured.

The Software Bill of Materials has been a good starting point to provide more information about what’s baked into a device, Young said. The Log4j vulnerability is just one example of the need for a methodical approach to score devices on the likelihood of vulnerabilities.

Young added that UNC Health is the second organization she’s worked at where the biomed or clinical engineering team is under the IT department. “That’s been an interesting paradigm shift because of the skills and the shortage. We’ve found that that really is helpful, especially with trying to patch. Of course, we have the biomed gurus, but we also then have a lot more of the IT-savvy people to help us try to bridge the gap of patching,” she said.

Collaboration is also necessary when developing effective enterprise risk management. If a security team doesn’t collaborate across departments, it’s going to have a harder time getting risk management off the ground or cross-identifying key risks, said Donald Lodge, compliance officer at Advocate Health, during another session.

“Once you have everyone at the table, it’s really important to start talking about what you’re trying to get out of your risk management program,” Lodge said. “What’s really important is trying to figure out what your goals outside of just communicating risks are.”

It’s crucial to communicate with your teams and across the enterprise so everybody understands why risk management is important. “How can we better work together as an organization, eliminate the silos that we have, and help better identify, remediate and find risks overall?” said Elissa McKinley, director of cybersecurity, governance, risk and compliance at Advocate Health.

Keep Your Connected Environment Secure with Zero Trust

Zero trust is an approach that’s finding increasing favor in healthcare security. Organizations that have yet to incorporate any part of the zero-trust framework shouldn’t do everything at once, however. Start small: Consider tackling one of the pillars that covers devices.

“If you’re able to apply zero trust and baseline ‘Here’s what’s normal behavior from my devices in the network,’ you can ensure patient safety, prevent and contain attacks, reduce your attack surface, and really limit, when an attack happens, that scope of that particular attack,” said Danelle Au, chief marketing officer at Ordr.

In a separate session, Ordr CEO Jim Hyman emphasized the need for healthcare organizations to know what’s on their networks and what devices do. That’s why gaining visibility is an important first step.

“We should stop thinking about the differentiation between Internet of Things, Internet of Medical Things, operational technology and IT,” Hyman said. “You have to look at this across the board.”

Medical devices pose a unique challenge in healthcare since they have many regulatory requirements and guidelines that IT companies don’t traditionally handle, said Keith Whitby, IT division chair for healthcare technology management at Mayo Clinic. He and his team support over 130,000 medical devices and systems, valued at over $2.5 billion, according to Whitby.

Mayo Clinic’s HTM team is nestled within the IT department, and the team coordinates frequently with colleagues from the Office of Information Security.

“We have a risk, remediation and vulnerability management team in HTM,” Whitby said. “This is a little bit unique,” because it’s within HTM instead of OIS, he said.

Through a suite of solutions, Whitby said, increased visibility has been useful for getting inventory information on critical equipment such as ventilators, including their location and frequency of use.

“That was extremely valuable to us through the COVID-19 pandemic, to make sure we weren’t erroneously making capital purchases where we didn’t need to. We could make sure that the equipment was in the right location depending on ebbs and flows of patient volumes,” he said.

How to Successfully Manage Complex Security Risks in Healthcare

What does the current state of third-party risk assessment look like in healthcare? It’s mostly disjointed, said ChristianaCare CISO Anahi Santiago during a panel discussion. Almost everything in a health system touches technology or data. There could even come a point where linens include sensors that measure patient vitals.

As for vendors, Santiago said, “The questions that we ask are specific to the vendor, their cybersecurity practices and to the product, whether it’s an application or a consulting service or whatever other service. So, it depends on the type of data, the type of service, but it’s really to gauge the overall maturity of their program and product.”

These connected environments will only grow in the coming years, which means adding or continuing vendor relationships. “It’s very hard to say no to equipment that saves or improves lives. It’s very hard to refuse on cybersecurity grounds alone,” said Cleveland Clinic CISO Vugar Zeynalov.

And while continuous monitoring solutions have improved, there’s still room to grow, Santiago said. There’s still a lot of noise from false positives, guest networks and other elements. But, she added, her organization is starting to find value because it’s able to learn about third-party incidents early, which has helped improve incident response.

Another challenge is fragmentation of the management of these products, since ownership and accountability are siloed, Zeynalov added.

“We’re actually rethinking our approach to third-party risk, specifically by thinking like the other aspects of cyber: moving past prevention and into resilience and response,” he said.

Photography by HIMSS/Lotus Eyes
