Security

CHIME23: Healthcare Needs Better Collaboration to Reduce Security Challenges

Internet of Medical Things devices can create vulnerabilities in health networks if IT leaders, clinicians and manufacturers don’t work together.

Jordan Scott

Twitter

Jordan Scott is the web editor for HealthTech. She is a multimedia journalist with experience in B2B publishing.

Internet of Medical Things devices can make care more mobile and automated, increasing accessibility while saving clinicians time and giving more information to healthcare organizations. However, the proliferation of these devices has led to a challenge for health IT leaders: ensuring that IoMT devices are secure.

To compound the challenge, people often plug in devices without checking with the IT team that they meet security requirements. And device manufacturers may be running on an outdated OS, leaving them vulnerable to attack.

In a conversation Friday at the CHIME23 Fall Forum, hosted by the College of Healthcare Information Management Executives in Phoenix, Tony Douglas, regional vice president for U.S. enterprise healthcare at Palo Alto Networks, and Dr. Zafar Chaudry, senior vice president and chief digital and information officer at Seattle Children’s, discussed the vulnerabilities created by IoMT device adoption and ways to better protect healthcare IT environments.

Click below to gain access to exclusive HealthTech content from CHIME23 and beyond.

Collaborating to Protect Healthcare Networks from IoMT Risks

“Technology is great. It’s about 10 percent of the problem. The biggest risk in any security scenario are your own users,” Chaudry said. He emphasized that organizations must educate clinicians, researchers and other healthcare staff on the risks that IoMT devices pose in healthcare IT environments.

According to Chaudry, some clinicians will discover and start using devices without considering the security implementations. Many even connect devices to the guest wi-fi, which has a minimal amount of protection.

To combat this issue, Seattle Children’s encourages staffers to reach out if they’re using a device that could pose a risk to the organization. They can do so without consequence, an approach Chaudry said has worked well.

“No one in healthcare wants to cause harm. They just want to be able to do their work,” he added.

The health system also has an architectural review board composed of engineers who review proposed devices and conduct a risk assessment to determine whether they need to be connected to the network, whether they need software updates or other tools, and the extent to which they must be monitored. Once they go through a security and technical review, devices then go to the implementation team.

“This allows us to document what’s coming,” Chaudry said. When clinicians tell the IT team what they need, IT can put the necessary guardrails around devices.

It’s also important that healthcare organizations have visibility into the devices on their networks. Seattle Children’s uses Ordr for this purpose. Chaudry noted that an IT team can’t make decisions without knowing what’s happening on the network.

Authentication is another obstacle to healthcare cybersecurity efforts. Many healthcare organizations are using identity strategies to protect their environments, including two-factor authentication. However, Chaudry pointed, people are still writing their passwords on sticky notes and attaching them to devices.

“We need to figure out how we can layer through these services,” Chaudry said. He noted that some vendors in the security space will tell health IT teams that they need specific tools. He emphasized that IT leaders must consider not only the tools but the people they will be dealing with.

Not every health system has resources, and some may require assistance from the vendor during implementation.

“It’s not as easy as turning on software and the magic happens,” he said.

No one in healthcare wants to cause harm. They just want to be able to do their work.”

Dr. Zafar Chaudry Senior Vice President and Chief Digital and Information Officer, Seattle Children’s

Considerations Around IoMT Devices in the Home

IoMT devices have the potential to extend care into the home, but the infrastructure to support them often isn’t robust enough. When Seattle Children’s did a big push to manage asthma remotely, some patients lacked reliable access to cellular connections, meaning that devices would send data one moment and stop the next.

Not all patients spoke English, which sometimes led to misunderstandings about how to use and care for devices. Patients’ families had to mail the devices back in to get replacements, which led to gaps in data.

The health system was unable to send engineers to the remote locations to provide tech support. This meant that the organization didn’t have visibility into the patients’ networks or security.

Another common challenge is reimbursement for home healthcare initiatives. The reimbursement is often not enough to cover the program, meaning that hospitals are losing money on home healthcare.

“If we could build a team to send to people’s homes, that would be great. The hospital at home initiative is great and the outcomes are great, but many hospitals are withdrawing these services,” Chaudry said.

Changes must be made on the payer side to ensure the future success of home healthcare programs. Making those changes can result in better patient outcomes and fewer in-person follow-up visits.

EXPLORE: El Camino Health CIO Deb Muro reflects on security leadership in healthcare.

Reining in Healthcare Complexity to Boost IoMT Device Security

IoMT devices are often managed by biomedical or clinical engineering teams. However, as more medical devices are connected to the network, teams must collaborate, Douglas said. Not doing so can lead to network vulnerabilities and confusion about what’s on the network.

To improve security compliance, Seattle Children’s moved its biomedical engineering team under the IT department. This organizational structure makes governance and architectural review easier, Chaudry said. He said that healthcare organizations should form governance groups if they haven’t already.

“We’re not trying to do command and control, but a device isn’t just a device anymore. It’s a mini computer,” he said.

Douglas said that the healthcare industry is heavily regulated yet lacks governance that ensures that manufacturers are bringing devices to market safely and securely.

Chaudry agreed. While the Food and Drug Administration does have standards regarding how medical devices are built, many of these devices are still running Windows 7.

“How can we allow such devices to provide lifesaving treatment? The software is not regulated, which is something that needs to be looked at on the federal level,” he said.

Chaudry asked Douglas why manufacturers and security companies don’t collaborate to provide IoMT devices that come built with security in mind.

“If we had a standardized approach on how to bring devices to market, we would see interesting collaboration,” Douglas said. He said that Palo Alto Networks is lobbying for this, but it’s not an easy process.

The relationship between healthcare organizations and medical device manufacturers can be adversarial, Chaudry said, especially since the specific markets can be small.

“We are in a situation where we have no power. This is a patient safety issue, and now everything is becoming software-driven,” he said. “I’m not saying we should choke the industry from innovation, but we have to give standard protocols. If you check the boxes, then you’re good to go, and if you don’t, then you’re not. If you’re not running the latest version of an OS, then no chance.”

Keep this page bookmarked for our ongoing coverage of CHIME23. Follow us on X (formerly Twitter) at @HealthTechMag and join the conversation at #CHIME23.