How healthcare systems can harness their purchasing power for safer medical devices
CISOs and CIOs know all about patching holes to prevent cybercriminals from entering their networks. One of the largest and most enduring sources of these holes is medical devices, of which there are countless in a hospital or healthcare system.
Healthcare provider organizations have been at the mercy of medical device manufacturers and their security practices. This has long been a source of frustration, as many devices are designed and built without sound security practices and give IT very little ability to address known and emerging security issues.
Health Informatics News sat down with Samuel Hill, Director of Product Marketing at Medigate, a healthcare cybersecurity and asset management company, to discuss the issue of medical device security, optimizing the power of purchasing from medical device manufacturers and purchasing devices that reduce risk.
Q. Why is medical device safety such an important issue?
A. With so many things connecting to the healthcare network, the resulting environment is unstable and dynamic. Devices move and their connection points change, so security policies need to be nimble enough to be consistent in their effectiveness no matter how and where they connect.
The significant threat is that a device will be compromised and negatively impact patients. The combination of poor device security and inadequate controls in the healthcare organization is at the root of the central problem with device security we know today. Whether it’s stolen patient data or hampered care, no outcome is acceptable.
Medical devices are inherently insecure, and while there have been recent gains in this area, most healthcare organizations still have thousands of medical devices at risk. It can take years for a known vulnerability to receive a software patch. The healthcare organization must use compensating controls to keep those devices with known issues from being weaponized by bad actors against them and their patients.
Additional challenges stem from knowledge gaps about the devices and their use. Without a clear understanding of what is connecting to the network, valid and prescriptive security policies are impossible. Unfortunately, many healthcare organizations simply don’t have the detailed knowledge of which devices are connected and which aren’t, making securing them nearly impossible.
Q. The large sums of money that healthcare provider organizations spend on medical devices each year should give them enormous buying power. Do vendors know enough about devices and how they are used and secured to leverage their buying power in their negotiations?
A. Typically, healthcare organizations use their purchasing power to negotiate better prices for the fleet of devices. While this is undoubtedly a necessary and good thing, they may not consider the opportunity cost or risk associated with device security. With more information about a specific device and the fleet it belongs to, the healthcare organization can examine general trends to inform purchasing decisions.
Device fleet utilization is a key trend to examine. On average, an IV pump sits idle about 58% of the time, so more efficient use of existing equipment can help reduce the need to purchase more.
Usage rates of different models of the same type of device can also indicate the preference of frontline staff. Consolidating multiple device types based on front-line preferences will improve efficiency and increase the overall purchasing power of the healthcare organization.
Another trend to note is the number and severity of known vulnerabilities and exploits for a particular device. I would argue that one of the most powerful ways healthcare organizations can leverage their purchasing power for the good of their organization would be to select more secure devices.
This financial pressure on device manufacturers will hopefully result in a higher level of security for their devices from the start.
Q. You said that to better secure medical devices, supplier organizations should choose to purchase devices that reduce risk. How do organizations do it?
A. Without knowing the overall impact of a device on security, it is difficult to select the most secure ones. It’s about having the right information in the right place to impact the decision-making process. By applying the fundamental work of gathering accurate information about devices on the network and potential devices, healthcare organizations can make better decisions.
In addition to reviewing MDS2 forms for each device, understanding known CVEs or recalls will guide long-term investment strategy. Each of these data points is useful, but the healthcare organization must take additional steps to ingest this information so that it is usable in their decision-making process.
An example would be a device’s ability to be patched. Some manufacturers require their technicians to apply a software or firmware patch, which can extend the duration of the fix. Knowledge allows the healthcare facility to plan for this lead time or purchase devices that allow patching by a third party or by the healthcare facility team themselves.
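The two answers above describe feeding fleet utilization, known CVEs, recalls and MDS2-style patchability answers into one procurement view. The following is an added illustration of that idea, not code from the interview, from Medigate or from any device vendor: the device models, CVSS scores, lead times and usage hours are constructed sample values, and the weighting in `risk_score` is an assumed, deliberately simple scheme that a real program would tune to its own risk appetite.

```python
from dataclasses import dataclass
from typing import List, Dict

# Constructed sample inventory (hypothetical models and values, not real products).
# Each record bundles the data points named in the interview: usage, CVEs,
# recall status and whether only the vendor's technicians may apply patches.
@dataclass
class DeviceModel:
    model: str
    units: int                 # units deployed across the fleet
    in_use_hours: float        # summed active-use hours for all units in the window
    window_hours: float        # length of the observation window, per unit
    cves: List[float]          # CVSS base scores of known, currently unpatched CVEs
    recalled: bool             # any open recall affecting this model
    vendor_only_patching: bool # MDS2-style answer: can only vendor staff patch it?
    patch_lead_days: int       # typical days between fix availability and deployment


FLEET = [
    DeviceModel("PumpA", 10, 1008.0, 240.0, [9.8, 7.5, 5.3], False, True, 90),
    DeviceModel("PumpB", 8, 1344.0, 240.0, [6.1], False, False, 14),
    DeviceModel("PumpC", 5, 600.0, 240.0, [8.1], True, True, 60),
]


def utilization(m: DeviceModel) -> float:
    """Fraction of available unit-hours in which the model was actually in use."""
    return m.in_use_hours / (m.units * m.window_hours)


def idle_units(m: DeviceModel) -> float:
    """Average number of units sitting idle at any moment; spare capacity before buying more."""
    return m.units * (1.0 - utilization(m))


def risk_score(m: DeviceModel) -> float:
    """Assumed scoring scheme: worst CVSS score anchors the risk, then add
    penalties for additional high-severity CVEs, an open recall, vendor-only
    patching, and the patch lead time (capped so it cannot dominate)."""
    worst = max(m.cves, default=0.0)
    high_count = sum(1 for s in m.cves if s >= 7.0)
    score = worst
    score += 0.5 * high_count
    score += 2.0 if m.recalled else 0.0
    score += 2.0 if m.vendor_only_patching else 0.0
    score += min(m.patch_lead_days / 30.0, 3.0)
    return score


def procurement_report(fleet: List[DeviceModel]) -> List[Dict[str, object]]:
    """One row per model with the numbers a purchasing discussion needs,
    ordered from lowest to highest security risk."""
    rows = []
    for m in fleet:
        rows.append({
            "model": m.model,
            "utilization_pct": round(100.0 * utilization(m), 1),
            "idle_units": round(idle_units(m), 1),
            "risk_score": round(risk_score(m), 2),
            "worst_cvss": max(m.cves, default=0.0),
            "recalled": m.recalled,
            "vendor_only_patching": m.vendor_only_patching,
        })
    return sorted(rows, key=lambda r: r["risk_score"])


def preferred_models(fleet: List[DeviceModel]) -> List[str]:
    """Model names ordered by ascending risk, the order to favour when consolidating."""
    return [r["model"] for r in procurement_report(fleet)]


if __name__ == "__main__":
    for row in procurement_report(FLEET):
        print(row)
```

Run stand-alone it prints one row per model; in the sample data PumpA is idle 58% of the time (the figure quoted in the interview) and also carries the highest risk, which is exactly the kind of pairing that turns a fleet-consolidation decision into a security improvement at no extra cost.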
Q. What is the most important piece of advice you would give CISOs, CIOs, and other healthcare IT managers on this issue?
A. One of my favorite definitions of leadership comes from Ronald Heifetz. He roughly defines leadership as mobilizing a group of people to meet difficult challenges and emerge triumphant in the end.
This assumption is true in healthcare, as the need for security has been well defined, but difficult challenges remain. It’s time for those who want to lead to have tough conversations with people, including device makers, who may not want to follow the proven, logical security direction you’re showing them.
The number of people on this journey includes your internal teams and your external partners, including device manufacturers.
I would suggest starting with a simple gap analysis of what your organization knows about secure network connections. Having incomplete information will only hinder any strategic improvements to your security posture, so knowing where the gaps are is the first step to filling in the necessary details. Once you are comfortable with the data foundation, you can evaluate next steps and strategic planning.
Collaboration is vital, which is not new advice by any stretch of the imagination. Just because security is complex doesn’t mean it’s impossible or that leaders should avoid appropriate next steps.
As Heifetz states, “The goal is to triumph in the face of adversity!” One of the keys to this successful emergence should be a common data platform that all stakeholders can refer to when making decisions about medical devices. As with most things in life, with better data, healthcare organizations can make better decisions.
Healthcare IT News is a HIMSS Media publication.