The Sheer Uniqueness of Securing Medical Devices (Part 1)

The Impact on Patient Safety, Uptime and Risk Mitigation

Author: Caston Thomas

Having worked with hospitals on both patient experience and cybersecurity projects for over two decades and with other industries locking down “IoT”, I realize that securing hospital devices is very different from securing I.T. as well as other types of O.T. (operational technology).

To successfully secure IoMT, we must deal with some key fundamental differences:

1) The Impact of Failure

2) Risks, Threats & Vulnerabilities

3) Complexity

4) Responsibilities of the Teams Supporting and Using the Devices

5) Product Development, Updates & Maintenance

If you are launching a greenfield medical device security program, you will do yourself a favor by instilling this understanding into your hospital’s leadership from the beginning. It will set a foundation for how you will address the unique challenges in securing your organization. For those with an already evolving program, it makes sense to go back and revisit this with leadership.

My objective in this blog is to provide points that will “talk the language” of the board and senior executives, e.g., quality of care, reputation and money. In Part 1, we cover the technological differences. In Part 2, we will address organizational and operational issues that arise. In Part 3, we’ll provide a roadmap for successfully building a comprehensive program. We will examine the best practices and experiences of those who have had great success, which comes only with occasional setbacks.

No one should argue that data is more valuable than human life. That realization factors into calculating the risk of a device failure (Risk = Likelihood of Occurring x Severity of Harm). The likelihood of a medical device being intentionally hacked is extremely small. At least that was the way too many thought about the subject until recently. But when we factor in the consequences of someone dying or being seriously injured, executives are recognizing the potential for loss of community support and lost trust.

So the risk is high. On the other hand, there are few hackers who would intentionally harm someone suffering in a hospital. But the unintended consequences of a ransom attack or a network component being hacked have the same catastrophic result as an intentional hack.

Two key metrics for biomedical engineering leadership are availability and utilization. Those numbers are also watched by those charged with financial responsibilities in departments that house MRIs, CT/PET scans, and surgical robots. Now that hospitals have experienced days of lost revenue due to cyberattacks, more attention is being paid to downtime of those devices caused by cybersecurity risks.

Complexity also arises from the many different types of devices and their sub-components. In IT, we have PCs, Macs, mobile devices, and a small assortment of servers. A typical hospital has 300 or more different types of medical devices.

Each type of device is unique, even devices that are made by the same manufacturer. The clinical engineers who support all these different devices must be walking encyclopedias, knowing the nuances and differences. Then there are computational and storage limitations, leading to many best-practice and implementation challenges, such as those related to network security, legacy devices, MFA, and strong encryption.

So, in summary, our first two hurdles to overcome are: 1) educating leadership to fully appreciate the sheer importance of securing medical devices, and 2) communicating that there are proven ways to address the challenges. Other hospital systems have overcome the complexity and uncertainty about what to do. Once we have leadership’s support, we will start to explain how to marshal the organization’s immense resources and deploy them without adding staff and without breaking the bank.

Coming soon: In Part 2 of this blog series, I’ll review the challenges with managing complexity.