Challenges Around Organizing and Managing Complexity
By Caston Thomas
Summary for first time readers): In Part 1, we covered technological differences. In Part 2 (this blog), we address organizational and operational issues. In Part 3, we will provide a roadmap for successfully building a comprehensive program. Throughout, we’re examining best practices and experiences that lead to success - which will result with only occasional setbacks.
The key to improving medical device security is to be well-organized and simple. The first cause of complexity is organizational. A key challenge for securing O.T. (operational technology) is the silo's nature of departments operating and maintaining devices.
Many hospitals have organizations in I.T. called Health Technology Management. Others have moved the entire clinical engineering department to I.T. Those efforts resolve some of the barriers, but not all of them. We also need to address differences in the ways clinical engineers think and talk, as well their responsibilities and priorities. At the root of IT security is the concept of C.I.A. (Confidentiality/Integrity/Availability). OT flips that, prioritizing A.I.C. (Availability/Integrity/Confidentiality) Let’s remember that when a medical device fails, lives and well-being are the result. Such a consequence is rare in I.T.
Critical methods for breaking down those silos include creating a culture of collaboration and training, particularly cross training. In a future blog, I’ll address specifics for successfully rolling out those programs.
Another cause of complexity is an overemphasis on solving technical problems or failing to set the policies and procedures in place for non-technical managers.
For example, we are seeing a burst of infusion pumps being compromised across hospitals. They continue to operate, but their integrity is impacted. The IT-centric response teams do their jobs to correct the technical problems. But leadership observes a lack of procedures and escalations that engage clinical engineering and nursing teams.
A common mistake is deploying technology before establishing the governance and goals for the medical device security program. “We have to have visibility.” Then let the technical features and ‘integration with what we own’ lead the decision, rather than how tools impact operations and meet key success factors.
Complexity is not limited to these examples. Without the proper foundations in place, jeopardizes an entire process. Network segmentation is another example. Or, Inventory fails to factor in legacy devices resulting in the need to reformulate risk assessments and policies. (And technology!)
Reduce the complexity! You will experience a reduction in gaps, lower operational costs, achieve higher levels of maturity and better goal achievement. The proper goal (a few years out), is to build security into your core business processes. Ultimately, successful program leaders work themselves right out of a job.
In Part 3, we’ll explain how to set the foundation and organize your program for simplicity and success.