Ransomware Attack Offers HTM Professionals an Opportunity to Shine

Posted May 16, 2017

While a frightening jolt to the healthcare industry, the ransomware attack that infected business and government systems around the world also serves as a reminder of the invaluable role that healthcare technology management (HTM) professionals can play in helping their facilities navigate the tricky terrain in the cyber landscape.

To that end, HTM professionals can not only keep medical devices and systems safe and secure, they can also help their organizations avoid lawsuits, damages to reputation, and costly downtime.

How so? By stepping up and working with other departments—especially those in information technology (IT)—to develop smart practices and policies before a problem erupts, and to work seamlessly as a team when they do. One key component is something that is very familiar to most HTM professionals: maintaining a thorough inventory of medical devices.

“Every hospital should maintain an accurate cybersecurity inventory of networked medical devices that provides sufficient detail to assess risk when a new vulnerability arises,” said Kevin Fu, chief scientist of Virta Labs, Inc., and director of the Archimedes Center for Medical Device Security in Ann Arbor, MI. “What version of what software and firmware runs everywhere? What about shadow IT? The bad guys know the vulnerabilities of devices on clinical networks better than the good guys at the hospitals. That’s not fair, and the only way forward is via a solid inventory. You can’t protect what you don’t know you have.”

Axel Wirth, a distinguished technical architect with Symantec Corporation and a cybersecurity columnist for AAMI’s journal BI&T, counseled collaboration and teamwork.

“Any organization with complex IT infrastructures, including legacy systems, has to deploy a ‘defense in depth’ approach—starting with the best possible protection for systems, over-network segregation, and network-based intrusion prevention tools,” Wirth said. “And not only is your security as good as its weakest link, it is also only as good as your vigilance. Be prepared, be able to respond quickly, and have a network of trusted partners."

In a blog post, Ben Ransford, with Virta Labs, urged HTM departments to join forces with their IT colleagues and to “be the hero” of their staff meetings.

“Biomedical engineering and the IT department need to be on the same page,” Ransford wrote. ”In our experience, the best prepared hospitals have a collaborative culture between biomedical engineering and IT. Maybe IT tipped over radiology a few times while trying to ‘help’ biomedical engineering with vulnerability scanning. Don't blame people; you need to work together to continuously assess your population of devices because otherwise the bad guys are going to do it anyway, and not share the results with you."

“If your governance structure leads to in-fighting over responsibility and accountability for cybersecurity of networked medical devices, then your governance is broken,” he added. “If your management does not provide a cybersecurity budget close to the industry standard for health systems, then maybe the board needs a shake-up (4% of the IT budget is sad; 11% of the IT budget means you worry about nation-state threats).

Within a hospital, biomedical engineering often owns the database of medical devices for The Joint Commission certification of 99% accuracy of inventory of life-sustaining devices, but IT owns the databases of network inventory. The days of separately managed data ended when your medical devices joined the network. You have to do both at the same time to understand what networked medical device assets are at risk.”

AAMI offers a variety of cybersecurity resources to both HTM departments and medical device manufacturers. A full listing of those resources is available on a special cybersecurity “hot topics” page.

Wanted: Your Insights and Expertise

The fall edition of AAMI’s peer-reviewed journal supplement, Horizons, will focus on cybersecurity in healthcare technology. Submission categories include research papers, case studies, systemic reviews, and articles about trends in technology.

The submission deadline is July 15, and more details are available in the formal Call for Papers.

Interested authors may contact editor Gavin Stern with any questions at gstern@aami.org.