Collaboration, Relationship Building Key to Defending against Cyberattacks


Posted June 10, 2017

Members of the Clinical Engineering Support Services (CESS) and IT teams at Intermountain Healthcare in Salt Lake City, UT

As healthcare delivery organizations (HDOs) across the country continue to deal with the fallout from last month’s WannaCry ransomware attack, two Saturday sessions at the AAMI 2017 Conference & Expo in Austin, TX, focused on the need for more—and better—cybersecurity collaboration. Presenters called for the different departments within HDOs to work together and for HDOs to begin sharing information on a wider scale.

“One of the biggest challenges we’ve had is getting a relationship with the departments of information technology (IT) and information security so they’re sympathetic with our cause and will support us … They own the network, and a lot of the things that we need to do to manage the security of our medical devices has to be done by them. They need to understand that there’s a reason for it,” said presenter Scot Copeland of Scripps Health in San Diego, CA.

Copeland’s presentation, “Elements of a Medical Device Cybersecurity Plan,” reviewed a slew of different methods and considerations for medical device cybersecurity, including firewalls, segmentation, device hardening, wireless spectrum management, developing a medical device management plan, and many more. But ultimately, he emphasized that there’s no one-size-fits-all or out-of-the-box solution.

“You’re going to need to research this for yourself at your facility because every facility is a custom installation,” he said. “It has to do with your networking infrastructure, policies, mission, and the types of equipment you have.”

In Saturday’s second cybersecurity session, “Applications and Practices for Medical Equipment Security,” members of the Clinical Engineering Support Services (CESS) and IT teams at Intermountain Healthcare in Salt Lake City, UT, described Polestar, their in-house-developed software application that helps analyze and prioritize medical device cybersecurity risks, particularly those involving protected health information. The initiative was detailed in a “Bright Ideas” article published in the January/February 2017 issue of AAMI’s peer-reviewed journal BI&T and Episode 20 of the AAMI Podcast.

Developing Polestar required collaboration between what presenter Mike Busdicker, system director of CESS at Intermountain Healthcare, called the “three critical collaborative relationships” in a robust cybersecurity program: HTM, IT, and the supply chain.

Busdicker, along with co-presenters Priyanka Upendra and Shawn Anderson, called for industrywide implementation of the Medical Device Risk Assessment Platform (MDRAP), a free assessment tool and online community developed by the Medical Device Innovation, Safety and Security Consortium (MDISS) that helps healthcare systems and device manufacturers better understand, analyze, and mitigate medical device security risks.

Once medical device cybersecurity information and analysis are entered into MDRAP, Busdicker said, the program can provide a national “source of truth, a baseline” for the medical device industry to assess the cybersecurity risks of its devices.

Intermountain hopes to develop an interface so Polestar can contribute information to the global MDRAP community as well as download information from the community back into Polestar, which can then be used to provide an organization-specific analysis.

Intermountain’s call to share information echoed that of Benjamin Esslinger, a clinical engineering manager at Eskenazi Health in Indianapolis, IN, who described in a presentation at Friday’s “Manny Meeting” an ongoing community of practice—the Indiana Cybersecurity Safety Network—that collaborates using the MDRAP platform.

A number of sessions at AAMI 2017 will focus on cybersecurity, including a keynote presentation by Kevin Fu, chief scientist of Virta Labs, Inc. and director of the Archimedes Center for Medical Device Security and the Security and Privacy Research Group at the University of Michigan. Fu will speak Sunday, June 11 at 10:45 a.m. in Ballroom A of the Austin Convention Center.