How The Mayo Clinic Leads in Medical Device Cybersecurity


By: Gabrielle Hirneise

Categories: AAMI News, HTM Professionals, Medical Device Manufacturers


Cybersecurity issues took center stage on the first day of AAMI eXchange Rewired. In their education session, Kurt Griggs, information security manager at the Mayo Clinic’s Healthcare Technology Management (HTM) division, and Cyber Tygr CEO Ty Greenhalgh detailed a framework and tools developed by The Mayo Clinic to evaluate and implement safeguards against common and even unforeseen cyberthreats.

This wasn’t always a focus, however. The American Reinvestment and Recovery Act of 2009 proved useful for advancing health IT, but it didn’t fully account for security. With data breaches and the number of records breached on the rise, it is paramount that large healthcare organizations take action, especially considering that human lives are at stake.

“Medical device security is a patient safety issue,” Greenhalgh said. “People are hooked up to these devices, so if there is a problem with the device, it could have adverse outcomes.”

Fortunately, the Mayo Clinic’s HTM division, which was founded in 2019, has since taken a holistic approach to overcoming this challenge. With four different medical institutes and more than 50,000 network-connected devices, it was a challenge for The Mayo Clinic to maintain adequate regulation, specifically in the verification, maintenance, tracking, and documentation of devices and their associated components.

At its inception, Griggs said the HTM division’s goals included:

  • Bringing diverse skills together and converging specialties
  • Developing a program to align with industry standards
  • Building out a mission statement and establishing some goals and objectives
  • Leveraging next-gen tools

Griggs reinforced that these goals still hold true, and since the division’s start, headway has been made, particularly with the use of two tools: Ordr and Nuvolo.

“Ordr is a passive network monitoring tool that’s used to discover and support our process. It provides us with additional detail, especially from an inventory aspect, but it also provides some phenomenal abilities with advanced flow analytics, giving us daily tells into how we can actually segment the network,” Griggs said.

Nuvolo, on the other hand, is a computerized maintenance management system (CMMS) serving as a “day-to-day tool used by HTM for standard preventive maintenance features.” The plan, Griggs said, is to develop Nuvolo further to integrate a cybersecurity module, one that could identify emerging threats.

Although there are various other supplementary tools within the framework, at the core of its preventive workflow is the Proactive Security Model. This model dictates that, for every device added, a risk assessment be requested prior to purchase and information regarding the vendor be compiled. A risk assessment is then performed; if the device passes, a security profile is built and the device is installed.

To better illustrate the current state of the industry that this framework addresses, Greenhalgh and Griggs used a sinking boat as a metaphor. Many of the approaches seen today involve throwing buckets of water out of the boat, or handling each preexisting threat on a case-by-case basis. However, the proposed solution is to “plug” the hole in the boat. That is, to stop devices from coming into an institution without proper vetting.

Outside of the Mayo Clinic’s efforts, the U.S. government is working towards the Software Bill of Materials (SBOM), which is “trying to identify the components and drivers and operating systems inside the devices” and providing guidance on how to navigate threats and their corresponding mitigation strategies.
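To make the two ideas above concrete, the following Python sketch models the Proactive Security Model’s pre-purchase gate (request, vendor information, assessment, profile, install) and uses a vendor-supplied SBOM as the input to the assessment step. This is an added illustration, not code from the Mayo Clinic, Ordr, Nuvolo or any SBOM tooling; the stage names, the advisory table, the advisory identifiers (labelled placeholders), the sample devices and the CycloneDX-style SBOM fragments are all constructed for the example, and only the `name`/`version` component fields of CycloneDX are assumed.

```python
"""Device intake gate modeled on the Proactive Security Model described above,
with a vendor-supplied SBOM feeding the risk assessment step.
Added illustration only: not Mayo Clinic, Ordr or Nuvolo code. Every device,
vendor, SBOM and advisory value below is constructed; advisory ids are placeholders."""
from dataclasses import dataclass, field
from enum import Enum
import json


class Stage(Enum):
    REQUESTED = "risk assessment requested before purchase"
    VENDOR_INFO = "vendor information compiled"
    ASSESSED = "risk assessment passed"
    PROFILED = "security profile built"
    INSTALLED = "installed"
    REJECTED = "rejected at risk assessment"


# Constructed advisory table: component name -> {placeholder advisory id: affected versions}.
ADVISORIES = {
    "legacy-telnet-service": {"ADV-PLACEHOLDER-001": {"1.0", "1.1"}},
    "embedded-web-ui": {"ADV-PLACEHOLDER-002": {"2.3"}},
}


@dataclass
class DeviceRequest:
    model: str
    vendor: str
    sbom_json: str                      # CycloneDX-style JSON text supplied by the vendor
    stage: Stage = Stage.REQUESTED
    vendor_contact: str = ""
    findings: list = field(default_factory=list)
    profile: dict = field(default_factory=dict)


def compile_vendor_info(req: DeviceRequest, contact: str) -> None:
    """Step 2: record who at the vendor owns security questions for this model."""
    if req.stage is not Stage.REQUESTED:
        raise RuntimeError(f"vendor info expected at REQUESTED, got {req.stage.name}")
    req.vendor_contact = contact
    req.stage = Stage.VENDOR_INFO


def assess_risk(req: DeviceRequest) -> bool:
    """Step 3: match every SBOM component against the advisory table; any hit rejects."""
    if req.stage is not Stage.VENDOR_INFO:
        raise RuntimeError(f"assessment expected at VENDOR_INFO, got {req.stage.name}")
    for component in json.loads(req.sbom_json).get("components", []):
        name, version = component.get("name"), component.get("version")
        for adv_id, affected in ADVISORIES.get(name, {}).items():
            if version in affected:
                req.findings.append(f"{name} {version}: {adv_id}")
    req.stage = Stage.REJECTED if req.findings else Stage.ASSESSED
    return req.stage is Stage.ASSESSED


def build_security_profile(req: DeviceRequest, network_segment: str) -> dict:
    """Step 4: only a passed assessment gets a profile. The profile keeps the SBOM
    inventory so the device can be re-checked when new advisories appear."""
    if req.stage is not Stage.ASSESSED:
        raise RuntimeError(f"profile expected at ASSESSED, got {req.stage.name}")
    components = json.loads(req.sbom_json).get("components", [])
    req.profile = {
        "model": req.model,
        "vendor_contact": req.vendor_contact,
        "network_segment": network_segment,
        "inventory": [f"{c.get('name')}@{c.get('version')}" for c in components],
    }
    req.stage = Stage.PROFILED
    return req.profile


def install(req: DeviceRequest) -> Stage:
    """Step 5: the 'plug the hole' check; nothing is installed without a profile."""
    if req.stage is not Stage.PROFILED:
        raise RuntimeError(f"install refused: device is at {req.stage.name}, not PROFILED")
    req.stage = Stage.INSTALLED
    return req.stage


def intake(req: DeviceRequest, contact: str, network_segment: str) -> Stage:
    """Run the whole workflow; returns the terminal stage (INSTALLED or REJECTED)."""
    compile_vendor_info(req, contact)
    if not assess_risk(req):
        return req.stage
    build_security_profile(req, network_segment)
    return install(req)


# Constructed sample SBOMs, CycloneDX-style and trimmed to the fields used above.
CLEAN_SBOM = json.dumps({"bomFormat": "CycloneDX", "components": [
    {"name": "embedded-web-ui", "version": "2.4"}, {"name": "rtos-kernel", "version": "7.2"}]})
FLAGGED_SBOM = json.dumps({"bomFormat": "CycloneDX", "components": [
    {"name": "legacy-telnet-service", "version": "1.0"}, {"name": "rtos-kernel", "version": "7.2"}]})

if __name__ == "__main__":
    ok = DeviceRequest("infusion-pump-A", "VendorA", CLEAN_SBOM)
    print(intake(ok, "security@vendor-a.example", "clinical-vlan-12"))
    bad = DeviceRequest("monitor-B", "VendorB", FLAGGED_SBOM)
    print(intake(bad, "psirt@vendor-b.example", "clinical-vlan-12"), bad.findings)
```

The point of the stage checks is that `install()` cannot be reached by skipping the assessment: a device that fails stays at `REJECTED`, and any attempt to profile or install it raises. Keeping the SBOM inventory in the profile is what lets an organization re-run the advisory match later against devices already on the network, rather than bailing water one device at a time.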

Even with these efforts in place, there is still much work to be done to protect against cybersecurity threats.

“It’s a journey not a destination—it will take time,” Griggs said.