Presented by Armis

Over the last five years, health care institutions have undergone a digital transformation. They’ve gone from manual, internal processes for sharing information to integrated workflows with electronic health records, bringing medical devices and information online and into the health IT ecosystem. Those application suites have improved everything from communication to the quality of care, and collaboration between clinical teams.

“On the flip side, the digital transformation has also made IT departments in these organizations acutely aware of the brand-new vulnerabilities that these solutions incur — and the upstream/downstream effect that security breaches can have on the organization,” says Sumit Sehgal, strategic product marketing director at Armis, a unified asset visibility and security organization.

The new ecosystem vulnerabilities

From blood glucose monitors to medical imaging devices and pacemakers, there are already 430 million connected medical devices worldwide, spread across departments and use cases. And similar devices are connected in different ways. For example, a hospital may deploy four different types of pacemakers to keep a patient’s heart rhythm constant, but depending on the age and the makeup of the devices, how they communicate and how they interact with IT infrastructure, can be completely different. The same can be said for all of the CT scanners, MRI machines, and pharmacy systems in use.

“When we talk about connected devices, it’s not so much just understanding what the device is,” Sehgal says. “It’s about understanding how that device is functioning in context for that health system that is providing care.”

These devices have added an entirely new layer of complexity for IT departments to handle, from patch levels to security configurations to updates, as well as how they’re communicating across health care systems, and how they’re connected to other sensitive networks.

“That’s probably the biggest set of vulnerabilities that health care organizations have to deal with,” Sehgal says. “That’s on top of the work they already do for all the other IT infrastructure as well.”

For example, infrastructure ecosystem vulnerabilities extend to the environmental controls that are critical to medical care, such as the building management systems and everything from potable water delivery to pressure control sensors and elevator control mechanisms.

“The second level of the vulnerability assessment process comes with the realization that there’s more than just medical devices to deal with,” Sehgal says. “It’s a big challenge for health care institutions, and they have limited expertise in how to deal with it.”

The impact of healthcare ecosystem vulnerabilities

“It’s not only just about the impact of what happens when these vulnerabilities are exploited. It’s also tied to the resilience of the health systems and how effective they are in trying to navigate these situations that dictate the outcome,” Sehgal says.

From an IT risk management perspective, the most obvious impact of this digitization of health care is the risk of data breaches. Depending on how information is flowing in and out of these devices, and how they’re integrated into the hospital network, the risks range from leakage to unauthorized access of confidential, protected health information. A Ponemon Institute study found that 54% of health care providers experienced at least one patient data breach within the past two years, while 41% encountered six or more. Each of these breaches can expose 10K patient records and cost up to $2.75 million on average.

Less commonly considered is the impact of digital technology breakdowns. Clinicians increasingly rely on these systems to make treatment decisions, and breakdowns directly affect their ability to deliver care. These failures can also disrupt the continuity of operations, delaying the process of care and delivery of medication, and often incurring financial overhead because alternate workflows aren’t nearly as efficient. Sehgal notes that while the impact on patient safety is often talked about, the actual effects on it are rare because they are protected by layers of workflows — the real pain is in needing to rejigger workflows, cost issues, and delays in care.

Securing care delivery

Right from the start, every organization that’s having a conversation on medical device security needs to understand that this is not an IT-only or clinical-only undertaking, Sehgal says. Security requires a governance process that pulls clinical teams together with biomedical, IT, and information security, for conversations around what success looks like for your own health system.

Secondly, you need to retool your security team training and ensure that partners helping you with security response or security strategy have the appropriate capability.

But most importantly, you need to focus on more than just medical devices.

“Medical devices are the start of it, but that’s not everything that touches your patient,” Sehgal explains. “From point of admission to point of discharge, your information can be passed through about 30 applications and touched by a couple of hundred people.”

He urges organizations to look at  security approaches such as vulnerability management, including asset management, and threat modeling to calculate the risks based on the vulnerabilities and probability of impact tied to clinical area and patient flow.

“Given the issues with money, time, and priorities that organizations have today, what they can do is to take what processes they already have and try to apply a more real-time approach to vulnerability management and modeling,” Sehgal explains. “Whether they’re dealing with things like a building management system or a CT scanner, everything is tied to an outcome in relation to how they deliver care to a patient.”

Organizations can also focus on their tabletop drills — going through theoretical scenarios and developing responses. Tabletop drills are important because they illustrate potential choke points or potential single points of failure in a response process. What they don’t do is actually give you the muscle memory of what it takes to respond to a scenario in real-time.

For example, a tabletop drill might suggest replacing a compromised asset in four minutes — but that’s not accounting for the real world, in which it might take ten minutes just to find an IT staff member, and then there’s an additional ten-minute walk for that individual to get to the compromised asset. That just added 20 minutes per device times 400 devices affected, which suddenly creates a massive, unaccounted-for problem.

Health care institutions that are doing security right are collaborating with the security operations team to develop their emergency management functions, bringing together security response and operations continuity.

“Leveraging solutions in this space, like those that Armis provides, helps health care organizations identify very quickly where their weak points are, and they can then take that information and map it to how they deliver care,” Sehgal explains.

Setting priorities for risk management

Sehgal notes that security solutions are very good at letting people know what they have and what’s wrong with it, but don’t automatically know what’s important. Which specialties are important from a revenue perspective for a health system? Which ER workflow is more important?

“Every health system has their risk tolerance with regard to what they can live with and without in the context of how they provide care,” Sehgal says. “That’s not an IT solution problem. That’s a process problem that needs to be addressed.”

To help manage priorities, an organization can identify a manageable scope, isolating and focusing on a specific area, a specific specialty, or a specific project. That helps them adjust to the new reality of securing more than just IT assets, from a process perspective and a workforce training perspective as well. From there, they can have the conversation inside the appropriate clinical and enterprise risk management teams in the hospital environment, to have what Sehgal calls “an introspectively honest conversation” about the capacity of the organization in terms of dealing with incidents.

“They should ask what are the thresholds for downtime and data loss we as an organization deal with and for how long,” says Sehgal. “Plus, which partners can they work with to make sure they have the help they need when things go awry.”

Sponsored articles are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. Content produced by our editorial team is never influenced by advertisers or sponsors in any way. For more information, contact