Derek Hills


How to Close the Loopholes on Medical Device Cybersecurity

Five steps for success

Published: Tuesday, February 8, 2022 - 13:03

The importance of medical device cybersecurity is growing exponentially. As more devices become connected to the internet, threats to public safety mount. Cybercriminals, formerly interested in stealing financial or medical records, have begun to essentially hold healthcare providers hostage by using ransomware to lock users out of medical devices. Even more sinister possibilities await.

For example, McAfee researchers discovered vulnerabilities in two types of infusion pumps where unsuspecting patients could overdose at the hands of malicious hackers, HealthITSecurity reports.

Medical devices aren’t like typical IT endpoints, such as laptops, where the manufacturer pushes security updates out over the internet and third-party security software alone can mount a defense. The risk to medical devices is more open-ended.

Where should quality management professionals start when implementing a cybersecurity strategy to close the loopholes on medical device safety? The process begins by recognizing the barriers to success within the health system itself.

Whose job is it, anyway?

Which hospital team is responsible for medical device cybersecurity? Is it the clinical engineering team that manages the hospital’s medical equipment? Is it the information technology team that manages the hospital’s network? Both? To what degree? Are the lines of responsibility clear?

Once medical equipment is connected to a hospital’s network, the lines of responsibility are blurred. Adding to the uncertainty is defining what even constitutes a medical device. Is a refrigerator that stores vaccines now considered a medical device? Who manages that? What’s the single source for known vulnerabilities and approved patches?

Clear lines of responsibility must be drawn so biomedical engineering and IT teams know who’s responsible for ensuring that devices are patched, updated, and otherwise complying with the latest manufacturer specifications.

Once leadership, the clinical engineering teams, and the IT teams are all on the same page with clearly defined roles, the next step is to implement a plan of action.

A five-step outline to begin medical device cybersecurity

NIST’s Cybersecurity Framework outlines five basic functions to establish your organization’s cybersecurity foundation:
1. Identify. Is there an accurate inventory of all medical devices and software? Are cybersecurity procedures aligned across clinical engineering and IT responsibilities?
2. Protect. How is access to medical devices, both physical and remote, protected? Are all users properly trained? Are access authorizations reviewed and managed?
3. Detect. Are devices monitored to spot cybersecurity issues? Is personnel activity monitored to detect potential cybersecurity events?
4. Respond. Are response plans created, communicated, executed, and maintained?
5. Recover. Do clinical engineering and IT teams undergo recovery planning, training, and testing? Is there a strategy to repair the reputation of the hospital as well?

The road map for shared responsibility becomes critical as you outline your approach—and not just for the sake of clarity. Medical device cybersecurity doesn’t rely on cybersecurity protocols alone.

Medical cybersecurity hinges on clinical asset management

Medical device cybersecurity is one of three elements that constitute comprehensive clinical asset management. But each element is only as strong as the other two, which are clinical engineering and clinical asset optimization.

Clinical engineering focuses on factors such as inventory visibility and device status. Clinical asset optimization focuses on lifecycle management. This includes factors such as how parts availability, recalls, and downtime guide decisions on whether to replace, upgrade, dispose of, or reallocate a device.

Cybersecurity is tethered to each. Here’s an example: Ensuring that all your devices are cybersecure requires an accurate inventory of exactly what devices you have and exactly where they are within the system. Are they all patched or updated? Do any have an outstanding recall? A further consideration is whether an original equipment manufacturer (OEM) still supports a device. If not, does it make financial sense to replace the device now, or instead find some software or hardware workaround to mitigate the risk?

Research by consulting and data analytics firm Fidelum Partners indicates that although healthcare executives recognize the importance of cybersecurity needs, they place less importance on comprehensive clinical asset management itself, which is critical to the effective cybersecurity protection they seek. Clinical engineering, IT, and leadership teams must understand this interdependency as they devise a cybersecurity strategy and execute a plan.

Devise a plan and implement it

With the barriers to cybersecurity removed and a better understanding of what’s needed, map out a plan.

First, be sure your core biomed team is staffed adequately to meet the clinical needs. Revisit your inventory to ensure it’s visible and accurate.

Up next are other essential functions, such as vulnerability tracking, associated device identification, and OEM management to streamline patch management.

The initial task of hunting for vulnerabilities can seem intimidating. So, start by identifying devices with current OEM-validated patches to install. As you go, record your efforts in your computerized maintenance management system (CMMS) inventory to create a history of work for your medical devices.

A key task is integrating a medical-device security platform that offers real-time monitoring with your CMMS and inventory. Automating and expanding the capabilities of your inventory improves data accuracy and enables collaboration between your teams.
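One way to implement the reconciliation this section (and the inventory questions under "Medical cybersecurity hinges on clinical asset management") describes, as an added example that is not the author's or TRIMEDX's code: it cross-checks a constructed CMMS inventory against a constructed table of OEM-validated patches and open recalls, flags devices the OEM no longer supports, and records each applied patch as a work-history entry. The device models, firmware versions, and feed formats are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Device:
    asset_id: str
    model: str
    location: str
    firmware: str
    oem_supported: bool
    work_history: list = field(default_factory=list)


def version_key(version):
    """Compare firmware versions numerically so '2.10' sorts after '2.9'."""
    return tuple(int(part) for part in version.split("."))


def reconcile(inventory, validated_patches, open_recalls):
    """Map each asset to the issues that need clinical engineering or IT action."""
    findings = {}
    for dev in inventory:
        issues = []
        if not dev.oem_supported:
            issues.append("OEM support ended: replace or apply a compensating control")
        latest = validated_patches.get(dev.model)
        if latest and version_key(dev.firmware) < version_key(latest):
            issues.append(f"OEM-validated patch {latest} not installed")
        if dev.model in open_recalls:
            issues.append("open recall")
        findings[dev.asset_id] = issues
    return findings


def record_patch(dev, new_firmware, work_date=None):
    """Apply a patch and log it as a CMMS work-history entry (assumed format)."""
    when = (work_date or date.today()).isoformat()
    dev.work_history.append({"date": when, "from": dev.firmware, "to": new_firmware})
    dev.firmware = new_firmware
    return dev


# Constructed sample data: not real devices, models, patches or recalls.
INVENTORY = [
    Device("A-1001", "INF-PUMP-X", "ICU bed 3", "2.9", True),
    Device("A-1002", "INF-PUMP-X", "ICU bed 5", "2.10", True),
    Device("A-2001", "VAX-FRIDGE", "Pharmacy", "1.0", False),
]
VALIDATED_PATCHES = {"INF-PUMP-X": "2.10"}
OPEN_RECALLS = {"VAX-FRIDGE"}

if __name__ == "__main__":
    for asset, issues in reconcile(INVENTORY, VALIDATED_PATCHES, OPEN_RECALLS).items():
        print(asset, issues or ["ok"])
```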

For hospitals and health systems, medical device security is critical. Too much is now at stake to ignore investing in a robust cybersecurity defense. The steps going forward won’t necessarily be easy. But by recognizing the internal obstacles and the scope of what’s needed, a pragmatic approach can help ensure both institutional and patient safety.


About The Author

Derek Hills

Derek Hills is a manager in product management at TRIMEDX, specifically focused on its Device Safety & Security solution, including medical device cybersecurity, cyber technology, and risk reduction. Having previously served as a business analyst at TRIMEDX, Digital Management LLC, and Union Gas, Derek is also Pragmatic Certified Product Manager, a Certified SAFe 5 Practitioner, a Professional Scrum Product Owner I (PSPO I), and a Professional Scrum Master I (PSM I).