Medical Device Cyber Risk: An Enterprise Problem
Lessons from Duke University Health Systems
Medical device cybersecurity risks should be viewed as an enterprise problem, say Tracey Hughes of Duke University Health Systems and Clyde Hewitt of security consultancy CynergisTek, who outline critical security steps.
Hughes and Hewitt will offer a Feb. 14 presentation on biomedical device cybersecurity practices at the HIMSS19 conference in Orlando, Florida.
"The very first thing [healthcare entities] miss is addressing biomedical device risk as an enterprise problem," Hewitt says in an interview with Information Security Media Group. "Many organizations have outsourced their biomedical devices management to third parties, and they end up treating these devices as physical assets to be tracked through the financial system, but they don't necessarily treat them as information technology assets that need to be looked at as a threat to the network and the environment."
As a result, many entities often miss assessing whether these devices can be compromised, affecting patient safety, he says.
An important initial step in addressing the cybersecurity risks involving medical devices is getting an accurate inventory of all the medical devices that are part of a healthcare entity's environment - a task that is often more challenging than it might appear, Hughes says in the joint interview.
In Duke Health's effort to bolster its cybersecurity practices around biomedical equipment, Hughes says, "one of the first things we did was recognize that we may not have an accurate inventory of all our connected medical devices."
Clinical engineering and health technology management programs "are really good about asset management and keeping inventories of medical equipment with regard to serial number, model - all the information you would normally take from that device," she says. That type of inventory tracking, however, usually doesn't look at device operating systems, software revision levels and what patches can be applied, she notes.
"First and foremost at Duke was to go back and identify the pieces of equipment that connect to our network - or have the potential to connect," she says. Once important details are gathered about the inventory of medical devices in an environment, "then you can move into your risk mitigation strategy," she says.
In the interview, Hughes and Hewitt also discuss:
- The potential risks to medical devices when security scanning networks;
- Top cybersecurity threats facing medical devices;
- Other steps to bolster the cybersecurity of biomedical devices.
Hughes is associate chief operating officer and senior director of clinical engineering for Duke Health Technology Solutions at Duke University Health System. She has more than 25 years of leadership experience in clinical engineering and healthcare technology management. Her current responsibilities include oversight of the clinical engineering management program at Duke Health with over 50,000 active medical devices.
Hewitt is vice president of security strategy at CynergisTek. He has more than 30 years of executive leadership experience. Hewitt retired from the United States Air Force after serving in various senior IT technology positions, later working in the private sector in various information security management roles. Most recently, he was the vice president and chief security officer for Allscripts Healthcare.