Protecting healthcare systems against cyber threats requires intensive training and education throughout the workforce. Scott Trevino, senior vice president of product management and solutions at Indianapolis-based TRIMEDX, discusses the innovative steps the clinical asset management company is taking to prepare its associates for the future.
24×7 Magazine: Why did TRIMEDX decide to form a partnership with CyberVista?
Scott Trevino: CyberVista is an innovative cybersecurity education and workforce development company that provides organizations with the people, knowledge, and skills required to defend the most critical assets. Many health systems struggle to source this need in the face of unprecedented demand for cybersecurity expertise. TRIMEDX’s comprehensive clinical asset management solution paired with CyberVista’s training expertise allows us to continue educating our workforce with the most current cybersecurity knowledge, skills, and abilities. This effort continues to put the patient first in serving the healthcare providers.
24×7: What will participants learn at CE CYBER Academy?
Trevino: TRIMEDX associates will enhance their knowledge on the importance of clinical engineering in cybersecurity. They will learn the latest skills and strategies around the importance and process of securing sensitive data and information. And they will increase their understanding and awareness on social engineering attack methods, consequences, and preventions. In addition, TRIMEDX will be making CyberVista’s Security+, CISM, and CISSP certification training courses available to its cyber specialists, and executive leadership will have access to a four-part offering paired with a cyber incident tabletop exercise.
24×7: How is the rise in connected devices creating problems from a cybersecurity perspective?
Trevino: By 2025, it is estimated that 68% of medical devices will connect to provider networks, making it crucial for health systems to have the ability to accurately track medical devices, have accurate information on their operating systems, and respond appropriately to impacted medical devices. There is a need for clinical engineering and information technology teams to work together in a completely different way.
24×7: What are some of the biggest misconceptions about medical device cybersecurity and why?
Trevino: There are numerous medical devices in use across U.S. health systems that contain old PC and networking hardware, operating systems, and application software. Today, most medical device cybersecurity vulnerabilities, when risk-assessed by original equipment manufacturers (OEMs), are not deemed significant enough to require remediation, such as with a recall from the FDA. OEMs are, therefore, free to voluntarily choose to address these risks and vulnerabilities however they choose. Some proactively create solutions for their customers and roll them out to their affected products. Others take the opportunity to drive new sales of equipment and costly extended support contracts linking cyber upgrades to the service contract sale. And others stop support for the device or even choose not to address the risk altogether.
However, as we have seen more commonly in recent months, the vulnerability of connected medical devices is creating a growing threat to health system networks. In January 2020, the FDA and U.S. Department of Homeland Security’s Industrial Control Systems/Cyber Emergency Response Team both issued warnings related to medical monitoring devices manufactured by GE Healthcare. This is not the first time the healthcare industry has seen consequences of vulnerable medical devices from an OEM. These types of threats can have a direct effect on patient safety.
When a connected medical device is not secure on a network, or has vulnerabilities from OEM design, the threats to patients can significantly increase. Risks such as false or suppressed alarms, or even tampered data on devices, could potentially result in incorrect clinical decision making, administration of patient care, or other effects.
The landscape of responsibility within health systems is also changing as to who manages the OEM and manufacturers of these clinical assets. Given how these assets are becoming more network-connected for the sake of faster dispersion of patient records and data, the responsibility for these devices is largely being shared with health system IT departments. But this may not have traditionally been in their domain, or they may not be equipped or trained to understand the nuances of these devices.
24×7: Why should other companies implement training programs like CE CYBER Academy?
Trevino: Some of the top risks in a hospital’s ecosystem include ransomware, data breaches, employee negligence, and bring your own device (BYOD) policies. Ransomware is ever-evolving in its approach, but users of devices connected to a hospital network need to be aware of phishing scams and be mindful before clicking on any links, ensuring first that they are from a trusted source.
Data breaches are widespread in the health sector, as we’ve seen in recent news, and to help mitigate these occurrences, hospital staff and IT should make sure their credentials are safe and secure. Any device connected to the network not in use should also be locked and stored away if necessary. Finally, BYOD is becoming more and more prevalent in a growing number of fields, but especially in healthcare. There must be security protocols in place to make sure that user-owned devices are still protected to keep the overall network protected.
Good article! ANYONE going into the biomedical or imaging service/maintenance industry these days has to be proactive and proficient with computerized system troubleshooting, systems software, and computer networking technologies. At a minimum, I recommend CompTIA A+ certification training and CompTIA Network+ certification, along with the necessary acquired skills to calibrate, maintain, and repair the equipment at hand, which in my case is diagnostic imaging equipment. With that said, I believe the security aspects of any hospital network-connected device or equipment belong to the IT department first and are delegated from there to biomed to arrange for equipment software fix patches or upgrades, and for biomed to track that these repairs have been completed. The fact that a large amount of hospital networked equipment falls under the responsibility of HTM/Biomed departments is a factor in why so many HTM and IT departments are merging together.
http://www.rapidxray.biz