Protecting healthcare systems against cyber threats requires intensive training and education throughout the workforce. Scott Trevino, senior vice president of product management and solutions at Indianapolis-based TRIMEDX, discusses the innovative steps the clinical asset management company is taking to prepare their associates for the future.

24×7 Magazine: Why did TRIMEDX decide to form a partnership with CyberVista?

Scott Trevino: CyberVista is an innovative cybersecurity education and workforce development company that provides organizations with the people, knowledge, and skills required to defend the most critical assets. Many health systems struggle to source this need in the face of unprecedented demand for cybersecurity expertise. TRIMEDX’s comprehensive clinical asset management solution paired with CyberVista’s training expertise allows us to continue educating our workforce with the most current cybersecurity knowledge, skills, and abilities. This effort continues to put the patient first in serving the healthcare providers.

24×7: What will participants learn at CE CYBER Academy?

Trevino: TRIMEDX associates will enhance their knowledge on the importance of clinical engineering in cybersecurity. They will learn the latest skills and strategies around the importance and process of securing sensitive data and information. And they will increase their understanding and awareness on social engineering attack methods, consequences, and preventions. In addition, TRIMEDX will be making CyberVista’s Security+, CISM, and CISSP certification training courses available to its cyber specialists, and executive leadership will have access to a four-part offering paired with a cyber incident tabletop exercise.

24×7: How is the rise in connected devices creating problems from a cybersecurity perspective?

Trevino: By 2025, it is estimated that 68% of medical devices will connect to provider networks, making it crucial for health systems to have the ability to accurately track medical devices, have accurate information on their operating systems, and respond appropriately to impacted medical devices. There is a need for clinical engineering and information technology teams to work together in a completely different way.

24×7: What are some of the biggest misconceptions about medical device cybersecurity and why?

Trevino: There are numerous medical devices in use across U.S. health systems that contain old PC and networking hardware, operating systems, and application software. Today, most medical device cybersecurity vulnerabilities, when risk-assessed by original equipment manufacturers (OEMs), are not deemed significant enough to require remediation, such as with a recall from the FDA. OEMs are, therefore, free to voluntarily choose to address these risks and vulnerabilities however they choose. Some proactively create solutions for their customers and roll them out to their affected products. Others take the opportunity to drive new sales of equipment and costly extended support contracts linking cyber upgrades to the service contract sale. And others stop support for the device or even choose not to address the risk altogether.

However, as we have seen more commonly in recent months, the vulnerability of connected medical devices is creating a growing threat to health system networks. In January 2020, the FDA and U.S. Department of Homeland Security’s Industrial Control Systems/Cyber Emergency Response Team both issued warnings related to medical monitoring devices manufactured by GE Healthcare. This is not the first time the healthcare industry has seen consequences of vulnerable medical devices from an OEM. These types of threats can have a direct effect on patient safety.

When a connected medical device is not secure on a network, or has vulnerabilities from OEM design, the threats to patients can significantly increase. Risks such as false or suppressed alarms, or even tampered data on devices, could potentially result in incorrect clinical decision making, administration of patient care, or other effects.

The landscape of responsibility within health systems is also changing as to who manages the OEM and manufacturers of these clinical assets. Given how these assets are becoming more network-connected for the sake of faster dispersion of patient records and data, the responsibility for these devices is largely being shared with health system IT departments. But this may not have traditionally been in their domain, or they may not be equipped or trained to understand the nuances of these devices.

24×7: Why should other companies implement training programs like CE CYBER Academy?

Trevino: Some of the top risks in a hospital’s ecosystem include ransomware, data breaches, employee negligence, and bring your own device (BYOD) policies. Ransomware is ever-evolving in its approach, but users of devices connected to a hospital network need to be aware of phishing scams and be mindful before clicking on any links, ensuring first that they are from a trusted source.

Data breaches are widespread in the health sector, as we’ve seen in recent news, and to help mitigate these occurrences, hospital staff and IT should make sure their credentials are safe and secure. Any device connected to the network not in use should also be locked and stored away if necessary. Finally, BYOD is becoming more and more prevalent in a growing number of fields, but especially in healthcare. There must be security protocols in place to make sure that user-owned devices are still protected to keep the overall network protected.