A new study conducted by the Healthcare Information and Management Systems Society (HIMSS) and Paramus, N.J.-based Nuvolo assessed cybersecurity preparedness in the healthcare sector—particularly as it relates to the surge of connected devices and the proliferation of the Internet of Medical Things. And the results, says Nuvolo’s Vice President of Global Marketing Ben Person, were very telling. Below, he shares what surprised him most.
24×7 Magazine: What were the most notable results of this survey?
Ben Person: While over 80% of respondents said they were concerned about threats to operational technology (OT), OT security received only 9% of the IT budget, on average.
24×7: Wow. It’s shocking that three out of four healthcare systems surveyed don’t factor OT security into their IT budgets at all. Why aren’t healthcare organizations, or HCOs, investing in OT security?
Person: Primarily due to a lack of knowledge about what constitutes an effective OT security program. For instance, a healthcare system may not have an OT security team if management expects that such roles fall under the governance of IT.
24×7: What can HCOs do to foster collaboration between clinical engineering and IT teams?
Person: Closing the OT security gap requires a financial and organizational commitment. For example, giving the clinical engineering team representation at the C-suite level and the opportunity to influence the allocation of resources and spending for OT security.
24×7: What will it take for healthcare organizations to actively secure their medical devices?
Person: Educating the HCOs that OT security monitoring tools aren’t enough and that a system of action, based on a single, trusted inventory of detailed device profiles—such as maintenance history, the device owner’s name, and what the device is currently being used for—is the only safe way to assist in medical device security. We feel that many third-party OT security monitoring tools stop short of offering what healthcare systems require to make their OT security effective: response and remediation.
24×7: What exactly is ‘response and remediation’?
Person: It’s not enough to know that a security event occurred or that a medical device identified a vulnerability. You need to know what devices are impacted, information about their maintenance history, and who owns the device—that is, the device warranty and service contract. Then, response and remediation can take place, which involves a system of actions to generate work orders, for the appropriate engineer to correct the device. In addition, only authorized engineers can work on a medical device—and that’s not usually an IT person.
24×7: In a white paper reporting the survey results, Nuvolo makes a case for healthcare security technology. How does Nuvolo’s ‘Intelligence Hub and a System of Action’ compare to third-party security monitoring tools?
Person: Security monitoring tools are just that—they “monitor.” They can tell you that a security event is taking place or that a vulnerability has been identified. What they can’t do is provide information on the device’s maintenance history, who owns the device, what the device is currently doing—for example, if it’s an infusion pump, is it delivering chemo or saline?
Nuvolo adds the inventory as a single source of truth for all devices, connected or not, that’s updated every time an engineer works on a device. By integrating the inventory with the security monitoring tool, an “intelligence hub” is created. This hub is in the same platform as a service management component. Thus, the system of action creates the work order, based on what’s seen in the intelligence hub to dispatch the engineer to correct the device.
24×7: For the 7% of those surveyed who reported having integrated their Internet of Things/Internet of Medical Things security monitoring with their computerized maintenance management system (CMMS), what disadvantages do they face?
Person: Having monitoring integrated with a CMMS is a step forward. The problem is, there needs to be a system of action to then respond and remediate, making sure work orders are sent only to the personnel authorized to work on the device.