Coordinating Stakeholders across the Hospital Ecosystem for Risk Reduction in IoMT

Securing connected medical devices isn’t just a cybersecurity challenge; it’s an operational coordination issue. As healthcare delivery organizations (HDOs) increasingly rely on Internet of Medical Things (IoMT) devices, coordinating the stakeholders across the IoMT ecosystem becomes imperative for mitigating device risk. Understanding who the key stakeholders are and how to engage them effectively is critical.
Without clear ownership, tasks like patching or performing risk assessments can easily fall through the cracks, leaving healthcare organizations vulnerable. Cross-functional alignment between security and IT, healthcare technology management (HTM)/biomedical teams, and procurement is essential to reducing device-related risk and maintaining continuity.
By adopting a Responsible, Accountable, Consulted, Informed (RACI) matrix, HDOs can clarify responsibilities, prevent miscommunication, and accelerate incident response, ultimately strengthening the organization’s ability to mitigate device risk across the entire network.
The Key Players in IoMT Risk Reduction
Reducing IoMT device risk requires tight coordination across departments, which makes the RACI model an indispensable tool. By clearly defining who is Responsible, Accountable, Consulted, and Informed for each task, RACI ensures that no part of the security process is left without an owner. Aligning key players and dividing responsibilities along a clear, easy-to-follow framework lets HDOs avoid finger-pointing and strengthen their IoMT security posture.
1. Information Security (IS)
Cybersecurity, network, infrastructure, IT teams, and key leaders, such as the CISO, all fall under information security. Information Security (IS) is the strategic leader of IoMT risk reduction. From vulnerability remediation to network hardening, IS teams orchestrate security efforts across departments. They act as the connective tissue between governance, technology, and clinical safety, protecting IoMT devices and ensuring no interruptions in patient care delivery.
IS functions act as the strategic and operational drivers of IoMT risk reduction. They are accountable for remediation planning, network segmentation, anomaly response, and overall program success.
Lead identification and mitigation of high-risk vulnerabilities
IS stakeholders conduct threat assessments, identify vulnerabilities, and implement mitigation strategies to protect IoMT devices.
Design and implement network control strategies
Network segmentation and robust access controls are key components of an IoMT security strategy. IS stakeholders serve as both drivers and responsible parties in collaboration with HTM teams.
Develop and lead the medical device security program
A comprehensive security program, including policies, standard operating procedures, and cross-functional coordination, is essential to governing IoMT risk management. For enterprise organizations, this may include contributing to a device security playbook or coordinating external managed services in key activities such as tabletop exercises.
Monitor performance through KPIs
Stakeholders in the IS function are responsible for monitoring security metrics, ensuring continuous improvement, and informing stakeholders of progress. If an HDO leverages a third-party service, the IS team sets the risk-reduction goals and works with the provider to produce quantitative metrics that show how much risk has been reduced.
2. Healthcare Technology Management (HTM) Teams
HTM teams, which are often composed of biomedical professionals, are the front-line operators of IoMT device security. Their experience often lies in device calibration and usage, including service history and clinical context, making them essential partners in proactive risk mitigation and real-time response.
It’s worth noting that as HDOs continue to face reduced budgets and staffing shortages, many HTM teams are frequently asked to take on IS functions, such as vulnerability mitigation and patching. However, these functions fall outside the HTM team’s typical realm of expertise, creating a knowledge gap that must be addressed.
Regardless, HTM teams form the backbone of operational risk reduction for IoMT devices.
Manage and maintain the medical device asset inventory.
HTM teams are responsible for keeping an accurate and up-to-date inventory of all medical devices, which is crucial for risk assessment and management. While this may sound straightforward, device visibility is challenging, especially for HDOs with a large, mobile fleet of IoMT devices. HTM teams can leverage an IoMT security solution to gain visibility into how many connected devices are on the network and which are vulnerable to high-risk attack vectors.
Execute remediation and mitigation tasks for vulnerabilities
While IS stakeholders and cybersecurity leaders are often drivers of the organization’s patch process, HTM teams are increasingly becoming involved in applying patches, updates, and other corrective actions to address identified vulnerabilities.
Because many HTM teams lack targeted cybersecurity training, they may be unaware of emerging attack trends and struggle with vulnerability and remediation prioritization. To mitigate this, HDOs can leverage third-party managed services to augment the responsibilities of IS and HTM teams, including applying patches and security updates to IoMT devices.
3. Procurement (Vendor)
Procurement’s impact comes through vendor engagement. By enforcing cybersecurity standards at the point of acquisition and holding vendors accountable to support updates and security requirements, they reduce risk before a device is introduced to the network.
Leveraging an IoMT Security RFP Template can help facilitate the vendor selection process, ensuring HDOs select the right vendor to augment their existing expertise and up-level any skill gaps.
Quiet but critical support for device risk reduction
In general, procurement teams are consulted to ensure new devices meet security requirements and integrate seamlessly into existing network controls. HDOs that leverage an IoMT security solution may involve procurement teams in conducting a pre-purchase assessment on any potential new devices.
While this team has no direct role in device risk mitigation, they may be informed of ongoing remediation efforts and outcomes so that procurement strategy stays aligned with security needs. Because additional protection, such as network controls, can keep older devices secure, procurement may also value the resulting benefit, delayed device decommissioning, in its financial role.
Enforce cybersecurity standards during procurement
Not all IoMT security vendors are created equal, and tracking the differences can be challenging. Some vendors may specialize in areas like device inventory, while others focus on mitigating risk across the entire network and provide specific insights and recommendations. Procurement plays a key supporting role by selecting vendors that meet the organization’s cybersecurity standards.
4. Third-Party Independent Service Organizations (ISOs)
Third-party partners are strategic enablers in IoMT security, providing technical insights and ensuring that internal teams can move faster and more confidently with risk reduction initiatives.
Asset visibility, remediation planning, and execution
Third-party ISOs can help manage medical device manufacturer (MDM) and vendor relationships, guiding internal teams to improve the overall security posture of devices. Third-party partners also bring deep expertise in connected device security, allowing them to help teams prioritize the devices most susceptible to risk and providing easy-to-understand mitigation steps for each device, clinically validated to reduce risk in the context of the HDO’s network.
Consult on anomaly mitigation and playbook completion
Third-party partners are experts in handling device anomalies and developing effective response strategies. Often, these partners have incident response and risk mitigation services that HDOs can leverage to augment their existing capabilities or use to collaborate with internal teams to develop detailed security playbooks that define how to respond to a cyberattack.
Best Practices for Building a Collaborative Culture
Implementing the RACI framework defines how different teams and individual contributors collaborate on each area of the IoMT risk mitigation program. An IoMT security solution like the Asimily platform helps teams gather metrics and critical insights, such as high-risk vulnerabilities and anomalies, that are used both to understand risk across the network and to assign tasks.
For example, under RACI, a defined team member (e.g., a cybersecurity leader) may be tasked with implementing new network controls for all IoMT devices on the network. If that leader is working with Asimily’s Risk Reduction Services team, they can use the Asimily platform to see how many devices are on the network and which controls are already in place. The cybersecurity leader remains accountable for the final outcome, but by leveraging the strengths of a third-party partner they can ensure the controls are implemented uniformly across all devices.
By clearly delineating roles and responsibilities using the RACI matrix, healthcare organizations can enhance coordination among stakeholders, streamline risk mitigation efforts, and strengthen the security posture of their IoMT ecosystems.
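As an added example (not code from the article or from Asimily), here is one way to write down the RACI matrix described above and check it for the ownership gaps the article warns about. The role letters are an illustrative reading of the article’s descriptions of IS, HTM, Procurement, and third-party ISOs; any cell the text does not state outright is an assumption, not an official assignment. The check applies the standard RACI rules: exactly one Accountable party per task and at least one Responsible party.

```python
"""RACI matrix for IoMT risk-reduction tasks, with ownership checks.

Added example, not code from the article or from Asimily. The role
letters are an illustrative reading of the article; any cell the text
does not state outright is an assumption. A cell may hold several
letters, e.g. "AR" means the team is both Accountable and Responsible.
"""
from typing import Dict, List

RACI_LETTERS = set("RACI")
ROLES = ("IS", "HTM", "Procurement", "ISO")

# Task -> {role: letters}. Constructed from the article's descriptions.
IOMT_RACI: Dict[str, Dict[str, str]] = {
    "Identify and mitigate high-risk vulnerabilities":
        {"IS": "AR", "HTM": "R", "ISO": "C"},
    "Design and implement network controls":
        {"IS": "AR", "HTM": "R", "ISO": "C", "Procurement": "I"},
    "Develop and lead the device security program":
        {"IS": "AR", "HTM": "C", "Procurement": "I", "ISO": "C"},
    "Monitor program KPIs":
        {"IS": "AR", "ISO": "R", "HTM": "I"},
    "Maintain the medical device asset inventory":
        {"HTM": "AR", "IS": "C", "ISO": "C"},
    "Apply patches and corrective actions":
        {"IS": "A", "HTM": "R", "ISO": "R"},
    "Enforce security standards at acquisition":
        {"Procurement": "AR", "IS": "C", "HTM": "C"},
    "Respond to device anomalies":
        {"IS": "AR", "ISO": "C", "HTM": "C"},
}

# Constructed counter-example of the failure the article warns about:
# every team is consulted, but nobody owns the work.
UNOWNED_TASK: Dict[str, Dict[str, str]] = {
    "Apply a vendor patch to a legacy device":
        {"IS": "C", "HTM": "C", "ISO": "C"},
}


def check_raci(matrix: Dict[str, Dict[str, str]]) -> List[str]:
    """Return a list of problems. An empty list means every task has
    exactly one Accountable party and at least one Responsible party,
    and every cell uses only the letters R, A, C and I."""
    problems: List[str] = []
    for task, cells in matrix.items():
        for role, letters in cells.items():
            bad = set(letters) - RACI_LETTERS
            if bad:
                problems.append(f"{task}: {role} uses invalid letter(s) {sorted(bad)}")
        accountable = [r for r, letters in cells.items() if "A" in letters]
        responsible = [r for r, letters in cells.items() if "R" in letters]
        if len(accountable) != 1:
            problems.append(
                f"{task}: expected exactly one Accountable party, "
                f"found {len(accountable)} {accountable}"
            )
        if not responsible:
            problems.append(f"{task}: no Responsible party")
    return problems


def render_raci(matrix: Dict[str, Dict[str, str]], roles=ROLES) -> str:
    """Render the matrix as a plain-text table, one row per task;
    '-' marks a team with no assignment on that task."""
    width = max(len(task) for task in matrix)
    header = "Task".ljust(width) + " | " + " | ".join(r.ljust(11) for r in roles)
    rows = [header, "-" * len(header)]
    for task, cells in matrix.items():
        rows.append(task.ljust(width) + " | "
                    + " | ".join(cells.get(r, "-").ljust(11) for r in roles))
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_raci(IOMT_RACI))
    print("\nProblems in IOMT_RACI:", check_raci(IOMT_RACI) or "none")
    print("Problems in UNOWNED_TASK:")
    for problem in check_raci(UNOWNED_TASK):
        print("  -", problem)
```

Running the module prints the matrix as a table and then the checks: the article-derived matrix passes, while the constructed legacy-patch task is flagged twice, once for having no Accountable party and once for having no Responsible party, which is exactly the "everyone was consulted, nobody owned it" gap that lets patching fall through the cracks.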
Risk Reduction is a Team Sport; Asimily Can Help
IoMT security requires collaboration across the entire hospital ecosystem. By clearly aligning roles and responsibilities across all stakeholders, HDOs can reduce confusion, close security gaps, and respond more efficiently to threats. This alignment is key to shrinking the attack surface and ensuring that medical devices support, rather than compromise, patient care.
Asimily’s breadth and depth of IoMT platform capabilities and expertise in device risk management make it uniquely qualified to help HDOs manage risk end-to-end across the entire network. To provide organizations with additional support, Asimily’s Risk Reduction Services team helps teams understand their IoMT security posture and mentors them as they scale their cybersecurity knowledge.
Interested in learning how Asimily can help your HTM team scale their cybersecurity expertise? Reach out now to book a demo.