What goes into effectively securing medical devices and equipment from cyber attacks to ensure patient safety? It’s people like Paul Moore in Clinical Technical Services who make the difference.
Paul Moore came to Methodist Le Bonheur Healthcare (MLH) near the end of the COVID-pandemic looking for an opportunity to give back to humanity–where there was more at stake than corporate profits. MLH has a network of six hospitals, 9,500 connected medical devices, and 13,000 employees. At MLH, Paul’s top priority is to support the front lines in their role of providing quality patient care.
In the Clinical Technical Services division, Paul is responsible for cybersecurity for medical equipment, as well as managing the processes for all clinical-based applications and clinical equipment.
When asked about the relationship between Clinical Engineering and IT, Paul said he works as a go-between in the two specialties. Paul works with the endpoint medical devices and equipment like laptops, PCs, and phones, does all the patching, and manages the access controls.
Paul explains, “The focus on patient safety and mission-critical care aligns closely with where I am at in my life. Any time we can affect a patient’s well-being – whether it’s making sure that equipment is available for tests or ensuring software works properly for care providers to save a life – that’s a huge win for my career.”
Life as a Technician Before Healthcare
Paul spent many years working in the areas of business continuity, disaster recovery, and finance. He’s written code and systems for financial organizations, financial products, and the banking industry.
“I started out doing IT support for companies that produce statements for 401(k)s. Next, I came over to FedEx after Y2K – do you remember that? Two digits, oh, the world’s going to end…? I stayed at FedEx for many years after that.”
Paul wrote the business continuity and disaster recovery programs for FedEx Express. That’s what gave him exposure to audit security which led him to protect brands and systems.
Paul also had an opportunity to contribute to the FEMA National Disaster Recovery Framework under President Obama. Paul proudly states, “There’s a section in there that I contributed to so that’s kind of my big claim to fame in this industry.”
“FedEx Express is part of the national infrastructure. That means that in the event of a disaster, the federal government looks to Federal Express for its network of moving packages and people around the country. They’re considered to be one of the best in the world.”
Paul is inspired by Fred Smith, founder of the FedEx Corporation and developer of the hub and spoke model. This is the model for the delivery of packages that revolutionized logistics and shipping. FedEx also has the largest privately owned fleet of aircraft.
A Human-Centered Career
“If a laptop or PC connects to an MRI machine, then the laptop can now be considered a piece of medical equipment. This means that there are all these other considerations that we must apply to it now, whether it’s through FDA or other requirements.”
“But you also approach it a little bit differently working with Clinical Engineering. For example, let’s say your Windows PC needs to be patched when Microsoft sends out an update. Normally, I’d have to push the update to your machine. If there’s any issue, you can pull that patch out.”
Paul goes on to explain that updating technology works a bit differently in a clinical setting.
“In a clinical setting where you are affecting patient care, you do not ever want to risk changing that piece of equipment if it is currently working. So, we don’t patch endpoints in clinical settings. There’s a different process that we follow. And that process includes what has been approved by the manufacturer. That process is generally multiple years behind. Now what you’re seeing in the industry are pieces of equipment that have been working perfectly for years with minimal interruptions. But guess what? Software levels and patch levels are so out of date that it literally scares traditional IT departments. My role as the go-between is to put in mitigating controls around clinical equipment because we can’t treat it as standard IT equipment and endpoints.”
Paul’s biggest on-the-job challenge is dealing with obsolescence in thinking processes. Equipment that works well for MRI systems can still be at risk for a cyber attack. He also has to think about how to protect mobile devices as our world becomes more wireless.
Paul recognizes that there is a gap between new processes and old technologies.
“The thing about medical equipment is when something is released, the technology produced is so much farther ahead than anything that’s out there in the marketplace; whether it’s a new way of doing scanning, monitoring bodily systems, or detecting disease. That technology is so new that when we roll it out, it’s simply amazing. However, the legacy IT systems it connects to are somewhat antiquated in their application and processes. It is imperative we protect our old legacy systems. At the same time, we must integrate current IT infrastructure with this newer technology. This problem is what clinical environments are really facing.”
Here’s what Paul had to say about whether or not the pandemic has changed the way he thinks about work.
“I think the pandemic has changed our approach to how we work with technology because now management is forced to address the human aspect of it. Can we solve the same problems with fewer people because you never know when you’re going to have those resources become unavailable? You can have a team of five people working on a project, supporting a system, or upgrading a system. And at any moment’s notice, that team of five can become a team of one. And that team of one is constantly on the phone or (online) trying to gather information or convey ideas. That has a huge impact on any project.”
Achieving Results with Asimily
“We have run into an issue with medical equipment not responding or misrepresenting themselves on the network. We were able to use Asimily to quickly identify all the machines through its artificial intelligence (AI) and reporting capabilities, we were able to create a topographical map showing where each one of the machines was talking on the network. From there, we were able to rein them in within a week. Without Asimily that undertaking would have taken months to identify and remediate. It would have been a huge undertaking because you would have to physically send an engineer or technician to each location to find that particular machine and log into it physically. I was able to put together a very detailed report for senior management within hours using Asimily which demonstrated the value of the solution”.
When Paul is away from work, in his spare time he is a movie buff. Comedies are his favorite. He loves to travel and is an avid Sci-Fi reader. One of his favorite authors is Stephen R. Donaldson. A fun fact: He was also an amateur bodybuilder when he was younger.
As HDOs are increasingly more susceptible to cyber threats, it’s important that we honor IT professionals like Paul Moore. HDOs are reliant on connected medical IoT devices for patient care and diagnosis. Join us in honoring our cybersecurity heroes today.