Enhancing Procurement Decisions with Special Guest Greg Scott
Host: Jeremy Linden, Senior Director of Product Management, Asimily
Guest: Greg Scott, VP of Information Technology, RENOVO SOLUTIONS
Welcome to the IoT Security Chats podcast where we bring you the latest information in Cyber and IoT Security. From asset and vulnerability Management to Incident Response, hear the experts talk about the latest threats affecting connected devices and how to keep your organization secure.
Greg Scott and Jeremy Linden discuss IoMT procurement challenges and how healthcare organizations include cybersecurity considerations during the procurement process.
- HHS Guidance on Risk Analysis
- TechNation Webinar: Evaluating Cybersecurity Concerns During the Procurement Process
Good morning everybody. My name is Jeremy Linden. I am Senior Director of Product Management here at Asimily and I’m really happy to welcome you to our podcast series. Today, we’re talking about procurement challenges in the healthcare industry and about how healthcare organizations include cybersecurity considerations during the procurement process.
I’m really happy to be joined today by Greg Scott, Vice President of Information Technology at RENOVO Solutions. Greg has over 15 years of healthcare technology management experience. Starting out as a biomedical equipment technician, he specialized in electrophysiology support, radiation oncology systems, video integration, and biomedical device interfacing. Greg has an associate’s degree in biomedical information systems and technology and a bachelor’s degree in computer information technology. Leveraging IT skills, Greg was a key part of early medical device EMR integration projects, event management systems, and patch support. Before joining RENOVO Solutions, Greg helped architect the virtual infrastructure and operations team responsible for hosting and supporting many key clinical systems at a large healthcare organization. In his time with RENOVO, he has worked with technicians and leadership to redefine medical equipment management and reduce risk to patients from cyber security threats nationwide. Welcome, Greg. Very happy to have you.
Thank you. Thanks for having me.
So first let’s start out by kind of setting the stage a little bit. Why should health care providers be considering cybersecurity during the procurement process?
Great question and I think it’s really critical that organizations understand what risk they’re getting before they get into it. What to expect when purchasing new technology so they can manage the risk or prepare for unknown costs to mitigate those risks once they come in. I think often organizations want to trust vendors are using the latest technology and these things are actually gonna solve problems for them. And I’ve seen technology staff that has not been in healthcare for a long time and they’re just blown away by the technology these vendors are using or things that [are] brand new but are using an operating system that’s already been outdated for a long time. I think we have to get away from that. There shouldn’t be surprises when we’re purchasing medical equipment. There’s a big push for the latest and greatest from a security standpoint… “we’re trying to get away from XP or go to Windows 10”… and sometimes that isn’t the best path forward really. You think you’re trying to reduce the risk by getting the latest and you don’t know that you may be actually introducing new risk that you weren’t prepared for or haven’t documented yet. I think it’s key that we look at the procurement process, get in front of that and start looking at what’s coming into the organization before it gets there.
Totally agree with that and that brings me to my next question. Understanding all those concerns, a lot of healthcare organizations really are trying to get ahead of this problem but they’re implementing these kinds of processes in a very manual way. Having human beings review manufacturer disclosures such as the MDS2s and SBOMs and in the end this often just ends up becoming nothing more than just a box checking exercise and really just frustrating all the parties that are involved. How do you think organizations should watch for these kinds of what I would call antipatterns while building out their processes and ensuring that organizations are actually getting actionable insights from what they’re building?
I’ve seen this as well. Organizations they’ll create an intake form or an assessment form or a technology form and that’s how the MDS2 form started. That was really the intent there. Let’s standardize this process so we get the information out there and then now we build on that and there have been revisions. I think ultimately what we end up with is it’s a reaction to the “we didn’t know we were going to get this” or “if only we had known before we bought that this thing ran on Windows XP”. That’s true but I think what the organization really needs to do is decide what they want to do and what are they going to do with the data. Do they have a plan? Or are they just checking the box because you start getting all these forms… well now somebody has to actually analyze it. What does it mean? What does this information mean to the organization? Do we accept the fact that it runs on this particular software or has this particular port open and who’s really equipped to make those decisions? Usually, we need to start with the goals. Are we going to do more research? Do we push back on the vendors? Does leadership really understand their role in this? A lot of times cybersecurity becomes kind of the villain here because we get these forms and we get this data. There’s no way we can purchase this. But there’s huge clinical pressure to get the new equipment for a procedure or a support issue, or whatever the case may be. And if it is truly a risk for the organization, then leadership has to be able to take the stance that “no, the clinical use is secondary in this case because this could impact a greater part of our organization”. This takes a village to define the goals, define what they’re willing to accept, define what that acceptance criteria is, and then what they’re gonna do with it. So I think all that needs to really be planned out upfront before we just go collecting data and essentially creating more work for people only to find out nothing changed.
We bought it anyway or we didn’t do anything with it. So definitely take the time now and start planning out how you want to handle your medical device procurement process.
That brings me to Asimily ProSecure, which is our product for supply chain teams to understand the cybersecurity risk that a new device might actually pose. Using ProSecure, you can look up any device model and version and you’ll see all the information that we have about how it behaves in the network, what risk it poses, and what the lowest and highest risk configurations that we’ve actually seen are. We crowdsource these data from real world deployments of Asimily in the field ensuring that you’re always getting up-to-date quality information that you can actually use to make a decision. Greg, as our partner, you work with healthcare organizations to operationalize our products, how would you generally recommend that organizations make use of the data provided by ProSecure during the procurement process?
I think it goes back to having that team to be able to look at that data and be able to provide really the decision making information that leadership needs. When it comes down to the technical path, the actual road map is built into the report. By crowdsourcing that data, you can see “this was the worst case scenario”, “this is how we would have bought if we don’t change anything”… to the best case scenario, “here’s what other hospitals are doing”. So having that information creates a technical path and it equips the staff to be able to say, “look, maybe this thing is not the most secure device upfront but we’re confident that we can secure it using these things because we’ve seen others do it”. Without that, you’re just shooting in the dark and you end up with a lot of questions for the vendor… “OK, well can we do this… can we do this…?” Asimily has taken out the hard part of that work and I’m really excited to be able to offer this to our customers because now they can come to us with questions like, “hey what do you guys think about this device… this new thing we’re considering”. We can run the reports and we can actually show them what it’s gonna look like in their organization and get in front of some things that they may need to do to make sure it gets implemented securely. We’ve seen great results from this already. We recently worked with the vendor that did an upgrade to the system. We looked at the system ahead of time and we were able to say, “we know this is gonna come in with these ports exposed. By virtue of how we’re gonna use the system, these ports don’t need to be enabled. You, vendor, can you lock these down? Can you turn this off when you do the install?” which reduced the staff labor required. Our HTM staff didn’t need to do anything. The IT staff didn’t need to do anything extra. We took the out-of-the-box configuration and the vendor was able to make it more secure for the organization just by virtue of knowing we can turn these things off.
All of those things add up and I think it hugely impacts the efficiency of the department and our ability to secure the equipment. Getting this information in the right hands and the right staff allows them to make the right decisions and allows leadership to drive things where they need to go.
That makes sense. This is an issue that you mentioned earlier around clinical engineering concerns and IT or cybersecurity concerns. What do you think the right way is for healthcare providers to balance those two considerations together as well as other factors during the procurement process? Obviously, you can’t expect IT or cybersecurity risk to always take precedence but also you don’t wanna ignore it either.
This is a key process that goes back to both defining risk for the organization… what they accept… but also understanding the clinical workflow. HTM is in a unique spot where it’s easy for them to work with the clinical staff and understand what the patient implications are. We don’t wanna be in a situation where we’re compromising patient safety due to downtime for patching or interoperability because of some kind of security type control. This is a compromise. Security, in general, is compromised. We’re never gonna be able to fully secure the devices and make it easy to use. I think really the recommendation here is to have your teams work together. You can’t do this in a silo. There’s gotta be a good working relationship between IT security, the clinical staff, and the HTM staff because they all have the same goals. They all want good patient outcomes. There’s just different priorities and focuses depending on where they’re coming from. I think that can be reached. The ProSecure data really helps us get there by kind of putting in a technical view for us technical staff. By converting that into the workflow for the clinical staff, we can really hopefully make those compromises and make the right balance between safety and security.
Going back to ProSecure, a lot of customers are leveraging that intelligence during the procurement process we talked about before but we are also seeing other customers using it to make decisions around whether and how to connect standalone devices that aren’t currently online but they have the capability to be. And the hospital is wondering should we leave these offline or should we turn the connected capability on to get some of those benefits that hospitals get from having everything connected and visible in a platform. How do you think healthcare providers should be thinking about those decisions?
I don’t think there’s a single answer. I think it really comes down to what is the healthcare organization trying to achieve with that device. We saw this a lot with the early adoption of interoperability with the big push with EMRs and being involved in that space. I was able to see kind of the negative side. We had equipment that didn’t always play well with interoperability or different middleware because it was never truly designed with that kind of robustness in mind. Before security ever became a consideration, we had actual, you know, potential events just due to the interoperability. When you introduce security, there’s a lot of things that, you know, they could be placed directly on the network but now you have a huge risk to the organization. I think you have to look at that and say, “is it worth that risk?” If this one device could be compromised and then take out the organization, now you’ve done a huge disservice. You may have gained a few minutes here on this interface, but maybe you wiped out the organization for a month because of ransomware. That’s a realistic thing that could happen. You need the right information to determine how risky is connecting this. You need the information to say what are we gaining from connecting this. There’s some equipment that’s naturally not secured from a patient data perspective or a data privacy perspective but the gains on the interoperability, the gains on the staffing side are huge whether it comes to timely data or more accurate diagnosis because the information gets into the system faster. Those things are worth the compromise of having an insecure device kind of floating around where patient data may be accessible because you’re saving more than you’re losing there. There is no one-size-fits-all. Each system I think really has to be analyzed one at a time and it’s key to have the right information because, you know, these are tough decisions to make.
Without the right information and without the right people in the room, you may end up making the wrong decision.
Absolutely. We definitely know that there’s no silver bullet and there’s no one-size-fits-all solution because every organization is unique and their needs are unique. Finally, one aspect of ProSecure that we see our customers getting a lot of value out of is the use of some of the crowdsourced configuration data I was talking about earlier to create hardening guides for these devices on the network. Basically, you know telling them, “OK, here’s how you can configure this to make it the most secure possible”. How do you recommend that healthcare organizations use this to improve their security posture?
I think this creates a great task list for anybody working on securing these devices because without this information, and I’ve been down this path myself, you have a device. First, you figure out what’s wrong with it. Then, you find out “OK, what can I do to fix these things?” And that usually involves a lot of Internet research [and] vendor research [and] trying to get ahold of the right person in engineering and they may not always know the answer or they may not be in a position where they can recommend the right thing. A lot of times we see vendors say, “From a patient safety perspective, this device functions properly. It’s not at risk. We have no recommendation. We’re not gonna change our configuration or our posture because of patient safety.” And they’re not looking at the potential threat to the organization from a networking perspective or ransomware or a place that attackers could pivot. So by looking at the crowdsourced information, some of those hardening guides, it cuts through a lot of that time and the effort, the labor and really does all the hard work for us. We can see, “OK, boom, here’s what we need to do to harden this device. I don’t need to make phone calls. I don’t need to chase down leads and do research. I can take a look at the information, go to the device, and implement the configuration recommendations. Done. Now, I’ve moved the needle. I’ve reduced the risk of the device.” This is really why we’re here in the first place. Circling back to the beginning, we talked about all this data. We’re in an age of data, collecting all this information, but what we really need is insights. By looking at these hardening guides, it provides the insights we need to move that needle and ultimately secure these devices.
I think that’s a great note to end on. Greg, thank you for joining us. I hope everyone else found the conversation as informative as I did and if you wanna learn more about Asimily you can visit our website or shoot us an e-mail at email@example.com. Thank you and until next time.