Integrating Cybersecurity Risk Assessments in Capital Planning
Welcome to the IoT Security Chats podcast where we bring you the latest information in Cyber and IoT Security. From asset and vulnerability Management to Incident Response, hear the experts talk about the latest threats affecting connected devices and how to keep your organization secure.
Carol Davis-Smith and Priyanka Upendra discuss integrating medical device cybersecurity risks and cybersecurity information in capital planning, its complexity, and reassessing replacement planning and new purchase decisions based on the impact of cybersecurity risks and risk reduction measures.
- AAMI’s Acquisition Guide for Clinical Technology Equipment by Carol Davis Smith
- Forbes Blog Cybersecurity & Data Protection in Healthcare
- Health Industry Publishes Model Contract Language for Medical Technology Cybersecurity
- Adopting FDA’s medical device cybersecurity draft to minimize security risks at healthcare organizations
Good afternoon, everyone. I’m Priya and I’m the head of Customer Success here at Asimily and it’s great to be back hosting the Asimily podcast today. Today’s discussion is super insightful and aligns with a topic that I have personally fought tooth and nail on in my prior roles at health systems. And we have my mentor and someone I respect a lot, the super talented and fabulous guest speaker today, Carol Davis-Smith. She’s a sought-after expert and thought leader in the healthcare technology management space. A little bit about Carol.
She’s been in the development and maintenance of safe, reliable, cost-effective, and efficient patient care delivery systems through technology and process management. She has 30 years of experience in academic and not-for-profit medical centers, group purchasing, consulting, and executive leadership roles. Through collaborative leadership and technical engagement, she continues to build successful teams across all aspects of the medical device lifecycle. In addition to her private consulting work, Carol serves as the Director of the University of Connecticut Clinical Engineering Internship Program within the university’s Biomedical Engineering program. As the vice president of Clinical Technology for Kaiser Permanente, Carol developed and implemented corporate strategies and initiatives related to the clinical technology lifecycle. Prior to Kaiser [Permanente], she was responsible for the development, marketing, and delivery of clinical capital lifecycle consulting services for Premier. She also served as the vice chair of clinical engineering for the Association for the Advancement of Medical Instrumentation (AAMI) Board of Directors and is a former (founding) member of the AAMI Technology Management Council. Additionally, she is a member of the American College of Clinical Engineering (ACCE) and a former member of the United States Board of Examiners for Clinical Engineering Certification. Carol holds a Master of Science degree in electrical and computer engineering from the University of Arizona with a specialization in Clinical Engineering and a Bachelor of Science in Bioengineering technology from the University of Dayton. She is a certified clinical engineer and a Fellow in the American College of Clinical Engineering (FACCE) and the Association for the Advancement of Medical Instrumentation (AAMIF). With that, Carol, thank you for being with us today again and I really appreciate you sharing your insights on this much-needed topic. 
So medical device planning, it’s such a complex task and replacement planning decisions are just so challenging, not just for clinical engineering/healthcare technology management, but also for other stakeholders in the healthcare ecosystem. Now with the increase in cybersecurity risk, integrating medical device cybersecurity and other cyber security information in capital planning is very complex. It also aids assessing replacement planning and also facilitating new purchase decisions based on the impact of the cyber security risks. Also, different risk reduction measures that must be implemented prior to deploying a medical device can add complexity to this decision-making process. One of the things we’ve done here at Asimily is effectively showcasing vulnerabilities, anomalies, utilization data, risk and impact scoring, all of which really transforms the capital planning process and makes it an evidence-based and a data-driven approach. When this cyber security information is integrated within the asset management system, the capital planning process or the replacement planning process really becomes a seamless offering, and along with that you have a robust mechanism to offer an accurate baseline of spend and spend strategies to different stakeholders in the healthcare system. So Carol, you have developed and implemented trailblazing methods for effective capital planning in our industry and you’ve advocated for these with the C-Suite. So how do you see health systems adopting this information to influence their capital decisions?
Yeah, that’s a great question, Priya. And as you mentioned, it’s been really a cornerstone of my career over the last 30 years. Thank you so much for those kind words in the introduction. I think it’s really sort of a two-edged sword in that for decades I’ve been advocating a very quantitative, very objective data-driven approach to forecasting technology needs, capital or otherwise, fleet management, all of our medical devices; the planning and procurement benefit from a more data-driven approach. What’s unfortunate is that I have not seen, over the years, very good use of that. We, as the healthcare community, not just in healthcare technology management or IT or cyber but just in general, continue to be a very subjective sort of who stomps their feet the loudest, who can make the nicest PowerPoint presentation. It’s unfortunately still rampant, if you will, in our industry. There is a movement, though, and perhaps a silver lining coming out of the pandemic, is a realization that for health systems to remain viable they have to be more data-driven, and their capital equipment certainly became front and center to them for their planning efforts. One – just to survive during the pandemic, and now recognizing that this is our new normal. Dealing with the unknown, and the unknown that comes out very, very quickly. So with that said, I think the data that’s available from the cyber security monitoring and assessment tools is incredibly valuable. Will it streamline? Will it dynamically and significantly change how capital planning and technology forecasting is done? I hope so. I hope it’s maybe that needle that pushes us over the edge. We will use that plus all of the other data that we have available to us in our maintenance management systems and our IT service delivery systems and our supply chain systems. There is lots of data we should be using. Certainly, we should be incorporating this cyber data. Unfortunately, there still seems to be a gap.
Our IT colleagues have lots of this information. Some of our HTM colleagues have some of this information. I think we’re working hard and fast on building the relationships between the two groups to best figure out where that data can and should reside and how to share it. I think we’re finally past that point of “I have to own it,” where we end up with these duplicate databases that are never right because they’re not really redundant. They are operating in silos. I think we’re moving past that, thankfully, to an environment of figuring out how best to share this information. I think the thing we have to be careful of is, just like any other piece of data, it is a piece of data. Have we turned the data into information? Do we know what that data actually means? And do we know what that cyber data and information means relative to both our financial world and our clinical world? Because we need to remember, we are in the business of delivering health care. We’re not in banking. We’re not an IT company. We are not medical device companies. We deliver care, and so these are tools that support care delivery. So to say that a cyber piece of data or information trumps everything else is really not probably a smart approach, any more than saying any other piece of data is the one that’s going to trump everything else. It takes a lot of sophistication and the ability to look at multivariate and multi-criteria decision-making techniques. So I’m pleased, though, I think that cyber security is really pushing us to take that approach. And so from that standpoint, I’m thrilled that Asimily and others in this space are bringing the data forward and saying use it, and encouraging customers to use this data in a very proactive way.
From my perspective, for several decades we’ve seen capital planning decisions really being dictated from a clinical standpoint whether it’s you know clinical user preference or the need for different clinical applications. But now with cyber security solutions and especially Asimily, you have a lot of operational data, not just cyber security risk but also how effectively are these devices being used. One personal experience with that, amidst COVID we had to do a lot of new purchases as well as redistribution of assets. Operational data, that is utilization data, really facilitated that.
So how receptive can other stakeholders be to using this kind of operational data from cyber solutions to really streamline the capital planning decisions?
I’m not really sure what will ever streamline these decisions because they are very complex, but will they? I think this data makes it easier to have a very informed, well-thought-out, strategic decision. The idea of utilization has sort of been that Holy Grail, next frontier, whatever analogy you want to use, for decades. What I do like coming out of these cyber tools is a greater ability to capture utilization. Now in some cases, it appears to still be, I’ll call it, relative. Much like RTLS: is it on the network? Physically, where is it located? That gives us a relative sense of… if it’s in a storage room, clearly it’s not being used. If it’s in a care delivery space, patient arm, procedure room or whatnot, then there’s a higher probability that it’s actually in use or is about to be used or was just used. So the correlation is a little better. But as I see these tools mature, in particular on the cyber side, and a little bit on the RTLS [side], but definitely more on the cyber tool side, the ability to know if the device is actually doing something, because we’re looking at live traffic on the network, that very real utilization data then helps us balance and know better… are these devices being used frequently in critical situations based on the location? Because it may be something that we don’t use very often, but it’s critical that we know when it’s being used and how much it’s being used. So I think that’s a huge value-add to the process to make better capital planning decisions. And to really debunk the preferences, because as you mentioned, historically it’s been a lot of what I call subjective data in air quotes, opinions and biases, and this is getting us more into that real data. Somebody says it’s used a lot; now we have a data source to tell us what “a lot” means.
Statistically, you’re looking at medical devices accounting for roughly 25-28% of capital expenditures and what I see organizations not doing with all of this data-driven approach is holding vendors accountable. Now with cyber security information and with operational information, whether it’s cyber security or your asset management, you’re getting massive amounts of information on device performance which is different events, incidents, or even the vendor-provided services. How do you see cyber risk information influencing vendor reviews for financial savings and service level agreements? That’s something that we haven’t really done using a data-driven approach.
Right. And as you know, this is not a new problem, this product performance. Whether it’s the product or the vendor supplier themselves, their performance, this is something that we in the healthcare community, the HTM community, have not been really good about managing to date. I think what cybersecurity brings to the table is, we’ve been hit in the pocketbook, right? If we don’t manage this, it becomes not only an operational risk to delivering care, which first and foremost just makes me crazy, but financially we get hit with fines. And we are hit with brand impairment, right? I mean, as consumers, we want to go to places that are not only safe in the operating room, but are going to protect my data. So there’s a brand implication. I think it elevates cyber data, especially in senior management, the knowledge that if we use this data and information, we can mitigate our risk. We cannot control our future, but we can certainly influence our future in a very positive way. And so that, plus all the other data things that we’ve talked about, is now maybe getting escalated. At the end of the day, we actually have to manage. We have to have things like business review meetings, regular quarterly, semiannual, whatever it might be, and have those conversations with our suppliers about their products and their services, and make sure that we’ve built into our contractual agreements expectations, quite frankly, on both sides. I think as healthcare, one of the things I did in one of my prior lives was, how does my health system communicate to my potential vendors and my existing vendors what my ecosystem looks like? They cannot promise that their product or service will function seamlessly and reliably if they don’t know the environment that it’s being placed within. And so as healthcare HTM leaders and leaders, we need to make sure that we’re having that conversation. Are we building and maintaining an environment that’s conducive to these products and services? And if not, do we partner and adapt on both sides, us and the suppliers, or do we have to look for a different supplier? At the end of the day, we’ve got to regulate this thing, again in air quotes, with our pocketbooks, with our checkbooks. Buy products that are compatible with the environment, not things that we think should be or we’d like them to be. We need to have better, more strategic conversations upfront.
Excellent. The takeaway for health systems to really move from a reactive space to a proactive space with managing clinical technology and also ensuring continuity of care operations and care delivery operations is, it’s important to not only look at what products you’re buying but also what are the services you’re getting from the vendor like standard services. Are they supporting you through your events and incidents or what sort of backup do you have to ensure the continuity of operations?
That brings me to my next point, and this is again an area that I have struggled with as well and had a lot of success using Asimily, and I’m going to get specific with Asimily here. Various health systems are struggling even today to obtain relevant cyber security documents, whether it’s a network architecture or MDS2 form or even just as simple as a firewall fact sheet, if you will. And because of that, they bring in devices but they don’t know how those devices fit into the infrastructure. And then to add to that, you have a lot of time delays and a lack of accountability in obtaining those different documents necessary to assess risk. The majority of the health systems avoid that time delay and any impact to clinical care, so they are continuing with purchases and retroactively doing these risk assessments. One of the benefits we’ve had with Asimily for our customers is called ProSecure, which is proactively doing risk assessments or pre-procurement risk assessments. That’s been a game-changer. Regardless of whether the health system obtains these documents or not, you have a lot of information already available in the solution, whether it’s an MDS2 or looking at what the exploitable vulnerabilities are. How can you simulate risk? Now these risk assessments can not only help you move into that proactive space with managing the cyber risk as well as operational risk, but also help health systems enforce cyber security standards more effectively with vendors. Do you think that is a direction health systems can take, and how can they better enforce, you know, internal cyber standards with vendors and also get better responsiveness?
That’s fascinating actually, Priya, and I think this is a real area of struggle for health systems. One, I think it is awesome that you guys are providing that level of detail and insight to the data and information. It sounds like a collaborative sort of thing because you’ve got access and visibility to other clients and other experiences, not just what maybe I have at my health system. And I hear the same thing from CMMS suppliers with their data set: we have all this experience because we have these clients. I think the big stumbling block for health systems is having somebody inside the health system that has the skill set and visibility to do something with this data. I think that’s where the challenge is… and, a little commercial if you will for a clinical engineer, I think we need a clinical engineer-like person in the health system that lives in the traditional clinical engineering world, which is the technical world, and not just HTM, but IT and all of those others, the facilities and whatnot, but also acts in the clinical and the financial business world, who understands where to get this data and how to use it. I think the value is there, but it’s latent… it just has potential… until we have somebody inside the health system that can actually grab hold of it and use it and analyze it and interpret it for the health system to then turn that potential into action. So I applaud the fact that Asimily is providing this to customers. I think that’s awesome. I think we need to figure out how we get health systems to employ people in their health system on their teams that then can analyze, interpret and understand the data and can turn it into action. I think that is.
I think we need another hour to talk about blended expertise and how staffing challenges relate to that end. And one experience I had with one of the health systems is they actually got a security white paper for infusion pumps, and the health system basically consumed that information and said, hey, everything looks great, we’re good to go through the risk assessments. And then they actually looked at our risk assessment, which is based on what we see from the network traffic and what information we have crowdsourced from different threat intel sources, and then we realized, hey, the security white paper you got from the manufacturer is for a different version of the pumps than what you actually have in your environment. So you have, let’s say, you know, version 12.1, and you’re receiving a paper for 12.7, and there are different clinical capabilities between the two as well. So that’s clearly where I see, you know, solutions having that data-driven approach to enforce that accountability, as well as having all the checks and balances with what you have in your environment, your existing inventory, as well as what you’re bringing in. It was just a really comical scenario because the health system had to go back and remind the manufacturer like, hey, this is what you sold us. Let’s go back five years ago and find ourselves and see what happened.
Right, right. And that’s just such a painful but good example of where health systems have lots of data available to them, but they don’t have the decoder ring. The decoder ring being a professional who can interpret the data and the information and say, does this apply or not, right? I mean, it looks good. It looks impressive. I know what it says, but I don’t know what it means. That’s a tool that I think health systems, especially health system executives, do not know what they do not know. And so that’s just a painful example. But you and I both know, having been, you know, the only clinical engineer in a health system, there are only so many projects we can work on at any given time. Having that expertise available is… both of us have seen examples where that scenario would never have gotten that far down the road, because we would have read this white paper and said, well, this is wonderful, but it’s not what we’re getting from you. It’s not what we’ve asked you for.
That speaks volumes about the need to have healthcare technology management and IT getting a seat at that table with capital planning.
Yes. And seats next to each other, and they come walking into the room together because they’ve already been talking outside the room as a team in terms of what’s our environment, what can we support, what can we not support, why, how do we meet and what does that all mean in the context of delivering care, since that’s our core business. I think it’s not just having those two seats at the table, but those seats are next to each other and those two are hand in hand, step in step with each other to really support the organization. I think we’re moving there. I’m seeing that more often. It’s just making sure those two teams understand that they need sort of this piece in the middle that can do a lot of data interpretation and analysis, so that the tactical teams can do their job efficiently both in time and dollars, and senior management can make good, well-informed strategic decisions, so we’re not just tactically running around playing whack-a-mole when we could be doing something that’s much more effective. What is that? Work smarter, not harder.
I recently read this blog where a CMMS vendor emphasized, or for those who don’t know, CMMS stands for computerized maintenance management system. It’s an asset management system that is more used in facilities or fleet management as well as healthcare technology management or clinical engineering. This vendor really emphasized that health systems should identify what vulnerabilities or weak points the attackers will target. And what I’m actually seeing, many vendors and many different solutions in this market, they’re actually showcasing patch updates or manufacturer information but nothing much on actual vulnerabilities that make the device and that health system exploitable or vulnerable. Where I’m going with this is, when you know what your weak points are, not just knowing your inventory, but what the weak points in your inventory are, that really is a game changer for risk management strategies. So what are your thoughts on getting that specific information, where you know the specific weak points, so health systems can act upon their high usage and high revenue devices earlier on? That way patient care and care delivery is not impacted. I ask this because, you know, we’re seeing different attacks going on domestically right now with health systems and a lot of care operations are impacted. It’s causing havoc with different patients and communities. So now knowing not just your inventory, but what are those weak points in the inventory? What are those different threats? What are the vulnerabilities that could be exploitable? That’s just an insane amount of information and perhaps that would help enforce better responses from vendors. So what are your thoughts on that?
Yeah, that’s a tough one, because I think it’s a moving target. My first response is a better pre-purchase investigation. So again, not just, I mean, certainly we’ve got to be narrowing the look at what are the products that do the clinical function that we need accomplished, but then really digging into not just is it on the network or not. What protocols does it use or not? But I think back to some good old fashioned clinical engineering of understanding how the device works, and really digging in and understanding the design. And not in a way that’s competitively threatening to vendors, and there are nondisclosures. These are things that we should have been doing long before cybersecurity became an issue. We do not, generally, truly understand how devices work from a technical and from an engineering perspective. So that’s one thing I think we need to do a better job of. But I’ll say again, these vulnerabilities today are moving targets. I’ll go back to the relationship that is getting better, it’s getting much better, between HTM and IT, because there are multiple parts here. Here’s how the device works. What’s the engineering and the design behind the device? How is the network architected? What’s the environment that we’ve created at the health system that these two have to be able to play in? Again, this is a systems-of-systems challenge. It may not be a vulnerability on the medical device per se. It may be a vulnerability of the choices we’ve made in terms of how we architect and implement our network and our IT structures and our data structures and all those sorts of things on our side. So I think it’s this understanding that it’s not them, it’s us. It’s all of us in this system of systems, which again means we probably need some additional skill sets on the health care delivery side, to be able to mesh IT expertise and better practices with care delivery.
In my mind, I’ll go all the way back to the old days, a very simple network, or even, let’s not even say networks, let’s just talk about power systems. We as clinical engineers and other HTM professionals had to work with our facilities colleagues to say, when the power goes out, how do we keep the ventilators running? How do we keep the lights on in the OR so that we can stitch the patient closed? It’s essentially the same thing. If our network is compromised, how do we keep direct patient care moving forward? Is it optimal? No, of course not. Neither was it when we had to worry about operating the emergency generator. It was suboptimal, but we had a plan, and we had the little red outlets so your ventilator was plugged into that one and not the white one. I think we ought to continue thinking about these principles and apply them in a very similar way to say… our health system cannot be brought to its knees because our EMR goes down. That’s horrible. Don’t get me wrong. That’s horrible. But it should not mean that the ventilators stop and the lights go out in the OR and we cannot take care of patients. Yes, it’s harder. Yes, it’s like the old days, but we can keep our patients safe. We can keep our staff safe, and I think it goes back to not us and them. It’s really looking at these as system-of-systems designs and understanding the engineering in each of these and not just taking the simplest answer. I’ve had both HTM professionals and IT professionals say, “but that’s harder for me.” Guess what? That’s our job. At the end of the day, we need to make sure that care delivery is as streamlined as possible. If it means a little more effort on our part, and especially if it means extra effort on our part up front, it probably means less effort on our part in the end, because we have a plan and we’ve designed a system-of-systems. It doesn’t bring the whole organization to its knees.
I mean it’s no longer about the physical environment of care. It’s all interconnected. You definitely need a collaborative approach whether it’s procurement, continuous operations, maintenance, or decommissioning devices or just everything on that spectrum.
Carol, this has been so insightful, and October is Cybersecurity Awareness Month, and we often talk about phishing campaigns, having multi-factor authentication, talking about password protection, all of that good stuff, but, you know, talking about effective capital planning, adopting evidence-based approaches is critical. This is new information not just for the HTM community looking for that blended expertise, but also for the IT and cyber security community. So thank you for being here with us with Asimily and sharing all of this information that really allows different stakeholders to better utilize, you know, solutions like Asimily and effectively plan equipment purchases and capital spend. In fact, I’m actually seeing an increasing trend where IT leaders and cyber leaders are getting involved with medical device planning. And that’s just fabulous, what’s happening. And you’re a thought leader in this field and you’ve driven all of these processes. We really appreciate your leadership and look forward to our continued collaboration.
Carol Davis-Smith:
That sounds great. And thank you for promoting such a proactive perspective on the topic.
Thank you. So listeners, if you have questions or would like to learn about what Asimily has to offer, don’t hesitate to contact us at email@example.com. Until then, take care and stay safe.