Strategies to Address the HTM Cybersecurity Staffing Shortage
Welcome to the IoT Security Chats podcast where we bring you the latest information in Cyber and IoT Security. From asset and vulnerability Management to Incident Response, hear the experts talk about the latest threats affecting connected devices and how to keep your organization secure.
Host: Priyanka Upendra, MS, CHTM, AAMIF, Senior Director of Customer Success at Asimily
Experts: Shankar Somasundaram, Founder & CEO, Asimily; Jim Cheek, FACHE, Division President of Healthcare Technology Solutions, Crothall Healthcare; and Eddie Myers, HCISPP, CBET, Director of Cybersecurity Healthcare Technology Solutions, Crothall Healthcare.
Discussion Topics include:
- The need for HTM cybersecurity managed services
- Aligning strategically and operationally to manage cyber risks of IoMT/patient-facing assets
- How can HDOs (Healthcare Delivery Organizations) ensure they are getting the most out of their vendor / managed services provider?
Good morning, everyone. I’m Priya. I’m the Head of Customer Success here at Asimily. And it’s great to be back hosting the Asimily podcast today. First things first, wish you all a very happy Healthcare Technology Management week. This is the week to recognize and appreciate the HTM professionals in your organizations for the important role they play in facilitating safe patient care delivery. So do take the opportunity to appreciate them make note of what they do, and the value they bring in your organization. Today’s podcast has vein three familiar experts in cybersecurity and healthcare technology management. We have Crothall as well as Asimily. And our focus today is going to be on cybersecurity program development, risk remediation activities, and getting the most value for your engagements with the vendor and your managed services provider. With that, a few introductions here. We have Shankar who is the CEO and founder of Asimily. And in this role, Shanker drives the overall vision, strategy, and core technology for the company. Prior to this role, Shankar started and ran the IoT business at Symantec. He holds over 60 granted patents, including a recent one on Vulnerability Management for connected devices. And thank you, Shankar, for being here.
We have Jim who’s the President of Crothall. He’s been in the healthcare managed services area for more than 30 years. He began his career with ServiceMaster leading several healthcare hospital-based management programs. And he is a dynamic leader that focuses on the client’s needs. He came to Crothall Healthcare Technology Solutions in April of 2016. And he brings extensive experience and a proven track record of growth, client retention and people development. Thank you, Jim.
We have Eddie. Eddie and I work very closely. He is the Director of Cybersecurity at Crothall Healthcare Technology Solutions. He’s been in the industry for many years and over 12 years, working in healthcare information, technologies, PACs (Picture, Archiving and Communication Systems), and HTM. Eddie leads the cybersecurity program at Crothall. And he provides project management, IT consulting, technical support, and security management services to the Crothall clinical field service operations. With that, let’s get started here.
Clinical device cybersecurity risk management is complex. It’s tedious and comes with numerous challenges on all three fronts, people processes and technologies. And to overcome these challenges and the unique challenges. We need to build a successful program that is proactive in nature, achieves risk reduction measures, and has a strong collaborative front. So what you need is you need a robust technology like Asimily, you need the right kind of people and skill sets like what you have from Crothall. And you need strategy and tactics that align with each other which you really get from a joint solution and services of Crothall and Asimily. Along with all of this you need powerful metrics that measure the effectiveness of your people, your process and technology. With that, it’s crucial to discuss all of what we’re going to address in this podcast and to transform the environment of care and ensure that you have a data-driven and an evidence-driven approach to managing the cybersecurity risk and actually achieving risk reduction.
With that, Jim, we have one first question for you. You run the Crothall ISO program, the Independent Service Organization. You have seasoned HTM professionals in your organizations and in the last few years, you’ve addressed an ongoing challenge in the industry which is HTM cybersecurity staffing. What drove you to start this business of MSS (Managed Security Services) within Crothall in this area and can you tell us more about the needs from the HDO side, that is actually driving this?
Well, thank you, Priyanka. And thank you all for having Eddie and I today. As our organization has grown a lot and is more reflective of customer needs. The reason we got into more into CIT training and understanding is because our customers and the market said, ‘more and more devices are connected, you’re working on those devices, and we need a clear line of sight for cybersecurity’. We are much more today than just a break/fix organization. And as more and more medical devices have become connected to the network and risk associated with that has increased. Back in 2017, we initiated a CIT training program that really made it a priority for our technicians and our engineers to get that training. And later, we started a certification program. We also created a national support structure, which Eddie leads, so that those problems could be escalated beyond those resources onsite. Now, here we are five years later, and the need is even greater. I think Beckers today just shared that there’s an average of 1400 cybersecurity, breaches every week in healthcare. The need is just increasing. So we want to do more than just interface with it. We want to be part of the solution and through our managed to cyber service and our relationship with Asimily where we’re using this technology to bridge that gap between where traditional clinical engineering responsibility ends and where facility IT responsibility begins – using that relationship and the technology, having standards and processes in place, it’s allowed us to improve patient safety, minimize risk, and meet our customers needs.
Thank you, Jim.
Eddie in your role as a cybersecurity leader and practitioner, along with what Jim said, can you describe some challenges that you’re seeing with the evolution of cyber risk and with HTM primarily, managing maintenance and repair. Do you see this landscape trending more and more towards the cyber projects?
Yes, absolutely. As an ISO, we do have challenges. One of our major ones is engaging OEMs around cybersecurity. For instance, one of the big ones that I won’t name here won’t even talk, cybersecurity or patches or mitigating steps unless we have a PO in hand for him. But then again, on the flip side, there are some OEMs that are wonderful to work with that answer all our questions give us the documentation that we need. Some even give us logins to their security portals and that really helps my team respond quickly, we’re able to log in and look for patches and MDS2s, and what have you. So there’s a wide variety out there. And as our clients cybersecurity footprint grows and they’re connecting more and more devices, having those boots on the ground is key. The local Crothall resources aren’t only doing break/fix and PMs [Preventive Maintenance], they’re now having to respond to cybersecurity incidents. And that’s where my team comes in. We do a lot of the heavy lifting the research, so that when we do reach out to him, it minimally impacts their day to day operations. We’re also working on building cybersecurity into PM schedules. Some devices out there can have Windows patches installed the day they come out. So starting to build those into the PMs is really helping. And the second part to your question, yes, the landscape is changing. We’re no longer hearing from our clients and potential clients that there’s not a budget for medical device cybersecurity. In RFPs cybersecurity is now one of the determining factors. And so it really, really is shifting and, another project that we help our clients with is identifying where on the network medical devices are, what VLANs there are, so that we can help move them to a more secure VLAN where it’s just medical devices. A CT and MR don’t need to be on the same network as a nurse computer. So really helping them around those projects.
Thank you. As you can see, there’s a lot of data in Asimily that will facilitate these conversations and make that more evidence approach. Thank you for sharing that.
Shankar, you started Asimily, because you recognize the real need and the industry. And you’ve seen the industry adopt in this space so rapidly over the years. What is your advice to health systems that are struggling to collaborate internally with different stakeholders, as well as like Eddie mentioned, externally with vendors and also managed service providers?
Yeah, I think when it comes to health systems, the first thing is that whether you’re on the HTM side or whether you’re on the cyber side, you have to understand that everybody in the ecosystem is there to support and make sure there is patient care available when needed as needed. And I think the final goal is the same for everybody. And I think people sometimes forget, and they think that the cyber is only interested in securing and mitigating vulnerabilities, whereas they don’t understand the final objective or goal or why they are there. And I think we have to understand that everybody is in there with one particular aim of helping the patient.
But more specifically, I think the two things that are going to be required that HDOs should do are… The first thing is they have to map out the set of capabilities that each of these groups have. So for example, cyber have a set of capabilities that they bring to bear to the entire managed service [and] to the entire service of the organization. HTM has a set of capabilities that they have around medical devices that they bring value. And the MSS players like Crothall they bring value in a particular manner. They see across systems. They see across customers, and they have an understanding that is unique to the organization. So the first step is mapping out who brings what to the table is important because when you understand who has what kind of specialization in that on the table, then you can effectively divide the responsibilities appropriately.
The second thing is you have to map out the journey or the flows for each of the areas. So for example, there are four or five different areas that you’re going to look atou. Y’re going to look at the inventory visibility side. You’re going to look at it from a Vulnerability Management side. You’re going to look at it from an Incident Response and Anomaly Detection side. You’re going to look at it from a Disaster Recovery or Recovery in case of an incident. And so for each of them, you have to map out the journey and figure out: where does HTM sit, where does cyber sit, and where does an MSS sit like Crothall. So for example, for Vulnerability Management. If I map it out, most people think of it and say Vulnerability Management is a cyber problem. But cyber would say I can’t do anything about medical devices. And Crothall would need support from the Networking team to take certain action. So nobody really knows who’s doing what. Whereas the right way to do it is to map out every step in the Vulnerability Management journey. You start off with saying, ‘who’s really mapping out the vulnerabilities to the devices’. That’s step one. And so a solution like Asimily would do that as part of the environment. But cyber and the MSS provider would effectively be responsible for that.
Step two, who’s really going to determine whether the vulnerabilities can be taken advantage of in the network. Step three, who’s going to help prioritize and determine and help with the prioritization. Step four, who’s going to do the mitigation. And within mitigation, there are many different steps. There is the segmentation that Eddie mentioned where you’re breaking out devices into different groups [and] there is the ability to just block the part of the attacker based on recommendations that Asimily provides that does not require micro segmentation or patching. And then there is an absolute patch. And the entity who does each of them is very different. So that’s one example where you map out the flows and there’s more to it. But that is one example where you map out the different stages of each of these aspects like Vulnerability Management, figure out whose skill set best suits that particular part in the journey and look allocate that piece to them. And then when you actually do that, you have a very strong, collaborative environment where everybody knows what their role is going to be. The MSS provider knows what they have to do and what they have to deliver. HTM knows what they need to do and cyber knows what they need to do. And I think that creates a far more collaborative environment where you have clearly mapped out roles and responsibilities based on flows.
Thank you, Shankar. If I actually visualize what you just said, you’re basically talking about the RACI Matrix where the organization recognizes the different roles and responsibilities for every stakeholder that’s necessary in this ecosystem, lists out all of the activities across the important components of a robust cyber program, and then assigns those activities to each of those stakeholders. Thank you for that.
That actually brings me to my next point to you, Eddie. You’re doing a lot of this, frankly, with your Managed Services program. What have been some of those focus areas for your team in particular, that where you’re ramping up the cybersecurity risk management with your customers?
Absolutely. Cyber Hub is our full program that we bring to our clients that we implement. This includes the installation of Asimily and then the administration and the managed service sides of it. Whenever we roll this out to a client, inventory matching is key. Clients can have 10 to 15 of the same Ultrasounds or EKG parts. So identifying exactly which one we need to focus on is key because in the event of a vulnerability or hacking incident, speed is of the essence. And knowing exactly what you need to address has to be paramount. With that said, that is a very time consuming process. Some of our clients have 700 connected medical devices. Some have well over 20,000 connected medical devices. So it is a very time consuming effort.
As we work through that, we have been moving into the high-impact high likelihood devices. And this is what sets Asimily apart. As you do your Threat Analysis, you categorize them into different categories. And so by focusing on the high-impact, high-likelihood, it gives us a definitive starting point of where we can make the most impact for our client. And then again, I was talking about the local Crothall resources being boots on the ground and having various other job duties. Again, that’s where my team comes into play. We go through the Asimily portal. We look at the patches that need to be applied [and] the other mitigating steps that Asimily recommends. We then reach out to those vendors. We verify if that patch has been validated by them. We verify that a step can be taken on that device or a port can be closed, and it won’t impact patient care. And so from there, we put together the plan of action for the local Crothall resource of what needs to be done. We detail it out. We schedule time with them and] walk them through everything. And then they are the ones that go to the device. They’re the ones that schedule the downtime. They take those mitigating steps. They apply those patches to that device, and they are the device expert. They’re in front of the device and they validate that it is safe to bring back into patient care,. They turn it back over to the department head. And then most importantly, they document everything that has been done on that device in our CMMS, which is the one source of truth of every action that’s been taken on that device. So having that record in the CMMS is key for success.
Thank you, Eddie. This was a great set of operational tactics that you aligned. And that aligns again with the strategy that Shankar and Jim mentioned.
So Jim, extending into this topic, you have a combination of strategy and tactics that are necessary to drive that governance and to drive those actionable results in health systems in this topic. How can we as vendors create champions who can better articulate the outcomes, as well as articulate the value that they’re getting out of managed service providers as well as the solutions?
I think just having simple conversations with your customers. I think as industry leaders, we need to first recognize the risk. I’m glad to hear Eddie talk about the fact that money doesn’t seem to be an issue like it was five years ago when you’re talking about a cybersecurity solution. I think finding a strategic partner like Crothall and Asimily to deliver proven ways to create a more secure environment and using [their] technology. We have incredible insight into our clients medical devices. So that if any device is vulnerable, we can quickly work to deploy mitigating measures including environment and device-specific recommendations for every device in that inventory and eliminate risk even if no patches available to us at the time.
I think, second, is to continue to improve your people. So train and improve the skill levels of not only your frontline biomed and imaging technicians but all employees because of it’s typically the simple things that also open the doors for cyber threat. We started with that baseline IT training about five years ago and it’s returned huge dividends where today we have a Security Operation Center and can quickly pick up the phone and have a broader conversation with the people in the folks on the field to triage and remediate vulnerabilities, and again, using the technology that Asimily has put into our facilities. I think lastly, it really is kind of the simple things. So while the security team that’s doing their thing, their job is to focus on the technology side of things, but, again, human error and ignorance about passwords and devices left unattended. Those sometimes happen at workplace cultures that don’t encourage employees to do the right thing when they’re managing the devices inside. And that’s not just medical devices, but all devices. I think it’s more important in the context of our current cybersecurity world that we do those things.
Thank you, Jim. And I think what you just mentioned about simplification… one of the acronyms have followed throughout my tenure in the industry is ‘Keep It Simple Silly’. When you look at the solution and the services provided, that’s literally what we do. We’re taking that overloaded information on vulnerabilities and risk [and] we’re simplifying it with all of the technical layers of analysis that Asimily is adding with prioritizing the likelihood, the impacts, and then all of the risks scores. And then, Eddie, with your team actually consolidating the data with the asset management, adding additional layers of prioritization, you’re giving that holistic picture to the end-user or the health system customer. And now they’re better enabled to articulate that information and the value-adds from this engagement. So thank you for that.
Shankar, summarizing everything that we have discussed so far. You’ve been in this space, you’ve built programs, you’ve run successful programs, as well as built dynamic technologies. We’ve talked about aligning strategically, as well as tactically, and not necessarily trending towards the collaborative efforts. Any other two or three insights that you can provide to health systems to achieve and ensure that long term success?
I think it’s a good question. I would say a couple of things health systems can do. The first thing is on a strategic level, health systems should think about not just where they are today, but where is it that they want their program to go? When I asked the health system, ‘where is it that you want your program to go in the next year or two years’, most health systems haven’t even thought about that. They don’t know what that even means to them. And they are like picking solutions. and they are picking vendors with no idea of whether this will this vendor or this partner will scale up as they try to improve our program. So like I mentioned, you start with collecting devices on the network, then you have to match it to the CMMS. And there is the Vulnerability Management piece that we spoke about. And then there is this entire Incident Response piece. And so when you look at the different elements that you have to do over the next two years or three years, you need a partner or you need partners who can effectively scale up with you and you can provide the value across the range of things you’re looking at. And that’s what Crothall and Asimily together we try to do. And look, we may not always be the right fit for every organization but if the organization asked the question, ‘What is it that I want to achieve in my three-year program’ they can better evaluate whether a partner is going to fit into that scheme that they want to be in as well. So that’s on a strategic level I think that’s a very key question to ask.
On a tactical level, I think you got to understand it from an efficiency perspective as well. One of the things we pride ourselves on at Asimily is bringing efficiency into the organizations we work with –helping them do their work faster and more efficiently. Everybody provides some amount of data. I think data is not the issue here. The question is how do you actually minimize the work that they have to do? How do you actually make sure that they can actually reduce your risk more efficiently? How do you get their inventory more efficiently? The efficiency that you bring into the organization is what the organization truly has to look at. And so on a tactical level, when there is a limited time where the number of threats are increasing and the threat surface is also increasing at the same time, efficiency and being able to do things faster and better is what organizations should also look at which many organizations completely ignore. They look at just how much data they’re getting. And that’s something at least Crtohall and Asimily together. We pride ourselves at. So I would say from a strategic and tactical perspective, there are areas that they need to look at both from a long-term horizon and efficiency, which will definitely make the program better and help them make the right decisions.
Great point, Shankar. To reiterate that Crothall and my team, the [Asimily] Customer Success team, we work closely [together]. We are doing regular cadences that help ramp up on those tactics. We do Quarterly Business Reviews that help measure how well those tactics are working out. And then we’re doing Executive Business Reviews where we can connect with the executives at these health systems to understand where their programs are at strategically, what their vision is, and how that aligns with the product roadmap and the service roadmap as well. So I think those are some great points. So thank you for addressing that.
All in all, a great discussion team. Jim, thank you. Eddi and Shankar, thanks for joining us today. I really appreciate your thought leadership and I look forward to the continued success and collaboration we achieve [together through the] Crothall Asimily partnership. And again, thanks for all of the insights you’ve shared and for our HTM as well as cybersecurity listeners. With that, have a great day and we’ll see you soon.
Reduce Vulnerabilities 10x Faster with Half the Resources
Find out how our innovative risk remediation platform can help keep your organization’s resources safe, users protected, and IoT and IoMT assets secure.