Integrate IT with medical device management
More medical devices are becoming network enabled and joining the Internet of Things (IoT). Along with the numerous benefits, connected devices also bring increased risk to privacy, patient safety, availability and security. In particular, medical devices often contain protected health information (PHI), so the loss or corruption of that data can result in significant downtime or fines if a device is compromised. To counter these risks, healthcare delivery organizations (HDOs) must continue to integrate and manage their medical devices within the overall healthcare infrastructure and IT lifecycle.
There are many ways to approach managing connected medical devices, from IT infrastructure support and security and networking technologies to lifecycle process improvements. While no single solution addresses every issue, integrating a set of solutions and capabilities can address the core issues in several areas.
Inventory and discovery
Keeping track of your devices in the Internet of Medical Things (IoMT) requires more than just collecting the right device information. You must also understand what PHI is on the device, its function and utilization, and what other devices it “talks” to.
Several toolkits have been developed to identify and fingerprint IoT and IoMT devices. They sit on the network and perform deep packet inspection to identify device information, typically stripping out any PHI. Depending on the product, these solutions not only identify the device but may also be able to determine the risk profile of that device by analyzing utilization, network traffic and real-time data from existing inventories. If you combine these capabilities with systems that profile IT assets, track inventory and handle ticketing and repairs, you can get a better understanding of your overall healthcare environment.
Analysis and reporting
Original equipment manufacturers (OEMs) for medical devices are expected to publish information on general maintenance, patching and risk management. It can be a challenge for the HDO to then analyze the considerable amount of data about device risks, prioritize the information and conduct remediation planning.
An organization should be able to collect, organize and catalog the required information in a single dashboard. By using analytic capabilities, these devices can be ranked according to their risk across a spectrum of confidentiality, integrity, availability and patient safety. Appropriate remediation plans can then be defined for each device type.
Remediation and patching
How do you keep your devices up to date? While OEMs may issue guidance using their websites, patch advisories and Manufacturer Disclosure Statements for Medical Device Security (MDS2), they are sometimes behind schedule in providing appropriate patching, testing and guidance.
It’s critical that you understand what can be patched, how to patch it and how to test the patch. However, specialized skills are often required to patch and maintain most medical devices. By working with OEMs and third-party maintenance organizations for medical devices, your IT support teams can define the appropriate patch and remediation by device type. If a patch isn’t available, the HDO can leverage technical and compensating controls to reduce the device risk. By understanding the risk profile, the HDO can also determine if they need to push the OEMs through the appropriate channels to issue the patch.
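A worked illustration of the risk ranking described under Analysis and reporting and of the patch-or-compensating-control decision described above, added here and not IBM's or any OEM's tooling; the device inventory, the 1-to-3 scale and the weights are constructed assumptions:

```python
"""Rank IoMT devices by risk and pick a remediation plan per device type.
Added illustration, not IBM's or an OEM's tool; data and weights are constructed."""
from dataclasses import dataclass

# Weights per dimension (assumption): patient safety outranks the rest.
WEIGHTS = {"confidentiality": 1.0, "integrity": 1.5,
           "availability": 1.0, "patient_safety": 2.0}

@dataclass
class Device:
    device_type: str
    holds_phi: bool         # PHI stored on the device
    patient_facing: bool    # directly delivers or monitors patient care
    peers: int              # number of other systems it talks to
    critical_24x7: bool     # part of an always-on clinical workflow
    patch_available: bool   # OEM has published a tested patch

def risk_score(d: Device) -> float:
    """Weighted sum over the four dimensions the post names, each scored 1-3."""
    dims = {
        "confidentiality": 3 if d.holds_phi else 1,
        "integrity": 3 if d.peers >= 5 else 2 if d.peers >= 2 else 1,
        "availability": 3 if d.critical_24x7 else 1,
        "patient_safety": 3 if d.patient_facing else 1,
    }
    return sum(WEIGHTS[k] * v for k, v in dims.items())

def remediation(d: Device) -> str:
    """Patch when a tested patch exists; otherwise rely on compensating controls."""
    if d.patch_available:
        return "apply OEM patch after testing on a non-clinical unit"
    controls = ["place in a dedicated network segment",
                "NAC policy allowing only its known peers"]
    if d.holds_phi:
        controls.append("SIEM use case: alert on flows to hosts outside the peer list")
    return "no patch available: " + "; ".join(controls)

def rank(devices: list) -> list:
    # Highest risk first, so remediation planning starts at the top.
    return sorted(devices, key=risk_score, reverse=True)

# Constructed sample inventory (not real devices or measurements).
INVENTORY = [
    Device("badge reader", False, False, 1, False, True),
    Device("infusion pump", True, True, 2, True, False),
    Device("imaging workstation", True, False, 6, False, True),
]

if __name__ == "__main__":
    for d in rank(INVENTORY):
        print(f"{risk_score(d):5.1f}  {d.device_type:20s} {remediation(d)}")
```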
Networking and security
To attackers, connected medical devices are vulnerable entry points that can be compromised by malware. Increasing security around these devices is necessary, but easier said than done: the options for security and networking controls are broad and varied, and depending on how the technical and compensating controls are deployed, network access to your devices can become more complicated.
Understanding best practices around how to manage the broader healthcare infrastructure from a technology risk and IT lifecycle perspective will help you avoid key IT support issues. An architecture and roadmap for key technical and compensating controls around areas such as network segmentation, network access control, firewall and IDPS rules, and SIEM use cases should be developed to manage risks associated with IoMT and IoT devices.
Critical 24×7 systems such as electronic health records and the infrastructure that supports them must be maintained and serviced so they can run without interruption. However, managing the contractual relationships to fully support the number and variety of vendors associated with your connected technologies and medical devices can be an overwhelming and time-consuming task. Not having a good approach to address the lifecycle maintenance of all connected systems and IoT devices can expose your organization to availability issues, cyberattacks and possible data breaches.
Having a single point of contact for IT support and integrating with medical device maintenance can alleviate the burden on your internal IT support teams and drive cost savings due to increased efficiency and ROI optimization. Globally, IBM has the largest third-party IT maintenance services organization, which includes several multivendor support solutions to help organizations centralize and manage their vendors.
Simplify device management through lifecycle integration
To effectively address the challenges discussed in this post, the people, processes, and technologies need to come together in an integrated fashion across IT and the corresponding departments. Only then can each of these capabilities be used throughout the organization to simplify IoMT device management. The more progressive organizations have been working to integrate the following systems and technologies to ensure implementation of the appropriate technical and security controls:
- Inventory and discovery
- Analysis and reporting
- Patching and remediation
- Linkage to computerized maintenance management systems (CMMS) or ticketing and service management systems such as ServiceNow
- Network-oriented technologies such as microsegmentation and network access control (NAC), for example Cisco Identity Services Engine
- Security information and event management (SIEM) such as IBM QRadar
- Firewalls and intrusion detection and prevention systems (IDPS)
Recognizing that organizations will operate various applicable technologies in different ways, IBM is working to build a standardized approach and services to integrate these types of systems and capabilities so that the burden of managing connected devices is greatly reduced. Several OEMs and regulatory bodies are also taking active steps to address the patching and software security of IoT and IoMT devices.
While there is no silver bullet to any of these issues, a coordinated and orchestrated approach to managing the IT lifecycle of your connected devices can have enduring benefits. IBM welcomes the opportunity to work with HDOs, OEMs and technology organizations to improve the capabilities in this challenging space. Learn more about IBM Healthcare Technology Support Solutions.