Episode Five of the seven-part CHIME Medical Device Security webinar series aired last week, with the featured topic of discussion being Operationalizing, Standardizing and Contextualizing. As the host of webinar series, I was joined by two senior executives at Nuvolo. Tony Bailey is the Director of Product Marketing for OT Security, and Dustin Smith is a Senior Solutions Consultant and formerly the Director of Central Support for Healthcare Technology Management at Intermountain Healthcare.

In the episode we delved into the security solutions for medical devices available to Health Delivery Organizations (HDOs), including what they do, why they are necessary, and potential integrations between them. As the guest speakers both represent Nuvolo, the OT Security module of their integrated workplace management system (IWMS), branded as the “Connected Workplace”, is used to demonstrate how device data is transformed into meaningful and actionable intelligence. Operational Technology (OT), as defined by Mr. Bailey, are non-IT assets in a medical facility that have the ability to connect to a network. This includes medical devices and facility and laboratory equipment. OT is distinguished from IT by being directly utilized in healthcare operations and is mission-critical to the organization, necessitating a heightened level of security. Traditional IT security tools are unable to provide the contextual data of a device’s operations, and a detected vulnerability or anomaly can consequently cause a communication schism between departments. Once discovered, IT personnel attempt to identify a remediation that does not disrupt operations or mishandle a device with Healthcare Technology Management (HTM) personnel, who as of then were unaware of any problem. An OT cybersecurity tool, as an extension of a computerized maintenance management system (CMMS), resolves this problem by providing a single inventory of devices, utilizing a common data model, and uniformly distributing remediation workflows to IT and HTM personnel.

Of course, an OT Security solution such as that offered by Nuvolo is only as effective as the quality of the incoming network and device data it relies upon to generate workflows and strategy. Mr. Bailey emphasized that integration with a passive monitoring and discovery tool is vital for optimizing the benefits of the OT Security module. For this reason, Nuvolo has partnered with providers of complementary systems such Ordr and simplified the integration process for a seamless and efficient implementation and operation of a combined cybersecurity solution.

Next, Mr. Smith demonstrated an integrated Nuvolo system. He presented an overview of the user interface, as well as its capabilities to automate policy-making and coordinate remediation responses among HTM, IT, and “boots-on-the-ground” technicians. Equally important is the tracking of vulnerabilities across device categories and manufacturers, identification of trends and correlations, and prioritization of remediation resources according to risk level and threat severity. One function of potentially overlooked importance is the detection of unknown devices through passive network scanning by the integrated monitoring and discovery tool. When these mystery devices not in the CMMS’s centralized inventory suddenly appear on the network, it can reveal valuable insights into operations and personnel activity occurring in the facility. For instance, a flurry of unknown devices could be short-term equipment rentals, indicating a re-evaluation of the in-house device fleet may be prudent, as a buy-or-rent analysis could reveal long-term cost savings in adjusting inventory levels. Alternatively, unknown devices may be the consequence of improper onboarding due to technician oversight or an unreliable asset onboarding process, or instead it may be a clinician using trial equipment without notifying HTM. Regardless of the cause, discovery of unknown devices can be a worthwhile prompt for further investigation, which is vastly simplified by the resources available through the Nuvolo dashboard.

Check back for Episode Six featuring Mayo Clinic and how they have leveraged Ordr and Nuvolo to create Next Gen Tools for Medical Device Cybersecurity.

If you missed an episode, you can view my recap here, or register for the entire series at https://store.ignitedigital.org/product?catalog=medical_device_security_webinar_series.

In episode three of the seven-part CHIME webinar series, Public-Private Partnerships to Secure Medical Devices, I am joined by five guest speakers representing three public-private initiatives addressing current issues in the healthcare ecosystem.

• Mike Powers, MBA: Representing the Legacy Devices task group within the Healthcare Sector Coordinating Council (HSCC) Joint Cybersecurity Working Group. Mr. Powers is a Clinical Engineering Director at Intermountain Healthcare and a member of the AAMI Healthcare Technology Leadership Committee.
• Samantha Jacques, PhD: Dr. Jacques is also from the HSCC Joint Cybersecurity Working Group and is the Vice President of Clinical Engineering at McLaren Health Care, vice-chair of the AAMI Healthcare Technology Leadership Council, and a fellow of the American College of Healthcare Executives.
• Alex Wolf: Another representative of the HSCC Joint Cybersecurity Working Group as the Model Contract Language task group leader, Mr. Wolf is a Cybersecurity Specialist at Cleveland Clinic.
• Jim Jacobson: From the National Telecommunications and Information Administration (NTIA) Software Component Transparency work group, Mr. Jacobson is the Chief Product and Solution Security Officer of Siemens Healthineers, and Mr. Amusan is a Principal Cybersecurity Analyst at Mayo Clinic.
• Tola Amusan, MBA: Mr. Amusan is a Principal Cybersecurity Analyst at Mayo Clinic and also a member of NTIA.

Our first topic was addressed by Mr. Powers and Dr. Jacques on their projects at the HSCC’s Legacy Device work group. Officially, legacy devices are defined by the International Medical Device Regulators Forum as simply those that cannot be protected against current cybersecurity threats. In contrast to this vague description, Dr. Jacques elaborated on how clinical engineers of Health Delivery Organizations (HDOs) alternatively define them as devices no longer supported by the manufacturer, necessitating reactive strategies like microsegmentation and network monitoring to keep them secure. The task group’s upcoming publication will provide guidance on the core practices, challenges, recommendations, and HDO and Medical Device Manufacturers (MDM) perspectives. One critical area of contention it aims to resolve is the difference between “end of life” and “end of support.” To an MDM, “end of life” may potentially be initiated to justify terminating post-sale technical support, instructional material, and/or patch availability to incentivize replacement. From an HDO perspective, an unsupported device may still function perfectly, and prematurely relegating it to end-of-life status is often infeasible or cost prohibitive. As Mr. Powers concisely summarizes the distinction, “It’s end-of-life when I push the ‘ON’ button and it doesn’t turn on.”

“It’s end-of-life when I push the ‘ON’ button and it doesn’t turn on.”

Mike Powers MBA, Clinical Engineering Director at Intermountain Healthcare

Next, Mr. Jacobson and Mr. Amusan presented their work on Software Bills of Materials (SBOMs) at the NTIA. An SBOM is the list of “ingredients,” or the individual components of which a device’s software is composed. Explained by Mr. Jacobson, the task group has been creating a proof-of-concept SBOM since 2018. Their goal is to provide standardized and automated formats for use by manufacturers. Mr. Amusan highlighted the various use cases of how HDOs may utilize SBOMs across Healthcare Technology Management (HTM) functions ranging from procurement, asset management, risk management, vulnerability and patch management, and device life-cycle management.

In the final segment of the webinar, Mr. Wolf presented an overview of the HSCC’s Model Contract Language task group. Its foremost objective is establishing shared cooperation between MDMs and HDOs in regard to security, compliance, management, operation, and security of MDM-managed medical devices. The task group has been working a contract template for organizations of any size, which simplifies cybersecurity requirements and expectations between parties, and aligns with existing standards like NIST and the FDA Post-Market Guidance. A point of particular emphasis in the delegation of compliance responsibility and liability between parties. Security breaches to devices are an inevitability, so clearly establishing the duties and obligations ensures the HDO and MDM are prepared to recover, and to prevent. To quote Mr. Wolf, “In the event that something goes wrong, both parties are aware of those expectations and have a good understanding how to work through those issues.”

Episode Four blog of the CHIME’s Medical Device Security webinar series is up next. If you missed any of the previous episodes, you can view my recap here, or register for the entire series at https://store.ignitedigital.org/product?catalog=medical_device_security_webinar_series.