The last of the seven-part CHIME Medical Device Security Webinar series focused on building a business case for next-gen medical device solutions. In our wrap-up webinar, we delved into the featured topic with two special guests.
- Matt Dimino: VP of Operational Technology and Security at First Health Advisory. Mr. Dimino’s professional credentials include CEH, CISM, CISC, and HCISPP.
- Chuck Christian: With over 40 years of experience in healthcare IT, Mr. Christian is VP of Technology and CTO of Franciscan Health and a Life Fellow Member of both CHIME and HIMSS.
We began Episode 7 with Mr. Dimino briefly refreshing us on the unique challenges, risks, and threats associated with medical devices, and the burgeoning marketplace for cybersecurity tools to address them. The formidable obstacle in any major organizational initiative is often simply articulating a case compelling enough for executives and departmental management to decide upon an actionable plan. The perception that cybersecurity drains funds is among the foremost detriments to one’s case for next-gen security tools. Adding his insight to the discussion, Mr. Christian comments, “At a lot of the places I’ve seen over time, medical organizations look at security as an expense that can be avoided, and that they can ‘roll the dice’ and accept the risk.”
Successfully persuading budget-conscious decision-makers requires recharacterizing device security as an investment rather than an expense: one that builds value not only by avoiding costs in risk reserves and hedging, but also by recovering unrealized revenues through correcting operational inefficiencies.
Emphasizing integration capabilities is critical in building your case. Healthcare Delivery Organizations (HDOs) frequently have a patchwork of partial security solutions across varying departments. For instance, Healthcare Technology Management (HTM) or Biomed may have a Computerized Maintenance Management System (CMMS), IT manages a Configuration Management Database (CMDB), and the maintenance techs work out of a spreadsheet. With the right vendor, a Medical Device Security (MDS) or discovery and monitoring tool can be integrated into the existing enterprise architecture and constructed into a unified, streamlined system that fills the gaps of under-connected personnel and departments, enhances the utility of existing security tools, and provides a centralized hub of organizational intelligence and coordination. More often than not, implementing a complete next-gen solution is not a scorched-earth or start-from-scratch ordeal. Instead, it is identifying and inserting the missing piece of the medical device security puzzle.
Illustrating the numerous vectors from which returns on a security tool investment are expected is equally essential to its rationale. Mr. Christian and I examine some of the use cases Franciscan Health considered during the process of selecting an MDS tool. For example, workflow management reflects the potential for procedure data to reveal OT capacity configurations that optimize device utilization. Fleet management attempts to quantify how granular network visibility produces superior intelligence for capital planning and lease-or-buy decisions. The microsegmentation use case estimates the value of HTM and IT labor, which, in the absence of having to manually segment devices, can be assigned to other priorities.
A sincere thank you to all who attended this webinar series, the guests who contributed their invaluable expertise, and to CHIME for allowing me to design and host this series. All seven archived episodes of the Medical Device Security webinar series are available to stream for CHIME members or for purchase on store.ignitedigital.org.
For the last 4 years, Ty has been the CEO of Cyber Tygr, a company dedicated to improving and protecting the privacy, cybersecurity and compliance of our nation’s Health Industry by operationalizing advanced technologies. As a result of his intensive efforts in supporting the cybersecurity posture of healthcare medical devices and facility equipment, Nuvolo has brought him on board to spearhead their new Cyber OT module. Mr. Greenhalgh is an active member in several groups and associations, such as Healthcare and Public Health Sector Coordinating Council’s Joint Cybersecurity Workgroup, the Department of Health and Human Services 405(d) Workgroup and the Department of Commerce National Information and Telecommunications Agency.