Continuing a theme that runs throughout the CHIME Medical Device Security webinar series, Episode 6 focused on why both a device monitoring and discovery tool (also called a medical device security, or MDS, tool) and a computerized maintenance management system (CMMS) are needed to adequately protect a clinical network from the serious threats that managers of critical infrastructure across countless industries now face.
Either tool on its own is only a partial solution, and a true next-gen technological approach is an integration of both into a unified system.
Mayo Clinic has been pioneering exactly such a solution in its HTM Cybersecurity Program. Today, I was joined by two pivotal members of HTM leadership at Mayo Clinic.
- Keith Whitby, MBA, CHTM, is the Healthcare Technology Management Section Head and has 20 years of IT and HTM service experience.
- Kurt Griggs, CRISC, CISA, MCSE, is a Senior Manager of HTM and has over 28 years of experience in IT and IS risk management and information security.
Previously in Episodes 4 and 5, we discussed Mayo’s selected vendors of both tools, Ordr and Nuvolo respectively. Today our discussion turned to the finer details of their integration in the live environment.
“A true next-gen technological approach is an integration of tools into a unified system”
Mr. Whitby started by summarizing the inherent risks of medical devices, which earlier episodes explored in depth:
- Dispersal of ePHI
- Low granular visibility amongst all IoT
- Inventory challenges
- Coordinating IT and HTM remediation responses
- Real-time incident identification
- Diverse hardware and software specifications
- Extended lifecycles of high-capital legacy devices
At the outset of Mayo’s journey to build a comprehensive solution to these problems, the first step was constructing a framework for the project’s objectives and guiding doctrine of security. Mr. Griggs elaborated on the influences of the Program’s foundational thesis, which includes the NIST Cybersecurity Framework, and the AAMI publications Medical Device Cybersecurity: A Guide for HTM Professionals and Technical Information Report 57: Principles for Medical Device Security – Risk Management.
Having completed MDS and CMMS vendor selection, installation in facilities, and integration into the overarching enterprise information system, Mayo entered the most exhaustive and prolonged phase of implementation: gradual refinement of the technology itself and of organizational processes and procedures through careful analysis of feedback and intelligence. A core concept of the Program is the Security Lifecycle Profiles (SLPs), defined by Mr. Griggs as “living profiles” of devices. Mayo committed to fully leveraging the capabilities of the solution from the start, and the fully automated, dynamic, real-time device records and analytics of SLPs are a testament to that steadfast persistence in recalibrating the system until its operational capabilities are completely optimized. For an investment of this scale, and for the scale of the risks it mitigates, it is essential that the HDO recognize the vast potential left unrealized by taking half-measures and making compromises. I feel that “Mayo is living the standards that have yet to be set.”
“Mayo is living the Medical Device Security standards that have yet to be set.”
Be sure to attend the conclusion of the 7-part CHIME Medical Device Security Webinar series, A Business Case for Next Gen Medical Device Solutions. If you missed an episode, you can view my recap here and register for the entire series.
For the last 4 years, Ty has been the CEO of Cyber Tygr, a company dedicated to improving and protecting the privacy, cybersecurity and compliance of our nation’s Health Industry by operationalizing advanced technologies. As a result of his intensive efforts in supporting the cybersecurity posture of healthcare medical devices and facility equipment, Nuvolo has brought him on board to spearhead their new Cyber OT module. Mr. Greenhalgh is an active member in several groups and associations, such as Healthcare and Public Health Sector Coordinating Council’s Joint Cybersecurity Workgroup, the Department of Health and Human Services 405(d) Workgroup and the Department of Commerce National Information and Telecommunications Agency.