Journey to TrustSafety Effectiveness and Security Programs

for Medical Devices and Systems

Scripps Health San Diego, CA

Scot Copeland, BSITSEC, MCP, Sec+

Medical IT Network Risk Manager

Framework for Achieving Trust

Adapted from Center for Medical

Interoperability (C4MI) 2015

Information Exchange and Use

SafeFreedom from

unacceptable risk of

harm / unintended

consequences

Effective

Clinical & Business

Functions /

Essential Performance

SecureConfidentiality,

Integrity

Availability &

Accountability

TRUSTAll Stakeholders

Health

Technology ManagementFramework of Policies, Processes,

Tooling and Guidance

Ne

two

rke

d C

lin

ical

Tec

hn

olo

gy

Man

ag

em

en

t M

atu

rity

Connectivity

Interoperability

Tooling to support design,

acquisition, configuration

and performance monitoring

Standards / guidance/

best practices

Hospitals / Care Providers

Wireless device and system vendors

Wireless infrastructure vendors

Government ( FCC/ FDA)

InfrastructureInte

rop

era

bilit

y

Matu

rity

Medical IT

network risk

management

Recognition of Medical Device

Security Needs

Early Adoption

• HIPAA = privacy and security

• Clinical System Specialists Role

• Security Patch Management

– “Infosec” PM’s

• Medical Device networking properties in CMMS

• Involvement with I.T. Change Management

• Ad Hoc risk reviews

– Infusion pump implementation

• risk from WEP encryption

• Secure disposal of devices capable of storing ePHI

2007 Internal Audit

2007 Internal Audit Findings

• Technical

• Medical Device/System security not addressed before installation

• Server Back-up Restore

• Security Patches/Updates

• Configuration/Hardening

• Access control/Privileges

• Physical Security

• IP Addresses not documented

• MDS2 not received

• Not all Medical Devices/Systems tracked in CMMS

• Organizational• C.I.A. related roles not documented in job descriptions• Business Associate Agreements not centralized• Those responsible for security were “silo’d” from other functions

Medical Device Information

Security Committee

• Members:

– Biomedical

Engineering

– Audit and Compliance

– Information Services

– Clinical Risk

Management

Medical Device Information

Security Committee

• Sub-committee of the Information Security Steering

Committee

• FY 2015 Objectives - Medical Devices and Systems

– Complete a Risk Assessment of Critical Medical Device Types

– Complete a Gap Analysis of Medical Device Policies and Standards

– Establish a vulnerability management strategy and priorities

– Ensure validated Medical Device OS updates and patches are up to

date

– Complete a Medical Device/System Firewall installation and

configuration

– Develop an ongoing education and awareness strategy for users

and maintainers of medical devices

Framework for Achieving Trust

Adapted from Center for Medical

Interoperability (C4MI) 2015

Information Exchange and Use

SafeFreedom from

unacceptable risk of

harm / unintended

consequences

Effective

Clinical & Business

Functions /

Essential Performance

SecureConfidentiality,

Integrity

Availability &

Accountability

TRUSTAll Stakeholders

Health

Technology ManagementFramework of Policies, Processes,

Tooling and Guidance

Ne

two

rke

d C

lin

ical

Tec

hn

olo

gy

Man

ag

em

en

t M

atu

rity

Connectivity

Interoperability

Tooling to support design,

acquisition, configuration

and performance monitoring

Standards / guidance/

best practices

Hospitals / Care Providers

Wireless device and system vendors

Wireless infrastructure vendors

Government ( FCC/ FDA)

InfrastructureInte

rop

era

bilit

y

Matu

rity

Medical IT

network risk

management

Implementation of

ISO/IEC 80001

• Introductory training

• Readiness assessment

• Interviews and questions for

key stakeholders

• Information services

• Audit and Compliance

• Clinical Risk

Management

• Biomedical Engineering

– 15 action items

• Build on practices

already in place

ISO/IEC 80001-2-7 Self-

assessment Process ModelRisk Management Processes:

ResponsibleOrganisation

Medical Device

Manufacturer

Providers ofOther IT

Technology

Risk Management Policy ProcessesRisk Management Policy

PLAN

Medical IT Network Risk Management Planning ProcessesMedical IT Network Planning Responsibility Agreements

Medical IT Network Documentation Organisational Risk Management

CHECK

M

Medical IT Network Risk Management Processes

Medical IT Network Risk ManagementRisk Analysis & EvaluationRisk Control Residual Risk

Change Release Management & Configuration ManagementChange Release & Configuration ManagementDecision on how to apply Risk Management

Go Live

Live Network Risk Management ProcessesMonitoring Event Management

DO ACT

Key Organizational

Improvements

• Medical I.T. Network Risk Manager Role

• Developed Job Description based on Safety Officer, Risk and

Project Managers

• Modified several existing policies regarding:

• I.T. Risk Management Program

• I.T. Project Approval and Management

• I.T. Change Management

• Information Security Program

• Information Technology Vendor Selection and Management

More Organizational

Improvements

• Involvement with I.T. Committees and functions:

• ITRM

• ISC

• Policy and Standards Committee

• I.T. Due Diligence (Capital Projects)

• I.T. Change Management

• Developed tools for operationalizing risk management processes

• People - advocates for Medical IT Network risk management

• Checklists

• Templates

• Risk Management Plans

• Risk register

Wireless Monitoring Risk Analysis

• Meeting to brainstorm hazards– Clinical users

– Clinical Risk Mangers

– Biomedical Engineering

– IT

• Assign severity, probability scores and calculate risk level

• What risks will be reduced or accepted?

• Ongoing monitoring of risk controls

Lessons Learned

Telemetry Monitoring System failures due to Cybersecurity Vulnerability scanning

• Over 200 patients on 5 systems unmonitored for 30 minutes, some over 3 hours

• Loss clinical monitoring and diagnostic data

• Near Miss Potentially reportable event

• Potential STEMI and TRAUMA Bypass/Community Healthcare Implications

• Disruption of patient throughput

• Clinical Staff turn to back-up procedures

• Patients not receiving routine care activities

Telemetry Monitoring System

failure:

What would 80001 Impact?

• Configuration management / know different

challenges with medical device technology

• Medical device vulnerabilities understood

• Medical I.T. Risk Manager would have an integral

role

• Broader organizational coordination (only IT /

vendor / info sec & audit / compliance were engaged)

Wireless Monitoring Failure due

to Network Upgrade activities

• Over 50 patients unmonitored or in local mode for 30 minutes, some over 4 hours

• Lost clinical monitoring and diagnostic data

• Near miss potentially reportable event,

• Potential STEMI and TRAUMA Bypass/Community Healthcare Implications

• Disruption of patient throughput

• Clinical Staff downtime procedures 4 pts/RN X 30’ to 3 hrs = 6-36 hrs lost patient care time.

oPatients not receiving routine care activities

Wireless Monitoring Failure due to

Network Upgrade activities

What would 80001 Impact?

• Configuration management – would have

understood what was live and what was not

• Medical I.T. Risk Manager would have an integral

role

• Medical I.T. Network Risk Management Plan would

have covered these activities / risks would have been

anticipated and properly addressed

Next Steps

• Hire Medical IT Network Risk Manager

• Risk Assessment on firewall installation for

medical device with published

administrative passwords

• Development of responsibility agreement

in consultation with key vendors

Thank you

Scot Copeland

Copeland.scot@scrippshealth.org