Cybersecurity and device integration unlock new opportunities for HTM collaboration

May 08, 2017
by Lauren Dubinsky, Senior Reporter
Eighty-eight percent of last year’s ransomware attacks were directed at the health care industry, according to a report by cybersecurity company NTT Security.

The FDA believes that the solution involves a collaborative effort among medical device manufacturers, hospitals, other health care facilities, health care IT technicians and biomedical engineers.

In a statement from June 2013, the agency recommended that steps be taken to assure safeguards are in place to reduce the risk of cyberattacks. In December 2016, the FDA released recommendations on managing post-market cybersecurity vulnerabilities for medical devices throughout the product life cycle.

But what role do biomedical engineers, also known as health technology management professionals, play in keeping these devices secure? And with everything else on their plate, do they have the time?

Tim Riehm, regional vice president for clinical technology management at Sodexo, who formerly ran the in-house biomedical engineering department at Banner Health, doesn’t think so. “For the vast majority, it’s not even a thought at the top of their head because they have too many other worries and things that they’re devoting their attention to like hospital projects and the lack of staff and resources,” he says.

Hospitals are often looking to cut costs, and one of the first areas they consider is labor. The University of New Mexico Health Sciences Center in Albuquerque announced in December that it had to eliminate more than 500 positions.

“The fact that they might need an extra body in the biomedical engineering department doesn’t mean they are going to get one, even if the work requires it,” says Riehm. “If they’re reducing nurse, physician, IT and finance head counts, they’re not going to give the biomedical department an extra body.”

Because of that, hospitals are looking to independent service organizations (ISOs) to help with device security. Sodexo offers its Electronic Protected Health Information (EPHI) program and suite, which helps to identify and mitigate device security challenges.

The program records the device’s information, including the type of platform it runs on, and then conducts an assessment to determine whether the device has low, medium or high vulnerability. Sodexo then works with the hospital IT department to put remediation plans in place for each device.

Renovo Solutions offers software called CE-IT Live that complies with the Association for the Advancement of Medical Instrumentation’s standard for the risk management of networked medical devices.

The software reviews the hospital’s medical device data systems and then implements safeguards to eliminate vulnerabilities or block threats that were found in the assessment phase.

It also addresses the source of the security risks, which fall into the people, equipment or environment categories. A series of administrative, technical and physical safeguards and controls are then put in place to mitigate those risks.

Hiring an ISO to handle cybersecurity is one option, but the other option is handing the responsibility to the IT department. John Rossetti, director of biomedical services at Nassau University Medical Center in East Meadow, New York, says that when the hospital purchases networked devices, they’re placed behind a firewall, which the IT technicians maintain.

Sharon P. Burnham, biomedical equipment technician at Matagorda Regional Medical Center in Bay City, Texas, says that the IT department monitors all of the desktops for any kind of breach. Her responsibility is to ensure that the patient central stations are in lockdown so they can’t be breached by operators.

“This does not protect a hospital 100 percent — nothing ever will,” says Riehm. “Since people can hack into our government, they can get into any system a hospital has. What we’re trying to do is reduce the vulnerability and risks associated with those devices and make it as difficult as possible for something to obtain that information.”

The merging of two departments
Device integration has created a new relationship between biomedical engineering and IT. Two departments that had nothing to do with each other in the past now must communicate on an almost daily basis.

Both Rossetti and Burnham are included in the IT department meetings at their hospitals. Rossetti recently had a meeting with the chief information officer to purchase new EKG machines because they have to be set up to be compatible with the electronic medical record (EMR).

Robert Harry, clinical engineering service site director at Feather River Hospital in Paradise, California, sent his engineers to formal training for network-based devices and systems.

“In the past, our responsibility was to make sure that our medical equipment was sending data to a central monitoring system through a gateway server, and then from then on it wasn’t our responsibility,” he says. “Things are changing now because we are taking over these gateways and our staff is being trained in health care IT so they can maintain and troubleshoot issues with servers.”

Harry has requested a test patient EMR so that his team can perform their own tests to see whether vitals and other information from the medical equipment are flowing into the EMR. He says the hospital is currently working on getting one.

His long-term goal is to have his own IT department within the biomedical engineering department, which is something Feather River Hospital has been working toward for the past five years.

“There is a severing of responsibility,” says Harry. “PACS is controlled completely by the IT department, but I think in the future it will be controlled by health care technology management.”

ISO perspective
“[Device integration] has opened up some new challenges and opportunities around the IT skill sets needed for our engineers,” says Sodexo’s Riehm. “It’s particularly an area where our staff probably doesn’t already have those skill sets, so we are looking at increasing our capacity and capabilities with IT integration.”

Renovo is taking the same approach by encouraging its biomedical engineers to become more cognizant of how IT systems work by training them in networking and other IT disciplines.

“In the past biomedical departments and IT departments never had a need to speak with each other, but now the two disciplines are coming much more closely together and the lines separating the two are much blurrier, if not completely gone,” says Sandy Morford, CEO of Renovo.

Just like the in-house biomedical engineering department, ISOs have to work hand in hand with the IT department at a client hospital. If the problem concerns the medical device or system, then the biomedical engineer takes care of it, but if there’s a communication breakdown between the device and EMR, they work together with IT.

“We don’t just turn it over to the IT department and tell them this is where their responsibility stops and where theirs starts,” says Morford. “It’s a joint responsibility, so together, as a team, we attack that problem.”

Greater access to training needed
Riehm hopes the outcome of the FDA docket on third-party servicing and refurbishment of medical devices will be greater access to OEM training for both in-house biomedical engineers and ISOs.

“It’s still very difficult in some instances to get the training or to get access to resources that you need to service systems as an in-house biomedical engineer, even down to service manuals and things like that,” he says.

In a formal response to the docket, Renovo stated that, “all third-party servicers would appreciate a level playing field in which the device manufacturers would make available at a reasonable cost all necessary repair parts, thorough repair documentation and ‘factory’ training.”

Riehm explains that it’s generally easy to get access to OEM training for general medical devices, but that OEMs are still very restrictive when it comes to imaging and specialty equipment.

“It is a challenge and it’s one where I would say even OEM to OEM they are doing themselves no favor,” he says. “If it opens up access to training and support and makes every biomedical engineer a better one, which obviously makes the equipment much safer, I think that would be a wonderful outcome.”