© Copyright AAMI 2017. Single user license only. Copying, networking, and distribution prohibited.
Horizons Fall 2017

Approaches to Cybersecurity

The Role of Healthcare Technology Management in Facilitating Medical Device Cybersecurity

Mike Busdicker and Priyanka Upendra

Abstract: This article discusses the role of healthcare technology management (HTM) in medical device cybersecurity and outlines concepts that are applicable to HTM professionals at a healthcare delivery organization or at an integrated delivery network, regardless of size. It provides direction for HTM professionals who are unfamiliar with the security aspects of managing healthcare technologies but are familiar with standards from The Joint Commission (TJC). It provides a useful set of recommendations, including relevant references for incorporating good security practices into HTM practice. Recommendations for policies, procedures, and processes referencing TJC standards are easily applicable to HTM departments with limited resources and to those with no resource concerns. The authors outline processes from their organization as well as best practices learned through information sharing at AAMI, National Health Information Sharing and Analysis Center (NH-ISAC), and Medical Device Innovation, Safety, and Security Consortium (MDISS) conferences and workshops.

About the Authors

Mike Busdicker, MBA, CHTM, is the system director of Clinical Engineering Support Services at Intermountain Healthcare in Midvale, UT.

Priyanka Upendra, BSBME, MSE, CHTM, is the compliance manager of Clinical Engineering Support Services at Intermountain Healthcare in Midvale, UT.

In May 2017, The Ponemon Institute shared the findings of a survey that showed only 15% of healthcare delivery organizations (HDOs) and 17% of medical device manufacturers (MDMs) were taking significant steps to prevent cyberattacks [1]. A majority of them responded that an attack is likely in the next year (Figure 1), yet only 22% of HDOs and 41% of MDMs have an incident response plan in place in the event of an attack on vulnerable medical devices [1]. This report surveyed 500 people who work actively in medical device security. Today, cyberattacks threaten to go beyond stealing confidential patient information. The situation has reached a point where patients and caregivers can be harmed.

Figure 1. Results from a Ponemon Institute survey asking device makers and healthcare delivery organizations (HDOs) how likely an attack on their medical devices is in the next 12 months. Source: reference 1.

May and June 2017 also saw worldwide cyberattacks by WannaCry and Petya ransomwares. These attacks targeted systems running on Windows operating systems. The WannaCry cryptoworm affected more than 300,000 systems across 150 countries by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency [2]. The Petya malware affected systems by encrypting the hard drive’s , preventing Windows from , and demanding payments in Bitcoin to regain access to the system [3].

According to the Food and Drug Administration (FDA), a medical device is “an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is:
• Recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them,
• Intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or
• Intended to affect the structure or any function of the body of man or other animals, and which does not achieve any of its primary intended purposes through chemical action within or on the body or other animals and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes.” [7]

In this article, a connected medical device is defined as any medical device that possesses HDO network or Internet connectivity, is connected to an external storage device or external media (e.g., USB, compact disc), or has any other cyber capability. Because the protection of local data is important for mobile medical devices, this article will also consider medical devices that can store data internally but are not connected to the HDO network or Internet. Common connected medical device types include:
• Diagnostic (e.g., blood analyzers, virus detection systems, immuno-assays, electrocardiographs, ultrasound systems)
• Monitoring (e.g., physiological monitors, weighing scales, ventilators, heart rate monitors)
• Therapeutic (e.g., infusion pumps, anesthesia units, pacemakers, dialysis units)

Healthcare technology management (HTM) departments in a HDO or integrated delivery network (IDN) face a daunting task of managing numerous service offerings (Figure 2). This includes [8]:
• Strategic planning of healthcare technology acquisition and replacement.
• Clinical consultation and education on the safe and effective use of healthcare technology.
• Effective maintenance of healthcare technology through in-house expertise and service contracts.
• Disaster preparedness and other issues that impact patient safety.
• Ensuring hospital compliance with accreditation surveys and other regulations.

Figure 2. The overlapping roles of the healthcare technology management (HTM) profession. Source: reference 8.

Sidebar: Healthcare Delivery Organization or Integrated Delivery Network?
• Healthcare delivery organization (HDO). A HDO is an organization, or a group of related organizations, that are involved with the delivery of healthcare services. A hospital is an example of an HDO, as are a group of physician practices acting in concert in an area [4].
• Integrated delivery network (IDN). According to the Advisory Board, an IDN “is a formal system of providers and sites of care that provides both healthcare services and a health insurance plan to patients in a defined geographic area. The functionalities included in an IDN vary, but can include acute care, long-term health, specialty clinics, primary care, and home care services—all supporting an owned health plan.” [5]
An IDN is a network of HDOs under a parent holding company that shares a vision and mission of improving the quality of care and patient satisfaction. This alignment positions IDN members to negotiate competitive payer contracts, physician relationships, and enhanced supplier relationships and to drive contract compliance for products and services by leveraging the combined influence and buying power of the entire group [6].


Operationalizing Cybersecurity in HTM

Environment of Care (EC) standards established by The Joint Commission (TJC) require HDOs to develop a plan to manage the risks associated with provisions of care, treatment, and services [9]. One such functional area concerns the use of medical devices for patient care. The standards established in this area promote a safe, functional, and supportive environment within a HDO so that quality and safety are preserved [9]. HTM departments and, in some cases, independent service organizations manage medical devices and the associated risks.

A large percentage of HTM departments inspect, maintain, and repair general biomedical equipment (e.g., infusion pumps, physiological monitors, weighing scales, ventilators, anesthesia units, electrocardiograms, electroencephalograms, warmers, incubators). Some HTM departments manage diagnostic and therapeutic imaging equipment (e.g., ultrasound systems, computed tomography scanners, magnetic resonance imaging systems, linear accelerators) through full or shared service agreements with MDMs or authorized service providers (ASPs). Laptops, computers, servers, and other information systems associated with the medical devices are also often managed by the MDM, ASP, or through a shared agreement among the MDM, ASP, and the organization’s information technology (IT) department.

HTM and IT departments operating within an HDO or IDN must lay a strong foundation for managing cybersecurity risks in the medical device ecosystem. The following actions are essential:
• Improve the processes pertaining to the identification and validation of medical devices used for patient care
• Improve the life cycle management procedures and processes used to review and manage cybersecurity risks
• Accurately inventory, categorize, classify, and remediate medical device cybersecurity risks
• Harden the cybersecurity of medical devices through identification and implementation of common cybersecurity controls
• Establish contractual arrangements that obligate vendors to deliver on their security, quality, and compliance commitments
• Maintain proper change control procedures throughout the system life cycle
• Build relationships with partners and members in the healthcare community to foster information sharing as related to medical device security

An effective approach to achieving these essential actions is enhancing the medical equipment management plan as established in EC.01.01.01 with cybersecurity concepts. The policies and procedures that support the HTM department should incorporate cybersecurity aspects throughout the life cycle of the medical device: during planning and procurement; inspection, inventory, and documentation; commissioning and acceptance; ongoing operation and monitoring of use; and performance, maintenance, and decommissioning. Effective life cycle management processes serve as a foundation to build cybersecurity risk management processes uniformly and holistically.


The Importance of Knowledge in a Changing Landscape

In the past, HTM professionals were not required to learn about cybersecurity or work in the information system security domain. That has changed in the past few years. HTM professionals are now asked to learn networking and cybersecurity concepts and to apply them when managing healthcare technologies. To keep up with this changing landscape, HTM leadership should make sure their staff are versed in networking and cybersecurity concepts. This includes working knowledge of the Health Insurance Portability and Accountability Act privacy and security rule [10], networks and servers, security controls from the National Institute of Standards and Technology (NIST), implementation of network segmentation, scanning of medical devices on the network, and so on.

Security concepts should be introduced to HTM professionals and clinical caregivers in the following policies, procedures, and processes:
• Medical equipment inventory policy. Gives a high-level view of the inventory process, documentation of equipment records in the computerized maintenance management system (CMMS), maintenance strategies for equipment regardless of its ownership, the collection and documentation of network information.
• Medical equipment inspection procedure. Describes the process for proper receipt and inspection of medical equipment prior to initial use. It also outlines the receipt of cybersecurity documentation and completion of a cybersecurity risk assessment before the initial use.
• Medical equipment maintenance procedure. Discusses when and how major inspection and preventive maintenance (IPM) on medical and participant equipment is performed and documented. This procedure also discusses the inclusion of cybersecurity controls in the IPM protocol based on the cybersecurity risk assessment, as mentioned in the medical equipment inspection procedure.
• Medical equipment disposition procedure. Explains how to properly dispose of medical equipment. This procedure also stresses the importance of media sanitization as outlined in NIST 800-88, Guidelines for Media Sanitization [11], and Department of Defense 5220.22-M, National Industrial Security Program Operating Manual [12].
• Alert recall policy. Discusses the timely removal, service, quarantine, or replacement of medical device products and supplies due to an FDA or manufacturer recall or alert. The same is followed for advisories that are posted on Industrial Control Systems Cyber Emergency Response Team or shared through National Health Information Sharing and Analysis Center alerts and Medical Device Innovation, Safety, and Security Consortium councils.

Effective Risk Management and Mitigation

For hospitals that use TJC accreditation for deemed status purposes, EC.02.04.01, EP2 provides guidance on managing risks associated with medical equipment. It is necessary to maintain a written inventory of all medical devices. As specified in EC.02.04.03, EP1, the hospital should perform safety, operational, and functional checks before initial use of the medical device. HTM departments should use this standard as an opportunity to modify their inventory policy and inspection procedure, train their technicians and engineers to document the IT- and network-related information in the CMMS, and perform checks to ensure adequate security controls are in place.

A basic course in cybersecurity is a good place to start. HTM professionals should familiarize themselves with IT’s service management and cybersecurity management processes. They should be familiar with the organizational structure within IT and the go-to people for medical device integration, biomedical-device interface support, cybersecurity, identity and access management, and the security operations center. If the organization lacks an on-site IT team, then HTM should still become familiar with whom they should work with on IT-related issues.

HTM professionals should be trained to obtain the IT/network information from the medical devices. This information should be documented in the CMMS:
• Underlying
• Network capability (wired or wireless; if wireless, include the type of wireless protocol)
• Software and firmware version levels
• MAC (media access control) address
• Host name
• Internet Protocol (IP) configuration
• IP address for medical devices that are not mobile
• Device-associated IT components or parts

Documenting this information increases HTM’s visibility and knowledge of the devices that are present in the health IT environment, helps in the assessment of cybersecurity risks, and helps bridge the gap among asset management, HTM, and IT. This information is useful to various teams within IT, who can use it when monitoring activity on the hospital network, communicating with outside IPs, scanning devices that are connected to the hospital network, and more.

EC.02.04.01, EP 3-7 and EC.02.04.03, EP 2-5 provide guidance on identifying risks, activities, and frequencies to maintain, inspect, and test medical devices in the environment of care. In addition to classifying the risk inclusion factor or asset criticality in the CMMS to be compliant with these standards, HTMs should include cybersecurity risk assessments when risk inclusion factor is evaluated. These cybersecurity risk assessments at a minimum should include evaluation of the MDS2 (Manufacturer Disclosure Statement for Medical Device Security) form. Quantitative and qualitative risk analyses should be performed to discover cybersecurity control gaps and to establish effective risk mitigation or management plans. These plans do not alter the manufacturer-recommended maintenance or testing activities; instead, they are in place to enhance the safety and quality of the medical device.

The risk mitigation or management plan should include five core activities:
1. Identification of the risks. Risks are identified by reviewing the cybersecurity documentation provided by the medical device manufacturer and the clinical caregiver who is using the healthcare technology for patient care. Many HDOs and IDNs use the Medical Device Risk Assessment Platform to perform risk assessment on connected medical devices. The scoring results from this assessment can be used for a deeper dive into the application and management of controls.


2. Application of common controls. Based on the risk assessment and scoring results, cybersecurity and HTM teams can work with the MDMs to apply common security controls as the medical device will support.
3. Identification of control gaps. The risk assessment will identify the control gaps. These must be documented and readily available for audit purposes.
4. Application of compensating controls. For medical device cybersecurity management, compensating controls need to be applied without causing problems in clinical workflow. Organizations need to look at alternatives if the controls are not supported and/or if they obstruct the device’s intended performance. Exception requests need to be documented according to the organization’s cybersecurity management processes. That way, the controls in the medical device are evaluated on a routine basis.
5. Management of residual and uncontrolled risks. This should be a continuous process throughout the life cycle of the medical device.

Using an “All Hands on Deck” Approach

HTM and IT teams should work with the entities externally (e.g., the MDM or ASP) and internally (e.g., supply chain, legal, clinical users, the business owner) to understand how the medical device is used in a patient care setting. A multidisciplinary approach allows HTM to evaluate all aspects that support safety, confidentiality, integrity, and availability of the medical device. This is also very useful when procurement decisions are being made and service agreements are being reviewed. If the organization decides to go ahead with purchasing a new medical device with inadequate security controls, these risk mitigation or management plans should be included as additional checks during a maintenance procedure (scheduled and unscheduled).

In accordance with FDA guidance released on Dec. 28, 2016, Postmarket Management of Cybersecurity in Medical Devices, medical device software, operating systems, and other components should receive cybersecurity updates and patches in a timely manner [13]. Appropriate patch management strategies should be discussed with the MDM or ASP, included as part of maintenance procedures, and be a part of the service contract if the device is being serviced by the MDM or ASP. In addition, HTM and IT should plan a strategy with the MDM if a medical device is no longer supported or has been depreciated by the MDM or the creator of the device’s software.

EC.02.04.01, EP 9 mandates that hospitals maintain written procedures to follow when medical equipment fails. In addition to aspects of clinical interventions and availability of backup equipment, HTM teams should develop an incident response plan in the event of a cyberattack on vulnerable medical devices in their inventory. The information systems department in a HDO or IDN must have an information systems security incident response procedure as required in 45 Code of Federal Regulations 164.308, Administrative Safeguards [14]. This procedure outlines how the HDO or IDN responds to and tracks information security incidents appropriately and consistently to mitigate harm and minimize future incidents. HTM professionals need to train with information systems security personnel and also participate in table-top exercises. This will allow HTM teams to be ready during such an incident.

Medical device security plays a critical role during equipment planning. HTM and IT should be included during capital acquisition or capital review discussions. Devices running software that is no longer supported or used should be upgraded prior to the official end of support of the software component. If the medical device cannot be patched or updated to remediate a known security vulnerability, HTM and IT should collect appropriate documentation from the MDM. Legal, IT, and compliance departments should review these instances and assess the potential risks. The document from the MDM should state the reasons why the patch or update would invalidate the FDA approval(s) or cause patient safety concerns. This information should then be recorded in the CMMS. This document must be readily available when reviewing exception requests and during equipment replacement planning.

Protecting Data When Disposing of a Device

Effective disposal of medical devices ensures that patient data collected during the device’s life cycle remains confidential. This includes securely wiping or destroying residual data on the medical device prior to discarding, selling, or otherwise relinquishing physical control of the device. Appropriate methods to sanitize the data should be outlined in a medical device disposition or decommissioning policy. This may include physical destruction of any components that can store data or use of secure wipe techniques described in NIST 800-88 [11] or DOD 5220.22M [12]. HTM is responsible for collecting this documentation and recording it in the CMMS. This applies even when devices are being transferred and moved between facilities and in and out of them for service operations at the MDM or ASP site.

All records of security controls, patch updates, and data destruction should be recorded for audit purposes. The appropriate length of log retention is defined in the medical device disposition or decommissioning policy. Logs must be kept and should contain the following, at a minimum:
• Medical device asset identifier
• Date of secure wipe
• Name of technician or engineer (or MDM or ASP) performing the data destruction
• Reason for data destruction
• Method of data destruction
• Outcome of data destruction and/or the disposition process

The WannaCry and Petya ransomware attacks, among others, have increased attention for ensuring that connected medical devices are secure. With the advances in technology and advent of electronic health records (EHRs), medical devices no longer exist in a vacuum. Increased EHR adoption by providers, a need for integration, and connectivity tools to improve clinical workflow, patient care solutions, and overall hospital operations will continue to drive rapid growth in the connected medical device market. Going forward, the call will only get louder for HDOs and MDMs to upgrade their health IT infrastructure and improve their design and development methodologies. HTM will play a critical role in this cybersecurity future.

References

1. Ponemon Institute. Medical Device Security: An Industry Under Attack and Unprepared to Defend. Available at: www.synopsys.com/content/dam/synopsys/sig-assets/reports/medical-device-security-ponemon-synopsys.pdf. Accessed Sept. 28, 2017.

2. Larson S. Why Hospitals Are So Vulnerable to Ransomware Attacks. Available at: http://money.cnn.com/2017/05/16/technology/hospitals-vulnerable-wannacry-ransomware/index.html. Accessed Sept. 28, 2017.

3. Kaspersky Lab Daily. New Petya/NotPetya/ExPetr Ransomware Outbreak. Available at: www.kaspersky.com/blog/new-ransomware-epidemics/17314. Accessed Sept. 28, 2017.

4. KEMP Application Delivery. Health Delivery Organization (HDO). Available at: https://kemptechnologies.com/glossary/health-delivery-organization-hdo. Accessed Sept. 28, 2017.

5. Advisory Board. Post-Acute Care Cheat Sheet: Integrated Delivery Networks. Available at: www.advisory.com/research/post-acute-care-collaborative/members/resources/cheat-sheets/integrated-delivery-networks. Accessed Sept. 28, 2017.

6. Healthcare Market. Why is the Integrated Delivery Network one of your keys to success in Healthcare? Available at: www.paho.org/blz/index.php?option=com_docman&view=download&alias=206-why-is-integrated-delivery-networks-a-success&category_slug=technical-documentation&Itemid=250. Accessed Sept. 28, 2017.

7. Food and Drug Administration. What Is A Medical Device? December 28, 2015. Available at: www.fda.gov/aboutfda/transparency/basics/ucm211822.htm

8. Association for the Advancement of Medical Instrumentation. HTM: A Critical Role in Healthcare Delivery. Available at: http://s3.amazonaws.com/rdcms-aami/files/production/public/FileDownloads/HTM/AAMI_HTM_GENERAL_low.pdf. Accessed Sept. 28, 2017.

9. The Joint Commission. Comprehensive Accreditation Manual for Hospitals: Environment of Care. January 2017. Available at: www.jcrinc.com/2017-comprehensive-accreditation-manuals/2017-comprehensive-accreditation-manual-for-hospitals-camh-. Accessed Sept. 28, 2017.

10. Department of Health & Human Services. The Security Rule. Available at: www.hhs.gov/hipaa/for-professionals/security/index.html. Accessed Sept. 28, 2017.

11. NIST 800-88. Guidelines for Media Sanitization. Gaithersburg, MD: National Institute of Standards and Technology; 2006.

12. DOD 5220.22M. National Industrial Security Program Operating Manual. Washington, DC: Department of Defense; 2006.

13. Department of Health & Human Services. Postmarket Management of Cybersecurity in Medical Devices. Silver Spring, MD: Food and Drug Administration; 2016.

14. Department of Health & Human Services. 45 CFR 164.308. Available at: www.gpo.gov/fdsys/pkg/CFR-2009-title45-vol1/pdf/CFR-2009-title45-vol1-sec164-308.pdf. Accessed Sept. 28, 2017.
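
Added example (not from the article or from any CMMS product): a Python audit of CMMS records against the IT/network fields listed under "Effective Risk Management and Mitigation" and of data-destruction logs against the fields listed under "Protecting Data When Disposing of a Device". All field names, status values, and sample records are assumptions constructed for illustration.

```python
import ipaddress
import re
from datetime import date

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")
LOG_FIELDS = ("asset_id", "wipe_date", "performed_by", "reason", "method", "outcome")
LEAVING = {"disposed", "transferred", "offsite_service"}  # assumed status values

def _blank(value):
    return value is None or str(value).strip() == ""

def audit_device(rec):
    """Return gaps in one CMMS record's IT/network documentation."""
    gaps = []
    net = (rec.get("network_capability") or "").lower()
    if net not in {"wired", "wireless", "none"}:
        gaps.append("network_capability missing or invalid")
    if net == "wireless" and _blank(rec.get("wireless_protocol")):
        gaps.append("wireless device without wireless protocol type")
    networked = net in {"wired", "wireless"}
    required = ["software_version", "firmware_version"]
    if networked:
        required += ["host_name", "ip_configuration"]
    gaps += [f"{f} missing" for f in required if _blank(rec.get(f))]
    if networked and not MAC_RE.match(rec.get("mac_address") or ""):
        gaps.append("mac_address missing or malformed")
    # An IP address is expected only for devices that are not mobile.
    if networked and not rec.get("mobile"):
        try:
            ipaddress.ip_address(rec.get("ip_address") or "")
        except ValueError:
            gaps.append("non-mobile device without a valid ip_address")
    if rec.get("it_components") is None:
        gaps.append("device-associated IT components not documented")
    return gaps

def audit_disposal(devices, logs):
    """Map asset_id -> gaps for devices that left the site without a complete log."""
    by_asset = {}
    for entry in logs:
        by_asset.setdefault(entry.get("asset_id"), []).append(entry)
    findings = {}
    for dev in devices:
        if dev.get("status") not in LEAVING:
            continue
        entries = by_asset.get(dev["asset_id"], [])
        gaps = [] if entries else ["no data-destruction log entry"]
        for entry in entries:
            gaps += [f"log field {f} missing" for f in LOG_FIELDS if _blank(entry.get(f))]
            if not _blank(entry.get("wipe_date")):
                try:
                    date.fromisoformat(str(entry["wipe_date"]))
                except ValueError:
                    gaps.append("wipe_date is not an ISO date")
        if gaps:
            findings[dev["asset_id"]] = gaps
    return findings

# Constructed sample data (not real devices).
GOOD = {"asset_id": "CE-0001", "status": "in_service", "network_capability": "wired",
        "software_version": "4.2", "firmware_version": "1.0.7",
        "mac_address": "00:1B:44:11:3A:B7", "host_name": "pump-icu-01",
        "ip_configuration": "static", "ip_address": "10.20.30.41", "mobile": False,
        "it_components": ["docking station"]}
DEVICES = [
    GOOD,
    {**GOOD, "asset_id": "CE-0002", "network_capability": "wireless",
     "wireless_protocol": "", "firmware_version": "", "mac_address": "00-1B-44-11-3A",
     "mobile": True},
    {"asset_id": "CE-0003", "status": "disposed"},
    {"asset_id": "CE-0004", "status": "offsite_service"},
]
LOGS = [{"asset_id": "CE-0004", "wipe_date": "2017-09-28", "performed_by": "HTM technician",
         "reason": "sent to ASP for repair", "method": "", "outcome": "verified"}]

if __name__ == "__main__":
    print({d["asset_id"]: audit_device(d) for d in DEVICES[:2]})
    print(audit_disposal(DEVICES, LOGS))
```

Run against an export of real CMMS records, the same checks show which devices IT cannot yet identify on the network and which departed devices lack sanitization evidence for audit.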
