Securing the Internet of Medical Things (IoMT) and connected devices poses ongoing challenges. Despite obstacles such as the disruption that in-depth scans can cause to devices and the risks of legacy software, Henry Ford Health’s Ali Youssef is hopeful due to increased manufacturer responsibility and FDA regulations. Upcoming discussions at the HIMSS Healthcare Cybersecurity Forum will address safeguarding connected hospitals. Experts from institutions like the Mayo Clinic will examine challenges in connected medical device development, deployment, and clinical integration. Youssef emphasizes collaboration between device manufacturers and healthcare organizations, underscoring the significance of clinician awareness and the need for regulatory advancements.
Securing the Internet of Medical Things (IoMT) and connected devices remains an ongoing and complex challenge. Despite hurdles such as devices that can be disrupted by deep scans and the risks associated with legacy software, the director of medical device and IoT security at Henry Ford Health expresses optimism due to increased responsibility from device manufacturers and new regulations set by the FDA.
At the HIMSS Healthcare Cybersecurity Forum in Boston next week, experts specializing in connected health, medical devices, the Internet of Things (IoT), and clinical engineering will convene to discuss “Safeguarding the Connected Hospital: IoT, IoMT, and OT.” Distinguished IT and information security leaders from institutions like the University of Pennsylvania, UVA Health, and Mayo Clinic will share insights on the persistent issues related to connected medical devices, including their development, deployment, and integration into clinical workflows.
The discussions will encompass the evolution of federal regulations, manufacturer responsibilities, and the role of healthcare providers in ensuring device safety. Ali Youssef, the director of medical device and IoT security at Henry Ford Health, is slated to participate in the panel discussion at HIMSS. We recently engaged in a conversation with him to gain his perspective on medical device security.
Q: Can you provide an overview of your IoMT and connected medical device program at Henry Ford Health? What are the program’s scope, deployed devices, and major challenges?
A: Our primary challenge involves understanding the distinct nature of these devices compared to standard IT assets and adopting a different approach to addressing them. While IT departments are adept at managing typical assets like servers and PCs, these methods don’t apply well to medical devices and IoT technologies.
Due to the sensitivity of these devices, invasive scans can interfere with their functionality. Unlike traditional IT assets, medical devices prioritize clinical efficacy and safety over security, a mindset that’s evolving. However, conducting invasive security scans could potentially disrupt a device’s core clinical operation.
Our initial step involved conducting a gap analysis, revealing the necessity for a dedicated medical device and IoT security management platform. This platform operates passively by capturing and analyzing traffic, avoiding invasive actions. Key aspects include inventory management, using a specialized tool for vulnerability detection, monitoring FDA recalls, and identifying abnormal traffic patterns. These measures are vital, as manual approaches are impractical given the volume of emerging vulnerabilities, often averaging around 50 per day.
Addressing emerging vulnerabilities and their relevance to our devices requires an automated solution. Our platform can determine the impact of a vulnerability and which devices are affected, enabling us to take immediate action. Such a tool is foundational in managing the security of these devices effectively.
Additionally, governance plays a critical role. Policies must be updated to reflect the unique nature of medical devices, particularly in terms of business continuity. Ensuring our staff understands how to respond if a device goes offline is vital. This extends to clinical engineering departments that historically focused on preventative maintenance but now require cross-training in IT and cybersecurity.
Q: What role do clinicians play in device security? How can they contribute to the overall security framework?
A: Clinicians have a significant role in device security, primarily through awareness and training. They need to recognize device malfunctions and have reporting mechanisms in place for such incidents. Furthermore, clinicians must understand the potential impacts of security issues on patient care and be prepared to adapt if necessary.
Electronic medical records (EMRs) are essential in this regard, but clinical teams should also be prepared to operate without them during cyber events. Incidents can disrupt electronic systems, requiring alternative protocols to ensure patient safety and care continuity.
Q: There’s been a push for manufacturers to enhance security features in their devices. Have you observed improvements in their response to this demand?
A: Manufacturers are making strides in improving security features, driven by increased FDA scrutiny and funding. However, some challenges remain. Legacy devices with long lifespans can continue to pose security risks, even with enhanced security practices during design and development.
While manufacturers play a vital role, the responsibility can’t be solely theirs. Health delivery organizations (HDOs) must also invest in mature medical device and IoT security programs, managing devices throughout their lifecycle. A partnership between manufacturers and HDOs is essential to ensure security across the board.
Q: What do you anticipate for the future in terms of regulations and emerging technologies?
A: A notable development I’m looking forward to is the Joint Commission mandating health delivery organizations to implement security programs for medical devices. Regulations should be more explicit in addressing cybersecurity concerns.
Looking ahead, I’m concerned about the unpredictability of AI algorithms once deployed. While manufacturers test scenarios, real-world situations can lead to unforeseen behaviors. Nevertheless, I’m optimistic about the progress being made, supported by initiatives from the White House and organizations like the FDA. Though the impact may take time, I believe the situation will improve over the next decade.