Case Study: Team Approach for Medical Device Cybersecurity
Baptist Health Care's Phillips and Williams Describe 'Delicate Balance' Strategy
Effectively managing the cybersecurity of the thousands of medical devices in hospital settings takes a highly collaborative approach and a "delicate balance" between IT security leaders, biomedical staff and others, say Baptist Health Care's CISO, Thad Phillips, and the senior manager of the biomedical program, Tony Williams.
At Pensacola, Florida-based Baptist Health Care, the collaborative approach not only includes Baptist Health's IT security and biomed departments, but also involves input from the organization's legal, compliance and clinical teams, Phillips notes in an interview with Information Security Media Group.
Implementing a successful medical device cybersecurity approach starts from "the bare-bones basics," including the difficult, but vital, task of identifying all medical devices in the institution and knowing how many there are, he says.
"Our bigger discussion is life cycle management of all things, but in this case, medical device security," Phillips says.
"When you dig down into the process is when everything begins popping out. … You get the buckets [of device types] identified, and from there is when you can see what's happening in your environment and begin to tackle that."
Baptist Health is dealing with about 8,000 medical devices, including 2,000 network-connected devices at its several care facilities, Williams says in the same interview.
"Some are on a segregated network; some talk to the electronic medical records," he notes.
"The biggest challenge in biomed is gathering the data that Thad [IT security], legal and their teams require," he says. That's made more complicated because many on the biomedical team do not view a medical device as a computer with an operating system, Williams notes.
"And on the opposite side, IT security will see a medical device just as a computer … and the biomed team will say, 'It's a medical device - you can't just patch it because you'll break the device,'" he says.
"It's finding the delicate balance between the two spheres of medical device ownership … and making sure they work together," Williams says.
"First and foremost, [a medical device] is performing some kind of care or diagnostic test for a human being. … We generate revenue off it and make clinical decisions with it," he adds.
"So, we have to get the two teams playing together. Sometimes, patches or updates can interfere with the medical devices' functionality … and the end user doesn't know it's running Windows," he says.
"They just see that it's a mammography machine, for instance, and they don't want to mess with those settings, configurations and algorithms," Williams says.
All these and other complex considerations for different medical device types - including legacy gear with old operating systems - and the various risks presented by each can become very difficult challenges to navigate, Phillips notes.
"But knowing your inventory, identifying your pain points and starting your mitigation strategy on how to fix [cybersecurity risk concerns] will at least get you into the game," he says.
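As an added illustration of the inventory-and-bucketing step Phillips describes (this is example code written for this page, not Baptist Health Care's tooling or anything shown in the interview), the script below takes a constructed device list and groups it into risk tiers using the attributes the interview mentions: network connectivity, placement on a segregated network, a link to the electronic medical record, and a legacy operating system. The field names, the tier thresholds and the set of legacy OS versions are assumptions chosen for the example.

```python
"""Bucket a medical device inventory into risk tiers.

Added example, not a hospital's real tooling. Field names, tier thresholds
and the LEGACY_OS set are assumptions; SAMPLE is constructed data.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Device:
    asset_id: str                # inventory tag (constructed)
    kind: str                    # e.g. "infusion pump", "mammography"
    os: str                      # vendor-reported operating system
    networked: bool              # network interface in use
    segregated: bool             # sits on an isolated clinical network
    talks_to_emr: bool           # exchanges data with the EMR
    vendor_patch_supported: bool # vendor still supplies validated patches


# Operating systems treated as "legacy" for this example (assumption).
LEGACY_OS = {"Windows XP", "Windows 7", "Windows Server 2008"}


def risk_factors(d: Device) -> List[str]:
    """Return the named risk factors that apply to one device."""
    factors = []
    if d.os in LEGACY_OS:
        factors.append("legacy-os")
    if d.networked and not d.segregated:
        factors.append("flat-network")       # reachable from the general LAN
    if d.talks_to_emr:
        factors.append("emr-connected")      # clinical data path
    if d.networked and not d.vendor_patch_supported:
        factors.append("unpatchable")        # mitigation must be compensating
    return factors


def tier(d: Device) -> str:
    """Map the count of risk factors to a coarse tier (thresholds assumed)."""
    if not d.networked:
        return "offline"  # still inventoried, but no network exposure to manage
    n = len(risk_factors(d))
    if n >= 3:
        return "critical"
    if n == 2:
        return "high"
    if n == 1:
        return "medium"
    return "low"


def bucket(devices: List[Device]) -> Dict[str, List[str]]:
    """Group asset ids by tier: the 'buckets' a mitigation plan is built from."""
    buckets = defaultdict(list)
    for d in devices:
        buckets[tier(d)].append(d.asset_id)
    return dict(buckets)


def summary(devices: List[Device]) -> Dict[str, object]:
    """Headline counts: total inventory, network-connected, and per-tier sizes."""
    return {
        "total": len(devices),
        "networked": sum(1 for d in devices if d.networked),
        "by_tier": {t: len(ids) for t, ids in bucket(devices).items()},
    }


# Constructed sample inventory (no real assets).
SAMPLE = [
    Device("BH-0001", "infusion pump", "Windows XP", True, False, True, False),
    Device("BH-0002", "mammography", "Windows 10", True, True, True, True),
    Device("BH-0003", "patient monitor", "Embedded Linux", True, True, False, True),
    Device("BH-0004", "ultrasound cart", "Windows 7", True, False, False, True),
    Device("BH-0005", "centrifuge", "none", False, False, False, False),
]

if __name__ == "__main__":
    for t, ids in sorted(bucket(SAMPLE).items()):
        print(f"{t:9s} {ids}")
    print(summary(SAMPLE))
```

The point of the tiers is not the scoring itself but that each bucket maps to a different conversation: "critical" devices with no vendor patch path need compensating controls agreed between biomed and IT security, while "offline" devices still need to be counted so the inventory stays complete.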
In the interview, Phillips and Williams also discuss:
- Medical device vendor risk management concerns;
- Critical considerations for assessing and measuring medical device security risk;
- Advice for other healthcare entities.
Phillips has more than 20 years of experience in healthcare IT security. He is enterprise CISO at Baptist Health Care, which includes three hospitals, four medical parks, a behavioral health network and an institute for orthopedics and sports medicine. He is also an adjunct faculty member at Tulane University and the University of Alabama at Birmingham.
Williams, senior manager of the biomed program at Baptist Health Care, began his biomed career in the U.S. Air Force. He has over 30 years of experience in biomedical engineering, including work at several device firms such as GE Healthcare.