Connected medical devices provide health systems with multiple benefits, but these connected devices can also expose health systems to a host of cybersecurity-related risks.
To better understand these risks and how health systems can leverage clinical asset informatics to address vulnerabilities, Becker’s Hospital Review spoke with two leaders from TRIMEDX about the value of clinical asset informatics:
• Scott Trevino, senior vice president, product management and solutions
• Betsy Wormet, vice president of product marketing
The rise and risks of connected devices in health systems
Increasingly, many of the medical devices used by hospitals and alternate sites of care are connected medical devices. These include connected MRIs, X-ray machines, CT scanners, monitoring and lab equipment and more.
However, when medical devices are connected to the internet via the hospital’s network, vulnerabilities can be exploited by hackers, putting these devices and their data at risk. “If a health system experiences a data breach,” Ms. Wormet said, “the average cost to the health system is about $7.1 million.” She also said that health systems typically don’t even realize that their devices have vulnerabilities.“ It’s upwards of 228 days until the average health system even knows it has a vulnerability, and in some instances, this can stretch to over 300 days. If a breach does occur, a remediation can take another 80 to 100 days. You’re talking almost a full calendar year to identify a vulnerability and remediate it.1”
In this era of connected medical devices, health systems need better, faster ways to identify vulnerabilities and mitigate their data security risks.
How clinical asset informatics helps hospitals decrease their cybersecurity risk
Access to a clinical asset informatics platform increases inventory visibility, understanding what devices you have and where, and makes it is easier to monitor the usage of connected devices. This information can also help you monitor which equipment is underor overutilized, and to allocate resources more effectively. “Having this type of information allows us to help our clients make the best possible decisions about equipment,” Mr. Trevino said. Robust data on the medical device inventory coupled with real-time monitoring of connected devices make it possible to detect if maintenance is required before a problem arises.
TRIMEDX’s data-enabled clinical asset informatics platform provides health systems with complete visibility into all devices including what are connected and future connectable devices across the entire ecosystem. The process begins with an inventory of all devices on a network — including their make, model, location, operating system and more. “Most health systems do not know what’s currently on their network (connected) or what can potentially get on their network (connectable),” Mr. Trevino said, “so getting the profile of these devices is absolutely critical.”
By leveraging the latest technology, establishing an accurate medical device inventory provides the opportunity to continuously monitor these devices, see how they are behaving and perform objective risk assessments on devices to identify potential vulnerabilities. “We provide real-time monitoring to identify anomalous behavior and known vulnerabilities,” Ms. Wormet said.
This monitoring, Mr. Trevino explained, includes monitoring the device and the hospital network to detect anomalous device behavior. TRIMEDX also monitors activity “in the wild”, continuously scanning over 40 sources of vulnerability intelligence, to keep close track of industrywide security vulnerabilities. In addition, the company has a heavily trained, expert team that works closely with equipment manufacturers and hospital clients. This team supports their clients by quickly identifying cybersecurity vulnerabilities and performing remediation activities such as patch management or operating system upgrades.
“Every month, we see on average about eight new cyber vulnerabilities,” Ms. Wormet said. “Those eight cyber vulnerabilities result in over 4,000 associated monthly work orders.” She continued, “It starts a closed-loop process of exposing the vulnerability, identifying impacted devices, all the way through remediation.”
“If we can even cut down the amount of time to identify a vulnerability, if a breach were to occur, from about 228 days to 200 days, on average a hospital would save about $2 million,” Ms. Wormet said.
Additional benefits of clinical asset informatics
Increased cybersecurity is one critical benefit of a clinical asset informatics platform. The other two aspects are clinical engineering, and clinical asset lifecycle management.
• Clinical engineering is what has been traditionally viewed as medical device servicing. It involves preventive maintenance, unplanned repairs and servicing and all regulatory aspects that come with running a comprehensive health technology management program at a hospital.
• Clinical asset lifecycle management involves using data to optimize capital equipment investments and identify opportunities for improvement by deciding what new equipment to replace, upgrade, disposition or reallocate to an alternate site of care.
“We look at those three components — cybersecurity, clinical engineering, and lifecycle management — as being critical to strategically optimize your medical device inventory,” Ms. Wormet said. “Our clinical asset informatics platform is a sophisticated analytics and visualization tool for our clients to monitor their progress around [all three components].”
Through the TRIMEDX clinical asset informatics platform, clients realize the benefits of evidence-based insights and prescriptive analytics that guide them toward actions that reduce their organizational risk.
1Report. Cost of a Data Breach Report 2020, IBM, 2020, capita.com/ sites/g/files/nginej291/files/2020-08/Ponemon-Global-Cost-of-DataBreach-Study-2020.pdf