As the ‘headlights’ of the organization, supply chain can play a role in protecting patients and healthcare facilities.
Matthew Werder puts it this way: “You are no longer buying a ‘toaster’ when it comes to medical devices and clinical equipment. Rather, you are buying into a complex technology ecosystem. Medical devices are no longer merely plugged in to be operational; they are now integrated into a complex technology web, interfaced with an EMR, accessible by mobile devices, and engineered to receive remote vendor support.”
It turns out that very strength is also a weakness: every one of those connections is a path that cybercriminals can use.
Werder served as director of supply chain management and contracting at Hennepin Healthcare, which operates Hennepin County Medical Center, a Level 1 trauma and academic medical center in Minneapolis, Minnesota, prior to being named chief technology officer in November 2013.
His point is that the standalone medical device is becoming a rarity. Today’s imaging equipment, vital signs monitor, ventilator or chemistry analyzer – not to mention the smartphone, laptop, tablet or desktop PC of everybody in your facility – is more likely than not to be connected to a network or to the internet. As such, each is exposed to cybercriminals, to opportunists, and even to those who want to physically harm patients.
In January 2017, for example, the U.S. Food and Drug Administration issued a Safety Communication regarding the St. Jude Medical (now Abbott) radio-frequency-enabled implantable cardiac device and Merlin@home transmitter. “If exploited, [the vulnerabilities] could allow an unauthorized user, i.e., someone other than the patient’s physician, to remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home transmitter,” said the FDA.
The WannaCry ransomware attack in May 2017 crippled hundreds of thousands of computers in 150 countries in one day – many running Windows versions that had not received Microsoft’s March 2017 MS17-010 patch for the SMBv1 flaw it exploited, including the unsupported Windows XP – and almost shut down the National Health Service in the United Kingdom. In June, a Petya malware variant – referred to as NotPetya – infected organizations in several sectors, including finance, transportation, energy, commercial facilities and healthcare.
As the “headlights” of the health system when it comes to acquiring devices and equipment, supply chain can play a role in helping protect the health system from cyberattacks, says Werder. But they don’t have to do it alone. Rather, they can – and must – work with clinicians, IT, biomed, even legal, to do so.
The Journal of Healthcare Contracting: How and why did you make the jump from supply chain to technology?
Matthew Werder: Four years ago, Hennepin County Medical Center was restructuring its IT and analytics functions. Our organization is committed to being a data-driven healthcare system. To facilitate the vision, we combined the IT/EMR and analytics function under a chief analytics officer and installed a chief technology officer – someone who was knowledgeable, first and foremost, about the business of healthcare, and who could develop close working relationships with others, such as information technology.
It has been a steep learning curve, but I have come to the conclusion that IT and supply chain are virtually siblings. Many of the issues I faced in supply chain also exist in IT. Many times our biggest challenges aren’t technical, but rather, a result of a misunderstanding in a complex system. And supply chain and IT both rely heavily on people and vendor partners to get our jobs done.
JHC: What is the healthcare IT professional’s worst cybersecurity-related nightmare?
Werder: Human error and the uninformed user, as well as the failure to respond quickly or appropriately to an incident. We have seen that the smallest and simplest things can lead to large data breaches. A simple delay, error, or slowness to respond can result in a crisis.
JHC: When it comes to cybersecurity, which is the weaker link – medical devices themselves, or the network to which they are connected?
Werder: It’s both. Some vulnerabilities reside within the device itself, some in the networks in which they operate. The problem is how we’ve evolved. Many medical devices were never intended to be connected to an EMR, to other applications or databases, to the internet. Connectivity, and its security implications, were rarely in the initial designs.
It’s an industry dilemma; there’s no panacea. The weakest link in the healthcare IT ecosystem makes our entire system vulnerable.
JHC: How does a user recognize that an incident has, indeed, occurred?
Werder: A lot of it is learned behavior and awareness. Someone gets an email (the most common vector by which we get attacked) and clicks on a link or opens a file. At Hennepin Healthcare, as at many health facilities, staff can forward suspicious or questionable emails to our phishing email inbox. Our security team assesses the email, determines if a threat exists, and responds. Certainly the user should question anything that shows up on their screen that they did not expect.
JHC: How can healthcare facilities start to address cybersecurity?
Werder: Through planning and education, organizations can begin to identify and understand their own vulnerabilities and risk tolerances. Too often, we hope for the best and prepare for the worst. But the approach to protecting the organization has to be more methodical, and not a witch hunt. We must be both reactive and proactive; focus on the basics and build on your successes. When bad things happen, learn from them. Assess and determine if additional protections are necessary or if there’s a breakdown in processes.
At the top of the NIST Cybersecurity Framework are five basic functions of cybersecurity activities: 1) Identify the risks in your organization; 2) implement protective measures, including training; 3) detect anomalies and events; 4) develop a response plan; and 5) develop a recovery plan.
JHC: It has been said that providers should inventory all devices/equipment vulnerable to cybercrime, noting their software versions, network settings and networks to which they are connected. What do you think?
Werder: Absolutely. At Hennepin Healthcare, we are planning to integrate our medical devices inventory into our IT asset management system, alongside our PCs, software, servers, and network equipment. Our clinical equipment management system meets the standards of Joint Commission, yet it still lacks the depth of information we need to better understand the equipment and its relationship within our technology ecosystem.
JHC: How can supply chain help protect against cybercriminals?
Werder: When supply chain processes a request for any type of equipment/device and software, they need to ask, “Does this device involve software and does it connect to our network?” If so, they should get IT involved. And if hospital staff uses P-Cards to purchase software or equipment, the facility should have appropriate controls in place to vet those purchases.
Our information security architect, Dustin Meadows, adds this advice for supply chain executives: “Education, education, education. Get involved. Sign up for the IAmTheCavalry (www.iamthecavalry.org) mailings. Ask questions. Challenge the norms. Think like a bad guy, or know a bad guy and ask him/her how he/she would think. Any security guy who feels he’s too good to answer a question about security is not a security guy, period. That’s the sentiment the security community lives by.”
Supply chain also should consider incorporating these discussions into the value analysis process for new supplies/devices moving forward.
Maintaining an accurate inventory of all the PCs in the facility – from “birth to death” – is important. And when a shipment of PCs is received, supply chain needs to validate that those PCs are, in fact, what were ordered. Supply chain also needs to make sure they are delivered to a secure location.
JHC: Can you offer any examples of contract provisions or language that supply chain should routinely include in contracts?
Werder: Supply chain should insist that the vendor agree to keep its systems and software current, and that it will follow industry standards and best practices when providing security patches and other types of updates. Ensure they understand the FDA’s stance on patching networked medical devices (https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm189111.htm).
Limited liability insurance will ensure that the vendor shares the responsibility in the event of a cyberattack or data breach.
JHC: I have seen the term “Manufacturer Disclosure Statement for Medical Device Security,” referring to a document issued by the medical device manufacturer to address the cyber-risks associated with its device(s). Can you explain the MDS2?
Werder: The MDS2 form provides medical device manufacturers with a means for disclosing to healthcare providers the security-related features of the medical devices they manufacture. It can be used as a tool in an organization’s risk assessment process by providing healthcare entities with the information they need to assess the vulnerabilities and risks associated with protecting the health information created, received, transmitted or maintained by medical devices. The MDS2 form was originally developed by the Healthcare Information and Management Systems Society and the American College of Clinical Engineering (ACCE), and then standardized through a joint effort between HIMSS and the National Electrical Manufacturers Association.
JHC: For what types of equipment or devices should providers insist on getting an MDS2 form?
Werder: This is still new, and we haven’t arrived at a routine process yet. But for now, I would make sure to get an MDS2 form for equipment the Joint Commission would consider critical to the support of life. Should we get a form for an oral temperature probe? Maybe not. But for an anesthesia machine, defibrillator or ventilator? Yes. Next, get an MDS2 form for anything that is going to be connected to the electronic medical record or any other clinical application that is continually used in the delivery of care.
JHC: Who should be responsible for reviewing the MDS2 forms, to ensure they are complete? Should supply chain get involved? And if so, in what capacity?
Werder: Again, we’re in a new era here. The convergence of technology, data and medical equipment is bringing together some groups that traditionally had a transactional relationship only. But today, an ongoing relationship is imperative. So, supply chain, clinical engineering, IT, the compliance team, privacy officer, even legal counsel should be involved. In time, we’ll figure out who has the ownership in this. But for now, supply chain is in the front seat in terms of collecting the information and disseminating it to shareholders.
JHC: In its report, 2017 Cyber Healthcare & Life Sciences Survey the advisory firm KPMG LLP says, “For every step forward organizations take, cyber-criminals are progressing right alongside them with ever more aggressive means of system infiltration and data theft.” Sounds hopeless. Is it?
Werder: It can feel that way at times. But thanks to the work of groups like IAmTheCavalry, and folks like [cybersecurity experts] Barnaby Jack, Jay Radcliffe and Billy Rios, awareness and research into medical device security is becoming more mainstream. Organizations are continuously and diligently implementing solutions that minimize our greatest risks and threats. No budget can completely mitigate or dissolve all cybersecurity risks; we are all human. What we can do is educate employees and partners, ensure good technology hygiene, master the basics of information security, and implement tools and policies that maximize the greatest benefit.
The National Health Information Sharing & Analysis Center, or NH-ISAC (https://nhisac.org) offers non-profit and for-profit healthcare stakeholders a community and forum for sharing cyber and physical security threat indicators, best practices and mitigation strategies. Members include private and public hospitals, ambulatory providers, health insurance payers, pharmaceutical/biotech manufacturers, laboratory, diagnostic, medical device manufacturers, medical schools and medical R&D organizations.
The Medical Device Innovation, Safety & Security Consortium, or MDISS (https://www.mdiss.org) is a 501(c)3 non-profit public health and patient safety organization focused on medical device cybersecurity. MDISS helps member organizations develop practical technologies, practices and policy solutions for making devices safer and more secure.
Center for Internet Security, or CIS, (https://www.cisecurity.org) is a non-profit entity whose mission is to harness the power of a global IT community to safeguard private and public organizations against cyber threats. Its CIS Controls and CIS Benchmarks are continuously refined and verified by a volunteer, global community of experienced IT professionals. CIS is home to the Multi-State Information Sharing and Analysis Center® (MS-ISAC®).
I Am The Cavalry (www.iamthecavalry.org) is a grassroots organization that is focused on areas where computer security intersects public safety and human life. It focuses on four areas: medical devices, automobiles, home electronics and public infrastructure.
Supply chain meets cybersecurity
Following passage of the Cybersecurity Act of 2015 in December 2015, a 21-member task force developed recommendations on cyberattacks targeting healthcare. One of the task force’s “imperatives” is the following: “Increase the security and resilience of medical devices and health IT.” A few recommendations within that imperative hit supply chain close to home. Some examples:
- Know what you have. Health delivery organizations should: 1) inventory their clinical environments and document unsupported operating systems, devices, and EHR systems; 2) replace or upgrade systems with supported alternatives that have superior security controls where possible; 3) develop and document retirement timelines where devices cannot yet be replaced; and 4) leverage segmentation, isolation, hardening, and other compensating risk reduction strategies for the remainder of their use.
- Insist on real-time updates and patches. For devices that still receive support from the device manufacturer and/or application vendor, providers should insist on real-time updates and patches (e.g., to the operating system), as well as make compensating controls available to end users. Organizations should also have a policy/plan in place to be able to receive and implement available updates.
- Get rid of your clunkers. Government and industry should develop incentives to phase out legacy and insecure healthcare technologies. (Remember “Cash for clunkers?”)
- Get a “bill of materials.” Transparency regarding third-party software components is a must. Technology vendors should include a “bill of materials,” so providers can understand what they have on their systems before determining whether these technologies are impacted by a given threat or vulnerability.
- Don’t just ditch it. Manufacturers should provide documentation on secure preparation for recycling and disposal of medical devices. Ideally these instructions would include how to scrub any personally identifiable information, personal health information, or other site-specific, sensitive data.
- Use better passwords. Providers should adopt strong authentication procedures to improve identity and access management for healthcare workers, patients, and medical devices/EHRs. Clinicians in a hospital setting typically access multiple computers and digital devices (up to 70 times per shift), gaining access through personal passwords. But this widely used, single-factor approach is particularly prone to cyberattack, as such passwords can be weak or stolen, and are vulnerable to phishing, malware, and social engineering. The National Institute of Standards and Technology (NIST) suggests alternatives to the use of passwords for user authentication, including items in the user’s possession (e.g., a proximity card or token) or biometrics.
Source: Health Care Industry Cybersecurity Task Force, June 2017, https://www.phe.gov/Preparedness/planning/CyberTF/Documents/report2017.pdf
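Two of the recommendations above (“Know what you have” and “Get a bill of materials”) describe checks that can be automated once the inventory and the component lists exist. The script below is an added example written for this page; it is not from the task force report, from Hennepin Healthcare, or from any vendor. The inventory rows, the SBOM entries and the advisory are constructed for illustration, and the list of end-of-support operating systems, the column names, and the rule that every network-connected device needs a VLAN and an SBOM are assumptions a real organization would set for itself.

```python
"""Triage a clinical device inventory against the task force's
"know what you have" and "bill of materials" recommendations.

Added example with constructed data; not code from the report or any vendor.
"""
import csv
import io

# Assumption: operating systems the organization treats as end-of-support.
UNSUPPORTED_OS = {"windows xp", "windows 7", "windows server 2003"}

# Constructed inventory export (asset system / clinical equipment system).
INVENTORY_CSV = """asset_id,device,os,network_connected,emr_interfaced,vlan
HC-0001,infusion pump,Windows XP Embedded,yes,yes,
HC-0002,anesthesia machine,Linux 4.4,yes,yes,med-devices
HC-0003,oral temperature probe,firmware,no,no,
HC-0004,CT scanner,Windows 7,yes,yes,imaging
"""

# Constructed vendor bills of materials: asset_id -> [(component, version)].
SBOM = {
    "HC-0001": [("openssl", "1.0.1"), ("busybox", "1.20.2")],
    "HC-0002": [("openssl", "1.0.2"), ("dropbear", "2016.74")],
    "HC-0004": [("openssl", "1.0.1"), ("dicom-toolkit", "3.6.0")],
}

# Constructed advisory: component -> first version that contains the fix.
ADVISORY = {"openssl": "1.0.2", "dropbear": "2017.75"}


def parse_version(version):
    """'1.0.2' -> (1, 0, 2); non-digit characters inside a part are dropped."""
    parts = []
    for part in version.split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version, fixed_in):
    """A component is affected when its version predates the fixed version."""
    return parse_version(version) < parse_version(fixed_in)


def parse_inventory(text):
    """Read the CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def os_unsupported(os_name):
    """Match 'Windows XP Embedded' etc. against the end-of-support prefixes."""
    name = os_name.strip().lower()
    return any(name.startswith(prefix) for prefix in UNSUPPORTED_OS)


def triage(inventory, sbom, advisory):
    """Return (asset_id, finding_type, detail) tuples for every issue found."""
    findings = []
    for row in inventory:
        asset = row["asset_id"]
        connected = row["network_connected"].strip().lower() == "yes"
        # Recommendation 1: unsupported OS -> replace, or document a retirement
        # timeline and rely on compensating controls (segmentation, hardening).
        if os_unsupported(row["os"]):
            findings.append((asset, "unsupported-os", row["os"]))
        # Compensating control check: connected devices must sit on a VLAN.
        if connected and not row["vlan"].strip():
            findings.append((asset, "unsegmented", "no VLAN assigned"))
        # Recommendation 4: no bill of materials means no way to know
        # whether a new advisory applies to this device.
        if connected and asset not in sbom:
            findings.append((asset, "no-sbom", "bill of materials missing"))
        for component, version in sbom.get(asset, []):
            fixed = advisory.get(component)
            if fixed and is_affected(version, fixed):
                detail = f"{component} {version} < {fixed}"
                findings.append((asset, "vulnerable-component", detail))
    return findings


if __name__ == "__main__":
    for asset, kind, detail in triage(parse_inventory(INVENTORY_CSV), SBOM, ADVISORY):
        print(f"{asset}\t{kind}\t{detail}")
```

Running it lists six findings: the XP-based infusion pump is unsupported, unsegmented and carries a pre-fix OpenSSL; the anesthesia machine is current except for its SSH daemon; the CT scanner runs an unsupported OS and the same OpenSSL; the unconnected temperature probe produces nothing, which mirrors Werder’s point that the MDS2 and inventory effort should start with life-critical and connected equipment.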