Methodist Hospital of Southern California has an infrastructure in place to safeguard against malware and data breaches
These days, rare is the medical device or piece of equipment that doesn’t have some kind of chip or computer in it. “You may think you’re buying a scope, but you don’t understand you’re also buying a computer with it,” says Tamara Murphy, director, materials management, Methodist Hospital of Southern California, Arcadia, Calif.
In fact, somewhere around 60 percent of the medical equipment in today’s hospitals are networked, says Anthony Coronado, manager of biomedical engineering, Methodist. That means around 60 percent of medical equipment is vulnerable to hackers and malware.
Contracting executives such as Murphy are in a unique position to help control cyber-malfeasance and cyber slip-ups (such as accidental breaches in patient confidentiality). But they can’t do that without developing a close working relationship with their colleagues in IT and biomedical engineering. That’s the model used by Methodist Hospital of Southern California.
And it is a model that was recognized in September, when ECRI Institute named Methodist Hospital as the winner of ECRI’s 8th Annual Health Devices Achievement Award. Methodist Hospital’s winning submission, Redefining Medical Equipment Management and Giving a Solution to Vulnerabilities from New Medical Device Technology, describes its development of a new integrated systems management program that identifies equipment vulnerabilities related to patient safety, information availability, and cybersecurity resulting from the introduction of advanced and increasingly complex medical devices in the healthcare setting.
Healthcare providers have been on a fast track toward automation for the past 10 years, says Kara Marx, vice president, chief information officer. “It has been a pretty steep climb, and that has affected all areas of the hospital – medical equipment, electronic medical records, diagnostic equipment – the whole gamut.” So steep, in fact, that technology has outpaced the ability of many organizations to get their policies and procedures in place.
“Our goal is to be agile and nimble enough to recognize that our investment in the technology that provides excellent care brings with it a risk, and we need an infrastructure in place to safeguard against it.” Materials management is an integral part of that infrastructure.
“When I asked Anthony [Coronado], ‘How can we make sure things don’t get in the organization that we don’t know about?’ it became pretty obvious we needed to partner with purchasing and materials throughout the procurement process,” says Marx. “So we went to Tammy. She’s the conductor. And we made a commitment to challenge our vendors and educate our users around the program we’ve built.”
“If [a piece of equipment or a device] has a monitor, protected health information can get in it,” says Murphy. “As materials management professionals, we don’t necessarily know whether it’s storing that data and whether it can be accessed. That’s why it’s critical for us to work with IT to make sure anything we bring in is protected.”
In fact, the materials management team follows a simple rule of thumb, she says: “If it plugs into a wall, we need to talk to IT.” When possible, Murphy and her team facilitate a discussion between IT and the vendor’s technical experts.
Biomedical engineering is an important part of the process. Coronado developed a checklist of 57 questions – many of them about cybersecurity, updates and software patches – that prospective vendors must answer.
Vendors, for the most part, are ready to help. “They’re all open to it,” says Marx. “When you talk about the scenarios that can happen, they can’t acknowledge that the risk isn’t out there. The more they interact with organizations such as ours around security, the smarter they get. I think providers are educating them.”
Materials management executives have always preached the virtues of standardization, often for economic reasons. But standardizing on equipment and devices can advance the goal of cybersecurity as well, says Murphy. “When you work with multiple vendors and different devices, you start to have more problems,” she says. “We try to maintain consistency, so we’re protected as a facility throughout.”
Methodist Hospital monitors equipment that is rented, leased or brought in for a specific procedure as well, adds Murphy.
How about the clinicians?
The effort to ensure cybersecurity doesn’t end with acquisition. “Tammy and I do a lot on the front end,” says Marx. “Anthony is instrumental in doing the maintenance and the updates after that. It’s one thing to have a strong security program in place before you purchase a device or piece of equipment, but as quickly as technology changes, there also are updates and patches” to keep up with.
“We have implemented a systems-management approach, [in which we] tie in all the vendors, go through all the equipment and identify all the vulnerabilities,” says Coronado. “We’re constantly monitoring equipment, double-checking with manufacturers and seeing when updates are due.”
Regardless of how carefully materials management, IT and biomedical engineering have screened incoming equipment and devices, and no matter how vigilantly they maintain updates and software patches, security can be compromised when those devices are on the floors, in use by clinicians. That’s where the rubber meets the road.
Getting clinicians to understand there are computers in many of the devices and equipment they use – and that it must be accounted for from an inventory perspective – is a challenge, says Marx. Another challenge: impressing on all staff the potential dangers of plugging outside equipment and devices into the hospital’s network.
“Organizationally, it’s our responsibility to create a security-aware culture,” says Marx. “We have to make people aware of privacy and security in all aspects of the organization.” Clinicians need to be reminded to exercise caution when handling paper-based documents, she says. But the stakes are raised when electronics are brought into the picture.
“We educate people that even the copy machine might have a computer chip in it – and could have patient information stored on it,” she says. “And even if the IV pump doesn’t look like it has a computer chip in it, it could be storing patient information. There are numerous areas that people don’t think about. And if you don’t have that awareness that computers are everywhere, you can create a breach.”
The trick is to elevate clinicians’ sensitivity to cybersecurity without overburdening them. “Sometimes, technology can push clinicians away from doing what they’re here to do. We want technology to enhance the experience of the patient. It’s our job to make sure it’s doing that.”
Ensuring cybersecurity means extra time, work and effort, says Marx. Perhaps it means an extra hour or two on the contracting/negotiating end. “We’re absorbing this into what we’re already doing.
“Technology improves the end user’s experience, but there’s an infrastructure that has to be created. You have to take [cybersecurity] seriously, and organizations have to recognize they’ll need to put additional resources on it.”