Pat Baird and Erin Sparnon: When It Comes to Cybersecurity, You Can’t Do It Alone

You oughta see the view from my silo!

During this summer’s AAMI 2017 Conference & Expo, we were excited to again be the facilitators for the session, Top 10 Issues Facing HTM. Every year, we pose questions to the audience regarding emerging HTM issues, and the audience members share their experiences and practices. And, every year, it takes less than three minutes for the awkward silence and avoidance of eye contact to break forth into success stories, tales of woe, and even the occasional round of applause for a particularly good idea.

It should be no surprise that one of the most energetic topics this year was cybersecurity. Attendees brought up vulnerabilities, exploits, pen testing, the challenges of caregivers connecting their BYOD (bring your own device) devices to hospital networks, and the near-impossibility of keeping current with the latest updates and patches for the vast diversity of medical devices found in a typical hospital.

In conversations that we’ve had with vendors, healthcare delivery organizations (HDOs), and cybersecurity experts outside of our session, we find that these are all very common topics—the technical and logistical challenges associated with healthcare cybersecurity. However, a unique theme emerged during this HTM conversation, one which we haven’t heard many people talk about: cybersecurity preparations are forcing different stakeholders to talk to each other.

Security is not an attribute that can be assigned to one piece of equipment or one piece of software, or ensured by one group working in isolation. One mantra in product development is that security isn’t something that can be bolted on like a feature; it is something that has to be built into the architecture of the device. Similarly, HDO security isn’t something that can be hired as a service. It has to be built into the architecture of the HDO and faithfully implemented with each newly added piece of equipment.

We’ve already seen some traction in the realm of patient safety. Most readers would agree that patient safety isn’t just the responsibility of the hospital’s risk manager. No, to improve safety you have to look at the entire ecosystem of care. Like patient safety, security requires a wide-angle view. However, the cybersecurity ecosystem is much larger, extending to departments that never interact with patients.

Your IT department alone can’t do security.

Your HTM department alone can’t do security.

The vendors alone (or even in aggregate) can’t do security.

You need everyone.

It used to be that each tribe would work alone, in isolation, concentrating on the demands of its regular job, and only interacting briefly with other groups before everyone went back to their desks and workbenches. Although it wasn’t optimal, it was good enough for us to get our jobs done. That has all changed. Silos don’t work anymore.

It’s common knowledge that poor communication adversely affects organizational performance. The Project Management Institute published a report in 2013, The High Cost of Low Performance: The Essential Role of Communications, which showed that 56% of project risk is due to ineffective communication. Similarly, the 2010 study Adapting Corporate Strategy to the Changing Economy by Forbes found that nine out of 10 CEOs believe that communication is critical to success of their strategic initiatives.

But cybersecurity has taken things a bit further than other challenges. We’ve learned that nothing is ever really “secure-secure” once it’s networked (or even graced with a USB drive). Our primary defense is rapid response, and that doesn’t happen without good communication.

When we talk about good communication, we aren’t talking about reading the latest email about a phishing scam. We aren’t talking about making sure you change your password every 90 days. We are talking about fostering true cooperation across organizational boundaries.

How do we do this?

  1. Talk to people that you rarely talk to, and learn their language well enough to articulate your concerns. If an urgent issue comes up, are you really going to tell the head of oncology that “XYZ version 2.3 suffers from a remote SQL injection vulnerability”?
  2. Grow your network of contacts both inside and outside of your organization. Even though we know that every care area in every facility has its own unique culture and work practices that resist our best efforts at making national standardized anything (we’re looking at you, infusion pump drug libraries!), we’ve observed that just about everyone has medical devices, computers, servers and networks, and at least a few departments to manage them. Reach out through professional societies, email the writer of the last paper you really liked, or just start a conversation with the next IT person you stand next to in the lunch line.
  3. Make organizational decisions that support connectedness. Back in 2003, before the rise of social media, Albert-Laszlo Barabasi authored an excellent book Linked: How Everything Is Connected to Everything Else and What It Means. (Pat used this book to build very successful teams. Each team member was the primary liaison to other teams, so everyone was active, everyone was engaged, and they always had an expert inside of the team that could provide more details when needed. No one person could manage a network that large and still get regular work done, but by splitting the connections and remaining in constant contact, team members acted as a bridge between two very large networks.)
  4. Be generous with your own contacts. The next time you have to punt to an expert to answer a question for a colleague, consider starting a dialogue between the questioner and the expert instead of just forwarding on the answer. Knowing the people who can answer the question can be even more valuable than the answer itself—and you’ll gain a reputation as a connector.

Give these a try, and let us know how it goes. We love the feedback!

Pat Baird is head of global software standards at Philips in Pleasant Prairie, WI. He is a member of the Editorial Board for AAMI’s journal, BI&T.

Erin Sparnon is engineering manager at ECRI Institute in Plymouth Meeting, PA.

3 thoughts on “Pat Baird and Erin Sparnon: When It Comes to Cybersecurity, You Can’t Do It Alone”

  1. A lot of the communication advice in the post can be applied to most of what we do in healthcare.

    As a biomed, when I do a PM on a medical device that also contains a host PC I do a “cybersecurity check-up” on the PC (as well as blow the dust out of the CPU radiator and fans and power supply). Given the almost nuclear damage a cyberattack can do to a healthcare enterprise, what biomed would want their initials to be seen on a PM sticker that was on a device that was found to be a gateway for an attack? If a connected medical device was implicated as a vector, who would burn for it? So at this point, can any PC in a medical application be called “low risk” any longer?

    I have read a lot of big-picture chatter about cybersecurity, but not a lot of advice for those of us down here in the trenches.

    I am a big believer in plain English PM checklists. What items would be on your PM checklist for a medical system with a connected host PC?

  2. Is it reasonable to ask, “Does the value of this being connected offset the risk of it being connected?” Or do only old men ask that question?

    • Hear, hear. We should always look at the assumptions, in this case the assumption of network connectivity. There are several ways to connect and/or aggregate the data from the devices—the assumption that it must be done through the shared network with its bi-directional exposure should be one that is challenged when appropriate.
