Zach Collins: Stop Wasting so Much Time on Risk Analysis

Why are you wasting so much time figuring out how to get new medical equipment safely on the network? It really doesn’t make sense to reinvent the wheel over and over when you could be working with your peers in information technology and information security. What if I told you there was a better way?

At VA Heart of Texas Health Care Network, our teams have made some major improvements in how we approach risk analysis for networked medical equipment. To do that, our network of 16 medical centers developed a platform to better analyze risk and follow a workflow that enables our teams to work together for better reviews and faster approvals.

First, you have to understand that risk is an intrinsic element of the medical device or system. That risk will not change based on geographic location or installation. Think of it like a pickup truck—it will always have four wheels no matter where you drive it, what garage you park it in, or the type of loads you haul. Second, a critical element of improving risk analysis is to involve team members outside of your local operation.

For example, we send all of our risk analysis through regional information security and information technology reviewers. That’s like taking an open-book group test versus trying to calculate the vasculature response in the brain after experiencing a traumatic brain injury, all by yourself! If you sit down with the team and come up with some basic lists of what the risks are and make the conscious decision to analyze risk as just another troubleshooting exercise, then the process will become faster, more efficient, and ultimately exceptionally effective.

The most common risks you’ll find from medical equipment are the built-in conveniences, such as the hard-coded passwords often found in manuals that you can probably just find on Google. Another challenge we face is the inability to change or shut down communication pathways (e.g., FTP and HTTP) because that’s just how the equipment was engineered. A lot of medical equipment does not use a full-blown operating system, or it’s simply not capable of having security software installed. Sometimes, roadblocks are even built into the FDA clearance for the medical equipment! So, what do you do? There has to be a better way, right?

We have had to learn how to manage logical and physical risks without harming the medical equipment operation. I have to admit, we didn’t do that on our own. Thanks to a lot of input from some very smart biomedical engineers and technicians, we now follow a relatively standardized practice of communication isolation on the network that boxes in the equipment with VLANs and exceptionally strict access control lists (ACLs).

Using our resources across multiple healthcare systems strengthened our security approach to getting those ACLs written properly and efficiently, and it increased our ability to “double check” the various sales reps from the equipment manufacturers. Double checking is very important: once one team has been through the process from “A to Z,” the next team can start at “L, M, N, and O” by comparing and contrasting against an established control. Ultimately, we are learning in both directions that the first round may have missed a few things, the second added some on, and the rest of the iterations basically serve as positive affirmations that, yes, we got this one right.
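To make the “box it in with a VLAN and a strict ACL” practice and the “double check against an established control” step concrete, here is an added example (not the VA’s tooling or any configuration from this article): it models the pathways a device’s manual says cannot be turned off (FTP and HTTP to one server), builds a default-deny reference ACL for the device VLAN, renders it in Cisco IOS extended-ACL syntax, and flags any permit in a proposed ACL that the reference control does not contain. All addresses, ports and ACL names are constructed.

```python
"""Added example: reference ACL for an isolated medical-device VLAN plus a
double-check of a proposed ACL against it. Addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    proto: str                # "tcp", "udp" or "ip"
    src: str                  # source CIDR (the device VLAN)
    dst: str                  # destination CIDR
    port: Optional[int] = None  # destination port; None means any


def build_reference_acl(device_vlan: str, pathways: List[Tuple[str, str, int]]) -> List[Rule]:
    """pathways = (proto, dst_cidr, port) the manual says the device needs,
    e.g. FTP/HTTP to the image server. Everything else gets an explicit deny."""
    rules = [Rule("permit", p, device_vlan, d, port) for p, d, port in pathways]
    rules.append(Rule("deny", "ip", device_vlan, "0.0.0.0/0"))
    return rules


def extra_permits(proposed: List[Rule], reference: List[Rule]) -> List[Rule]:
    """The 'double check': any permit not exactly in the reference is flagged,
    so a broader rule (wider subnet, any port) is flagged as well."""
    allowed = {r for r in reference if r.action == "permit"}
    return [r for r in proposed if r.action == "permit" and r not in allowed]


def ends_with_default_deny(acl: List[Rule]) -> bool:
    """A boxed-in VLAN must close with deny ip <vlan> any."""
    return bool(acl) and acl[-1].action == "deny" and acl[-1].proto == "ip" \
        and acl[-1].dst == "0.0.0.0/0"


def _cisco_addr(cidr: str) -> str:
    net = ipaddress.ip_network(cidr)
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"  # IOS wildcard mask


def render(acl: List[Rule], name: str) -> List[str]:
    """Render as Cisco IOS extended-ACL lines (syntax assumed, not from the article)."""
    lines = [f"ip access-list extended {name}"]
    for r in acl:
        port = f" eq {r.port}" if r.port is not None else ""
        lines.append(f" {r.action} {r.proto} {_cisco_addr(r.src)} {_cisco_addr(r.dst)}{port}")
    return lines


# Constructed sample: the device only needs FTP (21) and HTTP (80) to one server.
DEVICE_VLAN = "10.20.30.0/24"
REFERENCE = build_reference_acl(DEVICE_VLAN, [("tcp", "10.1.5.10/32", 21), ("tcp", "10.1.5.10/32", 80)])
# A second site's proposal that also opens SSH at the vendor rep's request.
PROPOSED = REFERENCE[:2] + [Rule("permit", "tcp", DEVICE_VLAN, "10.1.5.10/32", 22)] + REFERENCE[2:]

if __name__ == "__main__":
    print("\n".join(render(REFERENCE, "MED-IMG-VLAN30")))
    for r in extra_permits(PROPOSED, REFERENCE):
        print("extra permit not in reference control:", r)
```

Running it prints the reference ACL and flags the SSH permit, which is exactly the kind of line the second review catches before it reaches the switch.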

So, stop wasting so much time on risk analysis and go big with your peers as well as your own understanding. Start with one category of equipment as an experiment and see if it improves the process as well as unearths any dangling risks that are waiting to blow up. Reinventing the wheel has been done way too many times and it’s just not worth spending time on. Biomedical engineering is one of the biggest innovation factors in the world of healthcare today. Go put that notion in action when it comes to networked medical equipment.

Zach Collins is a health technology manager at VISN 17, VA Heart of Texas Health Care Network.

Contributors:

  • Jane Lacson, chief biomedical engineer at VISN 16, Fayetteville, AR VA Medical Center
  • Stratton Brown, chief biomedical engineer at VISN 16, Jackson, MS VA Medical Center
  • Meaghen Krebsbach, chief biomedical engineer at VISN 19, Oklahoma City, OK VA Medical Center
