David Braeutigam: Cybersecurity Is the New Electrical Safety Concern for HTM

In the March 1971 issue of Good Housekeeping, Ralph Nader wrote an article about the risk of electrical shock from medical equipment in hospitals. Our industry responded by having the biomedical equipment engineers and clinical engineers at their hospitals test medical equipment for leakage current. That response also created an industry of medical equipment test instrumentation. Medical equipment manufacturers, in turn, responded by designing better equipment with low leakage current.

Initially, our industry was required to test medical equipment for leakage current twice a year per The Joint Commission (TJC) and the Centers for Medicare and Medicaid Services (CMS). As manufacturers designed better equipment that minimized the risk of electrical shock, TJC and CMS relaxed their testing requirements, first to once a year and finally to a risk-based system.

Frank Painter recently mentioned in an Alternative Equipment Maintenance (AEM) seminar that the now-adopted 2012 edition of the National Fire Protection Association (NFPA) codes no longer requires routine electrical safety testing, except at incoming inspection or after major repairs. We have come full circle on the concern over electrical safety: the medical equipment industry responded, and the hazard was engineered down to the point that routine testing is no longer justified.

But now we are seeing a new issue that has replaced the electrical safety concern of the past several decades: cybersecurity. This is a relatively new concern, because most medical equipment was never designed to sit on a hospital enterprise network. Some equipment built over the past 20 years was designed to work on a network, but that network was segmented and did not communicate over the hospital enterprise network. Now more and more equipment is attached directly to the enterprise network, where it is exposed to the same threats as any other networked host, usually without the patching, endpoint protection or hardening those hosts receive.


Remember the classes you took when you were preparing for the healthcare technology management (HTM) field? One of those classes was anatomy and physiology. We took it to understand how medical equipment interfaces with and works on patients. We also took it to learn to speak the language of the doctors and nurses we would work with.

Today, to speak the “anatomy and physiology” of information technology (IT), we need to learn a new language. We need to understand how medical equipment interfaces with the IT infrastructure, just as we learned how it interfaces with patients. And we need to understand the risk to our patients, just as we did with electrical safety.

This new concern has created new opportunities for the HTM industry. The cybersecurity industry has responded by extending its expertise into the medical equipment field; scores of new companies have been formed to address the problem, and I’m sure you’ve seen them at an AAMI or MD Expo conference recently. Medical equipment manufacturers are starting to respond by designing their new equipment with cybersecurity in mind.

The HTM industry also needs to respond by learning the language of IT and understanding how to protect our patients against cybersecurity risks.

In the end, the goal of our industry has not changed. Our industry exists to protect the patient against risk. First it was electrical shock; now it is cybersecurity. What are you and your hospital doing to prepare for this?

David Braeutigam, MBA, CHTM, CBET, is president of Braeutigam Enterprises LLC in Arlington, TX, and a member of AAMI’s Technology Management Council.

7 thoughts on “David Braeutigam: Cybersecurity Is the New Electrical Safety Concern for HTM”

  1. David, well said and spot on! Collaborating with IT and other stakeholders within and outside the organization is key to mitigating the risks of cyber threats. In my new role at CHOP, we are part of the Information Services department, which brings many benefits and added resources to our field and helps us continue to have visibility. I do agree that it is a learning curve for us as a field. Salim

  2. I wonder if cyber security of medical equipment will ever actually become primarily the domain of HTM. Today there is a vacuum of expertise and it is possible that IT department-based cybersecurity teams will simply expand their role to include medical equipment. “They” may ask us to participate but it may end up being their show… not that there is anything wrong with that. Either way, I agree learning the language is useful.

    • Our HTM Director met this head-on and developed a new role within HTM known as Medical Systems Security Professional. I have held this role since 11/2017. I have a background in biomed and IT, and as of 12/2018 I also have my CISSP. My director thought it would be better for the organization to get out in front of the medical device security concerns and help work with our Information Security (IS) partners in Information Technology (IT). So far the role has been widely accepted and welcomed by the IS/IT departments, as traditionally (at least in our organization) IS/IT didn’t know much from a medical systems perspective. There was a huge learning curve from my perspective, as I knew little to nothing about IS. The key has been collaboration between our teams.

    • We are already seeing this happen, since IT folks are seen as more easily adaptable to new learning environments and cultures compared to the HTM teams. There are Information Security engineers who are learning HTM workflows and workings but do collaborate with HTM staff to better serve cybersecurity concerns. It’s good to see teams not working in silos anymore, but it also brings up a concern where leaders are worried about another department taking up the effort as their show.

  3. An interesting perspective… Add one more facet of “old” learning: electrical safety begins with the safety of a facility’s electrical systems. Vulnerability of networked medical devices also depends in large part on the vulnerability of a health system’s network infrastructure. Device makers’ risk management is being driven to assume that their customers are not up to the job of securing their own device networks and will leave their products exposed to the Internet. Hackers seem to have decided that hacking patient care devices is their new “blood sport.” In that “world,” a clear and vibrant partnership between device makers and their customers would lower overall complexity and help keep everyone significantly safer.

    Dennis Schneider
