Page 1: PARTNERING FOR MEDICAL DEVICE SECURITY …365.himss.org/sites/himss365/files/365/handouts/550295833/handout... · Awards & Recognition Davies Award. 7 ... •Weekly Leadership Gemba

PARTNERING FOR MEDICAL DEVICE SECURITY AND PATIENT SAFETY

Session 272; March 8, 2018

Lisa Grisim, VP & ACIO; Auston Davis, CISO; Ilir Kullolli, Director, Clinical Technology

Stanford Children’s Health

Conflict of Interest

Lisa Grisim, RN, MSN; Auston Davis, MS, CISM; Ilir Kullolli, MS

The presenters have no real or apparent conflicts of interest to report.

Agenda

• History of Clinical Technology at Stanford Children’s
• IS & Clinical Technology Partnership & Management Approach
• State of Biomedical Security
• Clinical Technology Approach

Learning Objectives

• Describe how to better strategize and organize for device security management
• Discuss how to formulate and structure policies to drive success
• Identify and organize a pathway for device integration and security

Stanford Children’s Health

• Stanford Children’s Health (SCH) is the only medical network in the area, & the country, exclusively dedicated to pediatric & obstetric care.

• Network of more than 1,000 physicians across 60 locations.

• At the heart of our healthcare system is Lucile Packard Children’s Hospital Stanford, which is internationally recognized for advancing leadership & innovation with family-centered care of newborns, children, & expectant mothers.

Awards & Recognition

Davies Award

History of Clinical Technology at SCH

2005 – Shared Service
• Shared service between Stanford Health Care & Stanford Children’s Health
• Reported through General Services

2012 – Re-Organization
• Reporting structure changed to report through the IS dept.

2015 – Children’s Dedicated
• Assessment completed to look at the impact of splitting the dept. between the 2 hospitals
• Decision made to separate

2016 – Reporting Change
• Department reporting structure within IS transitioned from CTO to ACIO

Future

IS & Clinical Technology Partnership

Roles: IS Service Leader and Clinical Technology Engineer

Partnership cycle: Understand Department Operations → Educate on Appropriate Use of IT → Surface Trends & Upcoming IT Needs → Identify New Opportunities

• Coverage in all key areas in the organization
• Coordinated Gemba rounds
• Build a rapport & trusted relationship

IS Management Approach

• Weekly Leadership Gemba Rounds
• Visibility wall walk – 1 hr.
• Ad hoc huddles – 30 mins.
• Service Leaders meeting – 30 mins.
• Daily Tiered Huddles (8a to 10a)
  1. Managers with Staff
  2. Directors with Managers
  3. VP with Directors
  4. Executive team with VPs/Admin. Directors

State of Biomedical Security

• Dependency – Patient care is now more dependent on technology than ever
• Connectivity – Devices are becoming more connected
• Exploitability – Tools to compromise and harm systems are readily available and cheap (free)
• Security – Firewalls and Anti-Virus are not enough

Shift in Blame

2012: “The FDA won’t let me fix it” – Every Biomed Vendor

2016: “Vendors don’t create secure biomedical devices” – FDA + Every Biomed Engineer

Feb 2018: “No one is enforcing safe biomedical devices” – Every Security Professional

Current Challenges

• Limited Incentive – Vendors do not have any real incentive to produce secure biomedical equipment
• Legacy – Vulnerable legacy systems still need to be utilized since there is no suitable replacement
• Reporting – Vendors are only required to report vulnerabilities in their devices under limited circumstances

There is Hope

• Level of Security (Post-Market Labeling) – Vendors are being encouraged to use labels to signify their level of security compliance
• ISAC/ISAOs (Information Sharing) – Information sharing amongst the ISACs and ISAOs is on the rise
• Innovating Security (Finding Security Solutions) – Security professionals are architecting solutions to address some issues
• Guidelines & Framework (FDA Guidance) – FDA is providing guidance & a suggested framework to vendors & security teams

Clinical Technology Approach – Phases

Planning/RFP
• Must have a seat at the table during negotiations with vendors
• Ensure that Device Security is part of the RFP Document
• Must Obtain MDS2 Documents
• Require vendors to provide equipment that can be patched for the life of the equipment

Intake
• Create process to assess risk
• Work collaboratively with IS Security to determine device profile
• Deploy device

Current Inventory
• Perform inventory assessment
• Assess all Biomedical Device/System applications
• Classify them by risk
• Remediate devices at risk
• Ensure no loss of data, minimize downtimes, and no patient harms result from this

Old Biomed Network

• Separate Network

• Expensive to Maintain

• Hard to Support & keep up to date

• Outside of “Normal” Clinical Engineering responsibilities

• No Change Control process

• *Harder to be hacked into

New - Converged Network

• Same network as IS

• Cheaper to maintain

• Easier to support & keep up to date

• Supported by Network Team & Server Team

• Change Control

• More issues due to network outages/updates

• Easier to address issues

RFP Process

• Operating System/Service Pack
  o Lifecycle Support
  o Update/Upgrade Plans
• Database (if applicable)
• Ports/Protocols/Services used by device
• Antivirus/Antimalware & Physical Safeguards
• Internet Connectivity type needed (public?)
• Hardwired/Wireless network/Bluetooth
• System Architecture (if applicable)
• Encryption, Passwords & Audit Capabilities

Address Equipment at Intake

Trigger (Start): Supply Chain (SC) or designee (at the dock) receives equipment & enters receipt of equipment into PeopleSoft.

1. Supply Chain or designee identifies CTBE as the responsible party and notifies them to pick up equipment.
2. CMMS generates an “Equipment Add Form” for each device received & alerts the CTBE Manager.
3. CTBE BMET enters equipment information with PO information in CMMS.
4. Does the device need IS review?
   • No – flow ends.
   • Yes – BMET contacts IS Security for Device Review and submits any exceptions necessary.

Manufacturer
• MDS2 Forms
• CyberSecurity Program and Response
• Provide timely updates and patches
• Collaborate to address concerns

Clinical Technology
• Operating Systems
• ePHI Information
• Network Capabilities
• Applications
• Encryption
• Physical Security

Information Security
• Perform Risk Assessment
  o Access to Information
  o Ability to be hacked into
  o Risks to Business
• Prioritize devices based on the assessment performed
• Apply Access Controls

Equipment Inventory

• Perform Physical Inventory of Equipment
  ~ 20,000 Medical Devices in Inventory
  ~ 4,000 with Cyber Security implications:
  o Contain ePHI
  o Connect to the network
  o Storage Capabilities
  o Physically portable
  o No security controls
  o Are not encrypted
• Perform Vendor Assessment

Tier I – Highest Risk: ePHI, Portable, Networked, Unencrypted, Unpatchable Operating System
Tier II: Networked, Encrypted, ePHI, Portable, Unpatchable
Tier III: Networked, Encrypted, No ePHI, Portable, Patchable
Tier IV – Lowest Risk: Stand-Alone, Encrypted, No ePHI, Non-Portable, Patchable
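The four tiers above turned into a classifier, as an added example written for this page rather than SCH's own tooling: the weights, cut-offs and sample inventory are assumptions chosen so that the score reproduces the four slide profiles, and the result is the device list ordered for remediation, highest risk first.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    name: str
    ephi: bool        # contains ePHI
    networked: bool   # connects to the network (False = stand-alone)
    portable: bool    # physically portable
    encrypted: bool   # stored data is encrypted
    patchable: bool   # operating system can still be patched

# Weights and cut-offs are assumptions for this example; the slide gives only the
# attribute combination that defines each tier, and these values reproduce it.
WEIGHTS = {"unpatchable": 4, "unencrypted": 3, "ephi": 2, "networked": 1, "portable": 1}
TIERS = ((10, "Tier I"), (6, "Tier II"), (1, "Tier III"))  # score >= cut-off

def has_cyber_implications(d: Device) -> bool:
    """Slide 19 filter, for the attributes modelled here: ePHI, networked, portable or unencrypted."""
    return d.ephi or d.networked or d.portable or not d.encrypted

def risk_score(d: Device) -> int:
    return (WEIGHTS["unpatchable"] * (not d.patchable)
            + WEIGHTS["unencrypted"] * (not d.encrypted)
            + WEIGHTS["ephi"] * d.ephi
            + WEIGHTS["networked"] * d.networked
            + WEIGHTS["portable"] * d.portable)

def classify(d: Device) -> str:
    s = risk_score(d)
    return next((tier for cutoff, tier in TIERS if s >= cutoff), "Tier IV")

def remediation_order(devices):
    """Devices with security implications, highest risk first."""
    flagged = [d for d in devices if has_cyber_implications(d)]
    return [(d.name, classify(d)) for d in sorted(flagged, key=risk_score, reverse=True)]

# Constructed sample inventory, one device per slide profile (not real SCH data)
INVENTORY = [
    Device("infusion-pump-A", ephi=True, networked=True, portable=True, encrypted=False, patchable=False),
    Device("ultrasound-cart", ephi=True, networked=True, portable=True, encrypted=True, patchable=False),
    Device("vitals-monitor", ephi=False, networked=True, portable=True, encrypted=True, patchable=True),
    Device("lab-analyzer", ephi=False, networked=False, portable=False, encrypted=True, patchable=True),
]

if __name__ == "__main__":
    for name, tier in remediation_order(INVENTORY):
        print(f"{tier:9} {name}")
```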

Addressing Security Risks

Addressing Security Risks – Real Example

• Monitor – Monitor activity for rogue DNS & DHCP servers
• Segment – Ensure Medfusion network is segmented from other hospital & clinical IT infrastructure
• Password – Apply proper password hygiene standards across systems (e.g. use upper/lowercase; special characters; minimum character length of 8)
• Backup – Take backups & perform routine evaluations
• Firewall – Apply Access Control – Cisco ISE
• Test – Test the Solution
• Deploy – Deploy the Final Solution
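The Monitor step above, as an added example that is not part of the original deck: a small detector that flags DHCP offers and DNS responses on the Medfusion segment coming from servers outside an allow-list. The VLAN number, addresses and log format are constructed for the example.

```python
import re
from collections import defaultdict

# Authorized servers per segment: an assumption for this example, not SCH's real
# addressing. The segmented Medfusion network (VLAN 120 here) must only ever see
# answers from its own DHCP and DNS servers.
AUTHORIZED = {
    120: {"dhcp": {"10.20.0.1"}, "dns": {"10.20.0.53"}},
}

# Constructed sample of observed server-side traffic (e.g. from a span port or
# DHCP-snooping log); not a real capture.
OBSERVED = """\
2018-03-08T10:01:02 vlan=120 proto=dhcp msg=OFFER src=10.20.0.1 client=10.20.0.41
2018-03-08T10:01:05 vlan=120 proto=dns  msg=RESPONSE src=10.20.0.53 client=10.20.0.41
2018-03-08T10:02:17 vlan=120 proto=dhcp msg=OFFER src=10.20.0.99 client=10.20.0.42
2018-03-08T10:02:18 vlan=120 proto=dns  msg=RESPONSE src=10.20.0.99 client=10.20.0.42
2018-03-08T10:03:00 vlan=120 proto=dhcp msg=OFFER src=10.20.0.1 client=10.20.0.43
"""

LINE = re.compile(r"^(?P<ts>\S+) vlan=(?P<vlan>\d+) proto=(?P<proto>\w+)\s+msg=(?P<msg>\w+) src=(?P<src>[\d.]+)")

def find_rogue_servers(log: str, authorized=AUTHORIZED):
    """Return {(vlan, proto, src): count} for server replies from unauthorized hosts.

    Only server-side messages (DHCP OFFER, DNS RESPONSE) are checked, because
    client requests never identify a rogue server. A VLAN with no allow-list
    entry flags every server seen on it.
    """
    hits = defaultdict(int)
    for line in log.splitlines():
        m = LINE.match(line)
        if not m or m["msg"] not in ("OFFER", "RESPONSE"):
            continue
        vlan, proto, src = int(m["vlan"]), m["proto"], m["src"]
        allowed = authorized.get(vlan, {}).get(proto, set())
        if src not in allowed:
            hits[(vlan, proto, src)] += 1
    return dict(hits)

if __name__ == "__main__":
    for (vlan, proto, src), n in find_rogue_servers(OBSERVED).items():
        print(f"ALERT vlan {vlan}: unauthorized {proto} server {src} ({n} replies)")
```

Each alert is a candidate rogue server on the segment; the authorized servers answering the other clients produce no output.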

Control Comm. Routes/Access Control

• Implementation of Cisco ISE for All Networked Medical Equipment
  o Real Time Monitoring of Traffic
  o Network Intrusion Detection & Prevention
  o Increase Network Visibility of Assets/Communication
  o Limit communication routes (device to server; vice-versa) & build Device Specific Profiles
  o Quickly disable a group of devices in case of an intrusion
  o Protect the IS Network
  o Enable a Safe Patient Care Environment
• VRF for all devices that cannot comply with Security Standards

Patches and Updates

1. File Exclusions – File exclusions for medical devices that must not be patched automatically
2. Establish Intervals – Define appropriate patching intervals
3. Determine Availability – Continuously check with manufacturers for patches & updates
4. Test Patches – Test impact to system performance & operability
5. Announce Patches – Communicate, communicate, then communicate some more…
6. Change Request – Submit & get Change Request approved
→ Deploy Patch/Update

Clinical Technology Approach Summary

Sustain the Process!!!

Medical Device Security is an afterthought when purchasing medical devices and systems
→ Involved in negotiations w/ vendors → Device Security is part of RFP → Require equipment that can be patched

Medical Device Functionality can be compromised by “over managing” security of devices (e.g. Cisco ISE)
→ Assessment of devices → Assessment of applications → Classify by risk & remediate → No loss of data or pt. harm, minimize downtimes

Non-Accurate Inventory doesn’t allow us to manage security for Medical Devices
→ Perform Inventory → Collect Data → Update Inventory Data → ID equipment w/ highest risk

Questions

Lisa Grisim, RN, MSN

Vice President & Associate CIO

Stanford Children’s Health

[email protected]

Ilir Kullolli, MS

Director, Clinical Technology &

Biomedical Engineering

Stanford Children’s Health

[email protected]

Auston Davis, MS, CISM

Chief Information Security Officer

Stanford Children’s Health

[email protected]

Please don’t forget to complete the online session evaluation…