5. ACCE Symposium Copeland 2015
Journey to Trust: Safety, Effectiveness and Security Programs for Medical Devices and Systems
Scripps Health San Diego, CA
Scot Copeland, BSITSEC, MCP, Sec+
Medical IT Network Risk Manager
Framework for Achieving Trust
Adapted from Center for Medical Interoperability (C4MI) 2015
Information Exchange and Use
• Safe: Freedom from unacceptable risk of harm / unintended consequences
• Effective: Clinical & Business Functions / Essential Performance
• Secure: Confidentiality, Integrity, Availability & Accountability
• TRUST: All Stakeholders
Health Technology Management: Framework of Policies, Processes, Tooling and Guidance
Networked Clinical Technology Management Maturity
Infrastructure Interoperability Maturity
• Connectivity
• Interoperability
• Tooling to support design, acquisition, configuration and performance monitoring
• Standards / guidance / best practices
Stakeholders: Hospitals / Care Providers; Wireless device and system vendors; Wireless infrastructure vendors; Government (FCC / FDA)
Medical IT network risk management
Recognition of Medical Device
Security Needs
Early Adoption
• HIPAA = privacy and security
• Clinical System Specialists Role
• Security Patch Management
– “Infosec” PMs
• Medical Device networking properties in CMMS
• Involvement with I.T. Change Management
• Ad Hoc risk reviews
– Infusion pump implementation
• risk from WEP encryption
• Secure disposal of devices capable of storing ePHI
2007 Internal Audit
2007 Internal Audit Findings
• Technical
• Medical Device/System security not addressed before installation
• Server Back-up Restore
• Security Patches/Updates
• Configuration/Hardening
• Access control/Privileges
• Physical Security
• IP Addresses not documented
• MDS2 not received
• Not all Medical Devices/Systems tracked in CMMS
• Organizational
• C.I.A. related roles not documented in job descriptions
• Business Associate Agreements not centralized
• Those responsible for security were “silo’d” from other functions
Medical Device Information
Security Committee
• Members:
– Biomedical Engineering
– Audit and Compliance
– Information Services
– Clinical Risk Management
Medical Device Information
Security Committee
• Sub-committee of the Information Security Steering Committee
• FY 2015 Objectives - Medical Devices and Systems
– Complete a Risk Assessment of Critical Medical Device Types
– Complete a Gap Analysis of Medical Device Policies and Standards
– Establish a vulnerability management strategy and priorities
– Ensure validated Medical Device OS updates and patches are up to date
– Complete a Medical Device/System Firewall installation and configuration
– Develop an ongoing education and awareness strategy for users and maintainers of medical devices
Implementation of ISO/IEC 80001
• Introductory training
• Readiness assessment
• Interviews and questions for key stakeholders
• Information services
• Audit and Compliance
• Clinical Risk Management
• Biomedical Engineering
– 15 action items
• Build on practices already in place
ISO/IEC 80001-2-7 Self-assessment Process Model
Roles: Responsible Organisation / Medical Device Manufacturer / Providers of Other IT Technology
Risk Management Processes:
• Risk Management Policy Processes: Risk Management Policy
• Medical IT Network Risk Management Planning Processes: Medical IT Network Planning; Responsibility Agreements; Medical IT Network Documentation; Organisational Risk Management
• Medical IT Network Risk Management Processes: Medical IT Network Risk Management (Risk Analysis & Evaluation, Risk Control, Residual Risk); Change Release & Configuration Management (Decision on how to apply Risk Management); Go Live
• Live Network Risk Management Processes: Monitoring; Event Management
Plan-Do-Check-Act cycle labels in the model: PLAN, DO, CHECK, ACT
Key Organizational
Improvements
• Medical I.T. Network Risk Manager Role
• Developed Job Description based on Safety Officer, Risk and Project Managers
• Modified several existing policies regarding:
• I.T. Risk Management Program
• I.T. Project Approval and Management
• I.T. Change Management
• Information Security Program
• Information Technology Vendor Selection and Management
More Organizational
Improvements
• Involvement with I.T. Committees and functions:
• ITRM
• ISC
• Policy and Standards Committee
• I.T. Due Diligence (Capital Projects)
• I.T. Change Management
• Developed tools for operationalizing risk management processes
• People - advocates for Medical IT Network risk management
• Checklists
• Templates
• Risk Management Plans
• Risk register
Wireless Monitoring Risk Analysis
• Meeting to brainstorm hazards
– Clinical users
– Clinical Risk Managers
– Biomedical Engineering
– IT
• Assign severity, probability scores and calculate risk level
• What risks will be reduced or accepted?
• Ongoing monitoring of risk controls
Lessons Learned
Telemetry Monitoring System failures due to Cybersecurity Vulnerability scanning
• Over 200 patients on 5 systems unmonitored for 30 minutes, some over 3 hours
• Loss of clinical monitoring and diagnostic data
• Near miss / potentially reportable event
• Potential STEMI and TRAUMA Bypass/Community Healthcare Implications
• Disruption of patient throughput
• Clinical Staff turn to back-up procedures
• Patients not receiving routine care activities
Telemetry Monitoring System failure: What would 80001 Impact?
• Configuration management / know different challenges with medical device technology
• Medical device vulnerabilities understood
• Medical I.T. Risk Manager would have an integral role
• Broader organizational coordination (only IT / vendor / info sec & audit / compliance were engaged)
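As an added illustration of the configuration-management point above (example code written for this transcript, not tooling from the presentation or from Scripps Health), a small pre-activity gate that checks a proposed vulnerability-scan or network-change target range against a CMMS inventory of networked medical devices. The inventory records, addresses, and the clinical_criticality / scan_tolerant fields are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class MedicalDevice:
    """One CMMS record; the networking and scan-tolerance fields are assumed, not a real schema."""
    asset_id: str
    description: str
    ip: str
    clinical_criticality: str   # "high" = continuous monitoring / life-supporting
    scan_tolerant: bool         # vendor-validated (e.g. via MDS2 review) as safe to active-scan

# Constructed sample inventory; addresses and device names are illustrative only.
CMMS_INVENTORY = [
    MedicalDevice("BME-1001", "Telemetry central station", "10.20.5.10", "high", False),
    MedicalDevice("BME-1002", "Telemetry access point controller", "10.20.5.11", "high", False),
    MedicalDevice("BME-2040", "Infusion pump server", "10.20.8.25", "high", True),
    MedicalDevice("BME-3310", "Lab analyser workstation", "10.30.1.7", "medium", True),
]

def affected_devices(targets, inventory=CMMS_INVENTORY):
    """Inventory devices whose IP falls inside any target (CIDR or single host)."""
    nets = [ipaddress.ip_network(t, strict=False) for t in targets]
    return [d for d in inventory if any(ipaddress.ip_address(d.ip) in n for n in nets)]

def gate_decision(targets, inventory=CMMS_INVENTORY):
    """Return (decision, asset_ids) for a proposed scan/change scope.

    proceed           : no networked medical devices in scope
    exclude_or_review : a clinically critical or non-scan-tolerant device is in
                        scope; remove it from the range or route the activity
                        through Medical IT Network risk review / change management
    notify            : only scan-tolerant, non-critical devices in scope; inform
                        Biomedical Engineering and schedule a window
    """
    hits = affected_devices(targets, inventory)
    if not hits:
        return "proceed", []
    blocking = [d for d in hits if d.clinical_criticality == "high" or not d.scan_tolerant]
    if blocking:
        return "exclude_or_review", [d.asset_id for d in blocking]
    return "notify", [d.asset_id for d in hits]

if __name__ == "__main__":
    for scope in (["10.20.5.0/24"], ["10.30.1.0/24"], ["10.40.0.0/16"]):
        print(scope, gate_decision(scope))
```

The gate only works as well as the inventory behind it, which is why the 2007 audit findings (undocumented IP addresses, devices missing from the CMMS) matter operationally.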
Wireless Monitoring Failure due to Network Upgrade activities
• Over 50 patients unmonitored or in local mode for 30 minutes, some over 4 hours
• Lost clinical monitoring and diagnostic data
• Near miss / potentially reportable event
• Potential STEMI and TRAUMA Bypass/Community Healthcare Implications
• Disruption of patient throughput
• Clinical Staff downtime procedures: 4 pts/RN X 30’ to 3 hrs = 6-36 hrs lost patient care time
– Patients not receiving routine care activities
Wireless Monitoring Failure due to Network Upgrade activities: What would 80001 Impact?
• Configuration management – would have understood what was live and what was not
• Medical I.T. Risk Manager would have an integral role
• Medical I.T. Network Risk Management Plan would have covered these activities / risks would have been anticipated and properly addressed
Next Steps
• Hire Medical IT Network Risk Manager
• Risk Assessment on firewall installation for medical device with published administrative passwords
• Development of responsibility agreement in consultation with key vendors