
Journey to Trust

Safety Effectiveness and Security Programs for Medical Devices and Systems
Scripps Health, San Diego, CA
Scot Copeland, BSITSEC, MCP, Sec+
Medical IT Network Risk Manager

[Figure: Framework for Achieving Trust. Axes: Interoperability Maturity; Networked Clinical Technology Management Maturity. Stakeholders: hospitals / care providers, wireless device and system vendors, wireless infrastructure vendors, government (FCC/FDA). Health Technology Management framework of policies, processes, tooling and guidance. Safe: freedom from unacceptable risk of harm / unintended consequences. Effective: clinical & business functions / essential performance. Secure: confidentiality, integrity, availability & accountability. Supporting elements: tooling to support design, acquisition, configuration and performance monitoring; standards / guidance / best practices; medical IT network risk management. Layers: information exchange and use, interoperability, infrastructure, connectivity. Adapted from Center for Medical Interoperability (C4MI) 2015.]

Recognition of Medical Device Security Needs

Early Adoption
HIPAA = privacy and security
Clinical System Specialists Role
Security Patch Management
Infosec PMs
Medical Device networking properties in CMMS
Involvement with I.T. Change Management
Ad Hoc risk reviews
Infusion pump implementation risk from WEP encryption
Secure disposal of devices capable of storing ePHI

2007 Internal Audit

2007 Internal Audit Findings

Technical
Medical Device/System security not addressed before installation
Server Back-up Restore
Security Patches/Updates
Configuration/Hardening
Access control/Privileges
Physical Security
IP Addresses not documented
MDS2 not received
Not all Medical Devices/Systems tracked in CMMS
Organizational
C.I.A. related roles not documented in job descriptions
Business Associate Agreements not centralized
Those responsible for security were siloed from other functions

Medical Device Information Security Committee
Members:
Biomedical Engineering
Audit and Compliance
Information Services
Clinical Risk Management

Medical Device Information Security Committee
Sub-committee of the Information Security Steering Committee
FY 2015 Objectives - Medical Devices and Systems
Complete a Risk Assessment of Critical Medical Device Types
Complete a Gap Analysis of Medical Device Policies and Standards
Establish a vulnerability management strategy and priorities
Ensure validated Medical Device OS updates and patches are up to date
Complete a Medical Device/System Firewall installation and configuration
Develop an ongoing education and awareness strategy for users and maintainers of medical devices


Implementation of ISO/IEC 80001
Introductory training
Readiness assessment
Interviews and questions for key stakeholders
Information services
Audit and Compliance
Clinical Risk Management
Biomedical Engineering
15 action items
Build on practices already in place

[Figure: ISO/IEC 80001-2-7 Self-assessment Process Model. Parties: Responsible Organisation, Medical Device Manufacturer, Providers of Other IT Technology. Risk management processes arranged in a PLAN / DO / CHECK / ACT cycle: Risk Management Policy Processes (Risk Management Policy); Medical IT Network Risk Management Planning Processes (Medical IT Network Planning, Medical IT Network Documentation); Medical IT Network Risk Management Processes (Responsibility Agreements, Organisational Risk Management); Change Release Management & Configuration Management; Medical IT Network Risk Management (Risk Analysis & Evaluation, Risk Control, Residual Risk); Change Release & Configuration Management (Decision on how to apply Risk Management, Go Live); Live Network Risk Management Processes (Monitoring, Event Management).]

Key Organizational Improvements
Medical I.T. Network Risk Manager Role
Developed Job Description based on Safety Officer, Risk and Project Managers
Modified several existing policies regarding:
I.T. Risk Management Program
I.T. Project Approval and Management
I.T. Change Management
Information Security Program
Information Technology Vendor Selection and Management

More Organizational Improvements
Involvement with I.T. Committees and functions:
ITRM
ISC
Policy and Standards Committee
I.T. Due Diligence (Capital Projects)
I.T. Change Management
Developed tools for operationalizing risk management processes
People - advocates for Medical IT Network risk management
Checklists
Templates
Risk Management Plans
Risk register

Wireless Monitoring Risk Analysis
Meeting to brainstorm hazards
Clinical users
Clinical Risk Managers
Biomedical Engineering
IT
Assign severity, probability scores and calculate risk level
What risks will be reduced or accepted?
Ongoing monitoring of risk controls

Lessons Learned
Telemetry Monitoring System failures due to Cybersecurity Vulnerability scanning
Over 200 patients on 5 systems unmonitored for 30 minutes, some over 3 hours
Loss of clinical monitoring and diagnostic data
Near miss, potentially reportable event
Potential STEMI and TRAUMA Bypass/Community Healthcare Implications
Disruption of patient throughput
Clinical Staff turn to back-up procedures
Patients not receiving routine care activities

Telemetry Monitoring System failure:
What would 80001 Impact?
Configuration management / know different challenges with medical device technology
Medical device vulnerabilities understood
Medical I.T. Risk Manager would have an integral role
Broader organizational coordination (only IT / vendor / info sec & audit / compliance were engaged)

Wireless Monitoring Failure due to Network Upgrade activities
Over 50 patients unmonitored or in local mode for 30 minutes, some over 4 hours
Lost clinical monitoring and diagnostic data
Near miss, potentially reportable event
Potential STEMI and TRAUMA Bypass/Community Healthcare Implications
Disruption of patient throughput
Clinical Staff downtime procedures 4 pts/RN X 30 to 3 hrs = 6-36 hrs lost patient care time.
Patients not receiving routine care activities

Wireless Monitoring Failure due to Network Upgrade activities
What would 80001 Impact?
Configuration management would have understood what was live and what was not
Medical I.T. Risk Manager would have an integral role
Medical I.T. Network Risk Management Plan would have covered these activities / risks would have been anticipated and properly addressed

Next Steps
Hire Medical IT Network Risk Manager
Risk Assessment on firewall installation for medical device with published administrative passwords
Development of responsibility agreement in consultation with key vendors

Thank you
Scot Copeland
Copeland.scot@scrippshealth.org
