Prioritizing Healthcare Cybersecurity: Enabling Patient Safety with Protected Medical Devices

Part 2

Nimi Ocholi – webinar moderator

Vice President, R&D, Product Security

Kathryn Flores – panelist

Assistant Vice President, Chief Information Officer (CIO)
University Hospitals at UT Southwestern Medical Center in Dallas

Matthew Modica, CISM – panelist

Vice President, Chief Information Security Officer (CISO)
BJC HealthCare in St. Louis (now merged with Saint Luke’s Health System in Kansas City to become BJC Health System) 


February 13, 2024

BD recently collaborated with members of the College of Healthcare Information Management Executives (CHIME) on a webinar to discuss emerging cybersecurity risks. Panelists Kathryn Flores, AVP and CIO at UT Southwestern, and Matthew Modica, CISM, CISO at BJC HealthCare, discussed cybersecurity issues related to product lifecycle management.

How do you work with internal stakeholders to remove legacy technologies from your ecosystem?

Strong life cycle management allows organizations to strategically replace legacy technologies, which can pose cybersecurity risks, especially after they are no longer receiving security updates. “For departments that are resistant to changing their old devices, we have to remove them from the network because they are high risk,” said Flores. “We also educate leadership that a continuous investment in the fleet of technology is necessary to mitigate organizational-wide risks, and coordinate with vendors to make the transition from old to new as seamless as possible,” said Modica.

Do you use standards in the procurement process or other stages of the life cycle?

Both organizations require the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) to be included in all RFPs and legal agreements, especially as much of the data includes patients’ personal health information (PHI). Additionally, Health Industry Cybersecurity Practices (HICP), which are part of the Cybersecurity Act of 2015 (CSA), and internal policies are put into place to ensure that best practices are followed over the life cycle. The health information technology landscape continues to evolve, and these resources provide valuable information for organizations of all sizes.

What should vendors be doing when it comes to updating products?

“I would recommend options for software configurations, as there are many levers to use that can go ultra secure or ultra-wide open, followed by customer education on how they work,” said Modica. “If a vendor no longer offers a particular lever because it’s too risky, then the organization can decide whether or not to use it based on its risk tolerance.” Flores added, “We rely on vendors to bring this type of information to our attention, especially during purchasing conversations, to help us make an informed decision.” During the procurement process, having a formal security score to assess risk is a key criterion for decision making, as is focusing on clinical outcomes and finding the right tool for the right task.


If you’d like to listen to the complete webinar, it is available to all CHIME members. To learn more about the BD approach to cybersecurity, check out our Cybersecurity Trust Center for more information and helpful resources.