The Need for IoMT Asset Management

By Michael Sardaryzadeh, Information Security Officer, Texas A&M University


Often, I am asked what the most basic and important item in cybersecurity is; my answer is always asset management. Whether it’s understanding where an organization’s regulated data resides, what assets an organization has, or keeping track of all the IoT in an organization, “asset management” is the foundation on which all cyber activity begins to form in an enterprise. I tell folks, “remember, no data, no assets, no cybersecurity.” When it comes to Medical IoT, a comprehensive medical device asset management system enables any healthcare organization to 1) secure medical devices from cyberattacks, 2) meet federal and state regulatory and privacy requirements, and 3) properly monitor and maintain the effectiveness of medical devices.

In health delivery organizations (HDOs), there is often a gap between information technology (IT), information security (IS), operational technology (biomedical or clinical engineering department), and the manufacturer’s intended level of support for the product. IT is concerned with medical device connectivity and uptime, IS approaches medical devices as a possible cybersecurity problem, operational technology is focused on functionality and usage of medical devices, and manufacturers of medical devices look for increased sales opportunities and customer satisfaction. There is, however, an intersection where the needs of all the aforementioned do meet. This intersection is the need for visibility. Visibility is when IT, IS, operational technology, and the manufacturer have the ability to easily detect a medical device, know its location, its status, and relationship to other devices on the network. A comprehensive asset management solution for medical devices satisfies cybersecurity issues, regulatory concerns, and functionality and operational needs, and reveals the interconnectivity of medical devices with other systems.

Visibility is key to effective operations and security. Being blind to medical devices on the network, or not understanding the interconnectivity of medical devices and other systems on the network, makes it almost impossible to protect medical devices and hard to manage them. An HDO must first and foremost identify all devices it owns, operates, and connects to its network.

The World Health Organization (WHO) defines medical device inventory as, “a detailed itemized list of assets held by an organization or institution. To be worthwhile, an inventory must be continually maintained and updated to reflect the current status of each asset.” The WHO goes further in defining the contents of a medical device inventory: “A medical equipment inventory provides a technical assessment of the technology on hand, giving details of the type and quantity of equipment and the current operating status.” Categorizing medical devices is essential in medical device inventory or asset management. HDOs must categorize their medical devices by use, department, the systems each device connects to, and the data the device houses; this is crucial in understanding the interconnectivity of devices on a network or in an organization.

The Food and Drug Administration (FDA) has established the unique device identification (UDI) system to adequately identify medical devices sold in the United States from manufacturing through distribution to patient use. The purpose of the UDI final rule was to rapidly and definitively identify a device and key attributes that affect its safe and effective use; the rule will reduce medical errors that result from misidentification of a device or confusion concerning its appropriate use. According to the Association for the Advancement of Medical Instrumentation, “As the cost and complexity of medical equipment increase, healthcare technology professionals find themselves more and more in need of tools to track inventory maintenance and location.”

Compliance with the HIPAA Security Rule is the overarching regulatory responsibility for HDOs. Regardless of size, all HDOs must comply with all published HIPAA controls. Failure to comply with HIPAA regulations can result in substantial fines being issued and criminal charges and civil action lawsuits being filed should a breach of ePHI occur.

The HIPAA Security Rule requires an asset inventory for compliance, and keeping track of all medical devices also helps HDOs avoid violations and fines. A comprehensive list of all assets, including medical devices, allows HDOs to ensure only authorized individuals have access to ePHI and that proper safeguards are in place. Identifying, properly classifying, monitoring, and protecting the device is the HDO’s responsibility. In addition to protecting the device, the HDO must protect any other system on the same network as the devices containing ePHI. To do this, the asset management system used by a covered entity or business associate must state which devices house ePHI, even if ePHI is only temporarily housed on the device. HIPAA does require an inventory of all hardware to be maintained, together with a record of the movements of each item. The WHO also views medical device inventory as the foundation needed to organize an effective healthcare technology management (HTM) department and reiterates the need for a real-time inventory in general.

The HDO also needs a comprehensive inventory to match its operational requirements: procurement, budgeting, actual use, and the need to protect devices. The HDO must know the types of devices in use, the operating system on each device, real-time device location, and who is using the device at any given time. With that data in the asset management system, the devices can be reviewed and scanned for vulnerabilities and patched in a timely manner, since a comprehensive asset management system would indicate when patches are due, and the HDO can obtain any updates from the vendors. Additionally, a comprehensive asset management system documents the activity of decommissioned devices. A comprehensive inventory includes local and wireless connections, connections to any remote servers, interconnectivity to the EHR and any other electronic records, and who accesses the data. The ‘connectivity ecosystem’ encompasses the device and all the elements used to transmit monitored data.

A comprehensive medical device management system documents the entity’s devices, their operational status, the interconnectivity, the device’s location, and can be used to ensure that devices—and the data on them—are secured. In reality, any vendor who wants to solve this problem must have a winning combination of extensive healthcare experience, information technology experience, and cybersecurity experience, as that is key to building and offering the healthcare industry a successful solution. The good news is that startups like Culinda understand the need for this mixture in their product team, fully recognize the problem set, and have begun tackling this problem.
