Managing the Unknown

Industry experts share insights on countering unknown risks
to medical devices, patients & their data.
eProtex asked industry experts with rich clinical, health technology and legal backgrounds to share their
expertise on what minefields could impair patient safety and data, putting healthcare providers at greater risk for
breaches, federal violations and financial loss. Here's what two of those experts had to say.
In the following interview, Dr. Alan Snell, former CMIO, and Jeffrey Short, a healthcare attorney, focus on medical
device risks that are easily missed, and easily catastrophic. More importantly, they offer guidance on what
healthcare leaders can do to ensure their patients, data, medical devices and clinical networks are safe and
compliant with federal mandates.
Meet The Experts:
Dr. Alan D. Snell, MD, MMM
Healthcare IT Consultant
Former CMIO, Midwest Hospital
Indianapolis, IN
Jeffrey W. Short
Attorney, Practice Group Leader,
Technology & Private Practice Group
Hall, Render, Killian, Health & Lyman, PC
Indianapolis, IN
As hospitals work to secure patient
data, what challenges are commonly
missed or mishandled?
Dr. Alan D. Snell
The challenges we hear about most are stolen laptops,
which are a lot of hassle and expense. One we don't hear
about is biomedical devices at the bedside. We often
don't realize those devices have software in them, which
can be infected by malware. This presents a grave risk to
patients.
As medical equipment becomes more digitized, it raises
the probability that data can be shared outside the
boundaries we put in place. There's also malware, which
is being introduced into the applications we have.
Jeffrey W. Short
The real challenge is ensuring there's good data to
provide good care. Patients are using more and more
devices to send info back to caregivers and healthcare
facilities. Caregivers are using those devices too. The
more we do this, the more risk we face. It's imperative
for healthcare providers to protect their ePHI. That's one
of the requirements to receive additional funding under
Medicare or Medicaid.
How big of a problem is this in today's
regulatory environment?
Jeffrey W. Short
In the past five years we've seen the government grow
increasingly aggressive. We will continue to see this
simply because the approach taken with HIPAA was to set
a baseline and get providers thinking about it. Now we're
at a point where they're saying, "You've had 10+ years to
comply with this law; we're going to start really enforcing."
In the past three to four years, we've seen seven-figure
fines for those who aren't complying.
The problem is the unknown. Healthcare providers are
doing a good job protecting what they know. What they
don't know is where the risk lies. Some of the primary
blind spots are medical devices. What they do, how they
work, what data they contain. Currently, there's not a lot of
risk visibility into these devices.
Dr. Alan D. Snell
HIPAA regulations have been around for some time, and
those writing those policies are realizing there's an issue
with medical devices. When HIPAA first came out, devices
weren't an issue. Now that they are, regulators have
continued to update policies to make them more rigorous.
Healthcare organizations have had to change to adapt.
But the risks go beyond compliance. As smart medical
devices became more abundant and we add things
like smart pumps, it's become obvious that viruses and
malware can get in these devices and cause potential
harm to the patient if they malfunction.
How prevalent are these risks?
Dr. Alan D. Snell
More than we want to admit. The challenge is we don't
know how high the danger is. When we consider the
presence of malware into a system, we don't know where
or how it happens, and it's time consuming. By the time
you find it, it could have caused great harm to a patient.
It's a lot more significant than just messing up reports,
like on a home computer. This is about patient safety and
could affect whether a patient lives or dies.
One visible example is the so-called smart pumps. They're
great when they work. You have a drug library embedded
in a pump that can be very precise in a pediatric patient,
for example. Even in an adult patient, the smart pump
relieves the nursing staff by employing the right dosing,
alerts, and so on. But if they get infected, things go
haywire. It could be quite dangerous for a patient.
Jeffrey W. Short
A data breach can be devastating. There's the blow to the
hospital's reputation, of course. But take it further: We're
starting to see the kind of data breaches that put patient
safety at risk. It's becoming a sport for some people,
seeing what they can harm: interrupting the feed, stopping
the data, processing it through a system that changes that
data in some manner. They're not thinking about the risk
when they do it. This puts patients at risk.
Think of clinical decision support systems, for example.
Someone pulls up a report that says this patient is on this
drug, this amount, this condition. What if that drug isn't
there? Physicians are relying more and more on these
systems, and if things aren't there, vital care delivery steps
are going to get missed.
What are some ways healthcare
providers can alleviate the problem?
Dr. Alan D. Snell
You don't want to wait until there is a problem. Have a
maintenance and prevention program where you look for
these things on an ongoing basis: techniques, software,
malware detection, whether accidental or malicious.
Establish strict policies for people who use medical
devices. Many times people are unaware that medical
devices can be infected and have their output distorted by
malware or improper handling. Educate the staff on the
risks, and how to proceed if they detect that something
might be wrong so you can avoid patient harm.
What are the challenges to managing
this issue?
Dr. Alan D. Snell
Risks are getting more difficult to manage because of
the amount of devices. More and more of what we do
on a manual basis is now digitized, which allows the
introduction of malware. We're integrating devices so they
can share data. You want to capture that data, but you can
infect multiple devices.
The more medical devices are used, the more patients we
have attached to these devices, adding to the complexity.
You could be looking at thousands of devices in a given
hospital. That requires a good security maintenance
program. When there is an issue, you need to perform a
thorough audit. Was it accidental? Was it malicious?
Jeffrey W. Short
More and more devices are being connected every day,
attached to the Internet and to each other, especially
in healthcare. You can buy apps to send your EKG to a
physician. We're trying to collect as much data as we can
to provide better care, but it's hard to control what's being
added and what happens to it when it's added.
In the industry, we have an influx of device producers
who are new to the market. They're not traditional device
makers, and don't understand the risk. When you're new,
you don't understand that people will try to attack these
things. Or that being off by .03 on a reading could really
affect a patient's treatment.
On top of that, add the regulatory scrutiny through the
FDA. A device will go in for approval, and by the time it
comes out, it's already old technology. It's hard to protect
it because of that. Yet these devices are being adopted
very rapidly, which means more risk.
What do healthcare leaders need to
know to manage medical device risks?
Jeffrey W. Short
A risk manager or health technology professional looking
at the security of medical devices might think of doing
penetration testing of networks. This is typical security
analysis. But they forget to go down to the level of the
unknowns: medical devices and sub networks in facilities,
multi-function device copiers and fax machines.
We've secured EHRs, so as hackers look at systems and
what they can do, they look at the next vulnerability, and
that's medical devices.
Dr. Alan D. Snell
Risk managers, clinicians and nursing staff all need to
be more aware of potential risks. Risk managers find
out about events as they happen, but they need to be
promoting education and early alerts. If a device doesn't
seem to be working correctly, there could be an issue.
How are you going to alert stakeholders?
We can expect the continued proliferation of devices and
applications. We don't have the level of integration that
we would like, especially clinicians. We don't want to go
to different devices; we want to view data in one place.
But the more integration we have, the more risk we face.
As technology advances, so will the complexities and our
need to manage it.
Managing these risks should be high priority. Creating
and maintaining policies and protocols throughout the
organization is important. It's a huge responsibility.
How can hospitals drive value from a
third party to audit and manage their
medical device networks?
Dr. Alan D. Snell
The bigger the organization, the bigger the risks can be.
A healthcare professional with multiple responsibilities
may not be able to give medical device risks the attention
they deserve. It's unreasonable for one or two people to
manage all of these devices. Hiring a trusted, capable
partner is important because then you have someone
whose main responsibility is managing these risks.
Assigning this responsibility to a third party isn't
necessarily related to the size of the organization. How
complex are these risks in your organization? Is it a high
enough priority for you? Are you aware of the potential
issues? One small slip could be hugely devastating for an
organization.
Jeffrey W. Short
When it comes to medical devices, you need someone
who understands the unknowns. It's difficult for the
healthcare provider to stay apprised of all systems out
there. More and more people are becoming specialists
on how to protect ePHI, and that's where a partner
specialized in medical device security and compliance
comes in.
You can't just attach any old device to a network. You
need someone in charge who knows the ins and outs of
medical devices and what needs to be done to protect
these devices, which are so unique.
Healthcare providers need to get past the knowns and
focus on the unknowns. That's where partnering comes
in; getting someone who can help them uncover and
mitigate the unknowns.
Next Steps
If you found value in this resource, we'd love to
talk to you. Whether or not we end up working together, we'd gladly share
lessons we've learned from more than 18,000 risk assessments.
We invite you to pick our brain and learn from our process: no commitment, no
pressure. Schedule a 15-minute call and we'll guide you toward greater security and
compliance. Reach us at eProtex.com.
eProtex helps healthcare providers keep medical devices safe for their patients and
their data, and compliant with federal mandates. The first data security company
specialized in reversing the hidden risks to connected medical devices, eProtex
solutions have been adopted by more than 100 healthcare providers nationwide.
eProtex.com 855-377-6839 (Toll-free)