We’ve discussed clinical cyber hygiene before, but I think it’s a topic worth revisiting. Maintaining good cyber hygiene is not a “one and done” activity. Like frequent hand washing is for all healthcare professionals, it requires constant care and attention. If neglected, you may find yourself facing unexpected, costly consequences.
Defining clinical cyber hygiene
To be clear, clinical cyber hygiene refers to an organization’s ongoing ability to discover, assess, and manage cybersecurity risks. To put it another way, the World Health Organization says, “Hygiene refers to conditions and practices that help to maintain health and prevent the spread of diseases.” Similarly, clinical cyber hygiene refers to the methods and mechanisms that help maintain the privacy and integrity of clinical networks and prevent the spread of attacks.
Why is clinical cyber hygiene important?
It matters because it is directly tied to organizational maturity and abilities to understand and manage risks. Importantly, good cyber hygiene enables clinical efficiency and increases the value of clinical operations. Good practices reflect a systematic approach to understanding and managing clinical networks. They maximize the resiliency and availability of connected medicine. So, how do you establish and maintain good clinical cyber hygiene? Here are some best practices we’ve seen health systems leverage to their advantage:
Clinical Cyber Hygiene Best Practices
1. Fingerprint All Medical Devices in the Network
Make sure you can discover and identify 100% of devices hosted on your clinical networks. Obviously, a fingerprint means full device attribution and knowledge of their operating requirements. Even beyond manufacturer, model, OS, hardware, app versions, and location, network status, security posture and utilization intelligence is essential. You need it all, and should be looking for ways to continuously enrich your understanding, as things change. Not just the data that defines the device, but maintenance intervals, utilization patterns, and yes, the experience of staff who interact with the device throughout its lifecycle –from acquisition through disposal.
2. Assign Each Device a Multi-factor Risk Score — and continuously update
Risk scoring is a dynamic process. And it can’t be adjudicated in a vacuum. Organizations with good clinical cyber hygiene are continuously reassessing device security (at both individual and group levels) as security provisioning and asset restaging and maintenance are related processes. The overall assessment context must extend beyond the likelihood of compromise and include both patient safety and business factors.
3. Prioritize Remediation Activities –develop a cross-functional “risk frame of reference”
At a minimum, workflows associated with managing risks across high value assets should be coordinated cross-functionally. Especially when considering the highly mobile nature of connected medical devices and the need for health systems to accelerate their restaging, security-awareness must be reflected in cross-department workflows.
4. Manage Risk Across the Enterprise —programmatically
Don’t let a weak link negate all your hard work. A programmatic approach to risk management is critical, otherwise, performance deficits are difficult to identify and improvements are impossible to measure. In golf, they say you’ll never play faster than the slowest person in your foursome. Again, given the highly mobile nature of assets, and the continuing fragmentation of care delivery, risk management practice must encompass outpatient facilities, clinical partners, etc.
5. Inform Medical and IoT Device Procurement
Monitoring device performance allows for the introduction of security metrics to supply chain/procurement managers. As many health systems employ “spend category managers” whose responsibilities include negotiating contracts with key suppliers, these metrics should obviously be known to them.
How to start to implement?
The Medigate Device Security Platform (MDSP) can help you implement good clinical cyber hygiene, as it supports workflows across the ecosystem with the data, the risk framework, and the insights required to develop a focused, integrated asset management and security program. The MDSP consists of several specialized modules, including one dedicated to Clinical Cyber Hygiene (CCH). It can help you jumpstart your efforts. The CCH starts by providing a detailed organizational “risk baseline.” The reporting is organized to ensure relevance cross-functionally. The information is provided in both aggregated and filterable views (e.g., by location). Here is a sample view:
The insights delivered by Medigate not only help establish, but nurture clinical cyber hygiene best practices naturally, as the risk assessment framework provided is fully customizable. For getting baselines correct and for modifying frameworks as conditions change, not only is such flexibility essential, but when combined with the ability to simulate the effects of potential remediation activities, it’s a game changer.
To learn more, check out our Clinical Cyber Hygiene At-a-Glance.