Attacks via the internet are a threat that is becoming an increasingly important issue for hospitals. Defense scenarios are being discussed, employees are being sensitized for the issue and IT training providers are recording growing demand.
It is often overlooked, however, that an online attack from outside is only one of multiple challenges faced by hospitals when operating networked IT systems and devices. The incorrect integration of a new medical device, an unexpected event such as a burst water pipe or improper coordination between the IT department and the manager for medical technology of a hospital can also be reasons for disruptions in the hospital IT.
Digital trend remains unbroken
Information technologies simplify the communication between physicians, nurses and patients. X-ray images, treatments, medication – nowadays the physician can simply check the course of the treatment on the tablet directly at the bedside and discuss it with the patient. Important information such as laboratory results or x-ray images are available on screen during a surgical intervention. Hospitals also seek to enhance their workflows with the help of IT: According to a survey by the HIMSS (Healthcare Information and Management Systems Society) in cooperation with DELL, approximately 84 percent of hospitals expect improved exchange of information and cooperation between the different departments, followed by a more efficient management (approximately 79 percent). Hospital managers will expand their network infrastructure accordingly in the coming years, increase their server capacities and strengthen their investments in more security and mobile end devices.
Safety – Security – Effectiveness
As hospital networks become more extensive and complicated, hospitals must also think about possible risks in the operation of their IT infrastructure, even if there are no apparent risks, yet. The key to an effective defense against potential risks is a strategic IT risk management as part of an overall risk management strategy. To increase the security of medical IT networks (MITs), the International Electrotechnical Commission (IEC) in 2010 introduced the standard IEC 80001-1. For the purposes of application of risk management for IT networks, the standard regulates responsibility and provides recommendations for the operators of MITs.
Risk management is not done on an ad-hoc basis but is part of the entire life cycle of the IT environment of a hospital. The standard EN 80001-1 (e.g. for Germany) provides a catalog of measures that outlines three protection targets : In case of network malfunctions or hardware or software defects, a medical product can endanger the safety of patients, users and others. A hospital operator can counteract this risk by introducing a safety risk management strategy. To achieve this, the probability of a potentially dangerous situation – due to external influences such as weather phenomena, maintenance activities or device malfunctions – must be analyzed and countermeasures must be taken. Another scenario is the data and system security of the networked hospital IT. In this context, it is important to clarify how securely information can be processed, transferred and stored within the network and where potential sources of disruptions are. This includes potential entry points into the hospital network and possibilities for manipulation by hackers. The third column of the risk prevention strategy is efficiency: The risk manager analyzes the hospital processes, to what extent the IT is protected and how both are interconnected. On this basis, workflows can be optimized and at the same time, critical processes and dependencies can be identified.
Not every hospital has the means or capabilities to have its own risk management for its IT infrastructure. Dräger IT specialists in key countries can support them in this area. For the manufacturer-independent risk analysis, Dräger IT specialists take into account information provided by manufacturers, medical technicians, IT personnel and users. Dräger also provides training for hospital IT managers in the coordination of Medical IT Network Risk Management in their hospital.
Cross-departmental cooperation as the factor for success
To what extent a hospital can effectively implement IT risk management does not only depend on specialists. The hospital staff must also change their thinking and optimize their networking behaviors. If different departments such as Clinical Engineering, IT or Purchasing are involved, their respective role in the implementation of risk management must be determined. This can be challenging at times. Experience shows that IT departments, for example, are used to working with checklists rather than identifying risks in discourse and create emergency plans accordingly. How available should the IT network be? What risks are tolerable? The risk manager or hospital manager cannot always answer such questions quickly that are essential for the work of the IT managers.
This makes it difficult for the persons responsible to define guidelines. The role of a risk manager can therefore be much more complex than one may initially assume: “Soft skills” such as empathy, good judgment of people and diplomatic talent play a more important role when it comes to negotiating between different departments or people and when trying to build bridges. Staff from departments such as IT and medical technology who worked separately from each other in the past must suddenly – for the purpose of the task at hand – cooperate more strongly. The risk manager assumes the role of the negotiator in this case.
The more closely independent medical devices are interconnected, the higher are the possibilities for attacks and their consequences. Therefore, not only the integration of new medical devices into the existing network plays an important role but also the security features that the devices have themselves. Manufacturers of medical devices should therefore take into account potential security gaps accordingly when developing new products and close them early as possible. This ranges from the first idea for the architecture of a system to the service of third-party components when the development phase has long been completed. Manufacturers must establish a development life cycle for secure products.
To establish this focus on security during the planning phase of a device, all employees of the manufacturer involved in the development must be trained accordingly. Besides a greater awareness for security, the targeted search for safety gaps using tests in certain development phases also plays a significant role. Product security engineers are specialists that can take care of this process in companies.
Conclusion: When seeking to operate a secure IT network in a hospital, it is not only the protection of inpidual medical devices that is important. It is rather an integrated process that requires solid analysis of risks and risk calculation. Risk management of medical IT networks is not a selective process but must be carried out constantly during the operation of the hospital. It can only work effectively if all involved departments work together. It also becomes increasingly clear that manufacturers can support hospital operators actively by taking into account product security as early as during the development phase of new products and thinking about how these products will be used eventually.
- Participants of the survey were IT managers in German acute care hospital with at least 300 beds
- HIMMSS Europe/DELL: Nutzeneinschätzung von Informationstechnologie in deutschen Krankenhäusern, 2014, S.7;19
- VDE (Hrsg.): Risikomanagement für medizinische Netzwerke in der Intensiv- und Notfallmedizin – Gemeinsames Positionspapier zur Norm IEC 80001-1, 2012, S.10
- Gärtner, A.: DIN EN 80001-1: Chancen und Potenziale für vernetzte Medizintechnik in EHealthCom, 11/2012, S.15
- www.thieme.de: Sichere Krankenhaus-IT: Welche Vorgabe darf es sein?(https://www.thieme.de/de/gesundheitswirtschaft/sichere-krankenhaus-IT-17121.htm )
Hannes Molsen Product Security Manager Drägerwerk AG & Co. KGaA
Hannes Molsen is the global Product Security Manager of Dräger, a 125 year old family company known, e.g., for medical devices and safety systems. He is responsible for creating and maintaining an environment which enables Dräger to ship devices and applications that are secure to sustain in an interconnected world, throughout the entire system’s lifecycle, to protect life, data and system functionality.
At Draeger as well as during his activities as self-employed Security Professional he also tests devices and applications, and gives security trainings for developers, product managers and software architects.Before taking this position, he was working as a passionate secure coder, with over 10 years of experience in web application development, software for embedded systems and interconnected devices.He is also actively involved with the grass roots organization i am the cavalry, supporting the efforts to connect manufacturers and the security research community to become safer, sooner, together.Hannes holds a Master of Science degree in Computer Science from the Hamburg University of Technology.
About Drägerwerk AG & Co. KGaA
Dräger is a leading international company in the fields of medical and safety technology. Founded in Lübeck in 1889, Dräger has grown into a worldwide, listed enterprise in its fifth generation as a family-run business. Our long-term success is predicated on a value-oriented corporate culture with four central strengths: close collaboration with our customers, the expertise of our employees, continuous innovation and outstanding quality.
“Technology for Life” is our guiding principle. Wherever they are deployed – in clinical settings, industry, mining or emergency services – Dräger products protect, support and save lives.Continuing the history and leadership of embracing and extending open source technology, IBM contributes to the Cloud Foundry Foundation, the industry’s open platform as a service, which provides a choice of cloud models, frameworks and application services.Web: https://www.draeger.com/en_za/Home