IoMT device integration with the electronic health record is growing
IoMT devices are natively integrated into the networks of healthcare facilities. However, more integration is taking place between these devices and the electronic health record. Discrete data collected from IoMT devices can pass through an organization’s normal data flow, such as an integration engine. Organizations can also use an application programming interface such as Fast Healthcare Interoperability Resources (FHIR), integrated via a central IoMT hub or via a software-as-a-service provider.
Acting on patient data is more important than collecting it. IT and clinical leaders should have a plan for responding to device alerts. For example, a patient may receive an IoMT device while waiting to be admitted to the emergency department. If the ED doctors receive an alert about a change, there should be procedures in place to respond to that alert. Failure to respond to the alert could result in a negative patient outcome and create patient safety and legal challenges.
How to protect Internet of Medical Things devices
When integrating IoMT devices into an organization’s EHR or network, it’s important for IT leaders to put privacy and security first. Leaving devices unattended makes any device vulnerable to cyber-attacks.
The first component of an organization’s approach to security is visibility. The IT team needs to know what is happening within its network. It can be difficult to determine what the device is, as many IoMT devices are unmanaged or outside the normal IT lifecycle. Unmanaged devices can run an older operating system, increasing the risk to the network. If IT staff doesn’t know what a device is, they don’t know how to protect it and make sure each device communicates with the right systems.
Using a platform like Purchase or mediate enables IT teams to see more information about individual IoMT devices, including devices running older operating systems or devices with Food and Drug Administration recalls. These platforms give healthcare organizations greater visibility into their device networks and can even feed information into an organization’s configuration management database (CMDB).
The second part of device security is segmentation, including micro and macro strategies to ensure devices are communicating with the right systems. Segmentation allows devices to talk only to other devices or systems within their segmented network. If an event is detected within the network, an IT team can investigate whether it is related to a cyber-attack. Another advantage of segmentation is that it separates these more vulnerable devices from other devices and systems that are critical to patient care. So if there is an attack, it will not interrupt care.
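As an added illustration (not part of the original article), the sketch below checks observed network flows against a per-segment allowlist, flagging traffic that leaves a device's segment and traffic from devices missing from the inventory. The segment names, addresses, ports and flow records are all constructed, and it assumes the flows were exported from the IoMT VLANs only.

```python
import ipaddress

# Constructed policy (assumption): each segment's member network and the only
# (destination network, port) pairs its devices may reach. Port None = any port.
POLICY = {
    "infusion-pumps": {
        "members": "10.20.1.0/24",
        "allowed": [("10.20.1.0/24", None), ("10.50.0.10/32", 8443)],
    },
    "patient-monitors": {
        "members": "10.20.2.0/24",
        "allowed": [("10.20.2.0/24", None), ("10.50.0.20/32", 2575)],
    },
}

# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.20.1.15", "10.50.0.10", 8443),   # pump -> its management server
    ("10.20.1.15", "10.20.1.22", 443),    # pump -> pump, same segment
    ("10.20.1.15", "10.20.2.7", 445),     # pump -> monitor segment
    ("10.20.2.7", "10.50.0.20", 2575),    # monitor -> integration engine
    ("10.20.2.7", "203.0.113.9", 443),    # monitor -> external address
    ("10.20.9.40", "10.50.0.10", 8443),   # source not in any known segment
]

def segment_of(ip):
    """Return the segment name that contains ip, or None if uninventoried."""
    addr = ipaddress.ip_address(ip)
    for name, seg in POLICY.items():
        if addr in ipaddress.ip_network(seg["members"]):
            return name
    return None

def flow_allowed(segment, dst_ip, dst_port):
    """True if the destination matches one of the segment's allowlist entries."""
    dst = ipaddress.ip_address(dst_ip)
    for net, port in POLICY[segment]["allowed"]:
        if dst in ipaddress.ip_network(net) and port in (None, dst_port):
            return True
    return False

def find_violations(flows):
    """Return (src, dst, port, reason) for every flow that needs investigation."""
    findings = []
    for src, dst, port in flows:
        seg = segment_of(src)
        if seg is None:
            # Visibility gap: the device is talking but is not in the inventory.
            findings.append((src, dst, port, "unknown-device"))
        elif not flow_allowed(seg, dst, port):
            findings.append((src, dst, port, "outside-segment:" + seg))
    return findings

if __name__ == "__main__":
    for finding in find_violations(FLOWS):
        print(finding)
```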
Technology is not the only thing needed to secure IoMT devices. It really comes down to the combination of people, processes and technology. Healthcare IT teams need to create organizational governance to ensure everyone is using the right technologies in the right way. When selecting new IoMT devices for deployment, the IT team must verify that the devices have no security flaws.
Take an Agile approach to IoMT device management and security
Once a monitoring platform is in place, the IT team must compile a catalog of all of the healthcare organization’s IoMT devices. Next, the team should use agile sprints to iteratively categorize, analyze, and protect devices.
Biomedical and healthcare technology management teams should start looking into medical devices beyond their control, either unmanaged or managed by another department. Each device must then be analyzed to determine who should have operational responsibility for those devices. Next, owners must review FDA recalls and security alerts related to biomedical devices and begin remedial action if necessary.
It is important that healthcare organizations start these efforts now, as more innovative IoMT devices are likely to be deployed over the next five to ten years. Healthcare IT teams need to be prepared to securely manage those devices and their data.
Device monitoring programs must be integrated with other security products, including a firewall or network authentication control system such as Cisco Identity Services Engine or Aruba ClearPass. The system could also be integrated via the CMDB, ServiceNow for example.
Technology partners such as CDW have strong relationships with security vendors and deliver IoMT workshops from a programmatic perspective. The workshops help healthcare organizations with their IoMT technology stacks and integrations, as well as the security strategies around those devices.