Three Tips for Securing Your Healthcare Network and Medical Devices
How to protect patient data and care-delivery equipment.
As hospitals and healthcare organizations are increasingly the target of cyberattacks with the power to cripple operations and harm patients, healthcare leaders are moving to strengthen their protection of medical devices and IT networks. Yet they face dual challenges: budget constraints and a limited ability to fix vulnerabilities once they’re identified by a network monitoring solution.
Here are three ways to bridge the gap between Healthcare Technology Management (HTM) and Information Technology (IT) security — without breaking the bank.
1. Improve your inventory
This may seem obvious, but it’s hard to protect medical devices when you don’t know where they are. Clinical staff often store devices in closets or other convenient locations to make sure they’re available when patients need them, but if those machines aren’t immediately trackable or visible on your network, it’s difficult to protect them.
“If they’re powered off or the battery is dead, they can get dropped from the network inventory of devices,” says Ken Ottenberg, Senior Vice President of Technology Services for HSS, a Denver-based managed security services firm specializing in healthcare. “It shows up in the HTM or Biomed inventory, but it doesn’t appear in the network inventory. If we don’t know where the equipment is or whether it needs a patch, how can we ensure that it’s safe and secure?”
Since clinical providers may be unaware of the risks of keeping equipment in unsanctioned locations, it’s important to educate them about following their facility’s storage procedures for every medical device.
2. Identify gaps between your network monitoring and healthcare technology management tools
It’s important to consistently compare two key data streams: the one from your network monitoring solution and the one from your healthcare technology management tool. Too often, these operate independently of each other, which creates vulnerabilities that IT and HTM teams are unaware of. For instance, says Ottenberg, some devices are placed on their own network during installation. “When they’re not identified or seen on the main network, there’s no visibility—which unto itself is a threat,” he says. “Using simple software and a team of experts, you can locate every device and make sure it’s securely connected to a visible network so it can be monitored and maintained.”
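The comparison described in tips 1 and 2 can be sketched as a reconciliation of the two exports by MAC address. This is an added example, not HSS tooling or code from the article; the CSV column names, the sample rows and the 14-day stale threshold are constructed assumptions.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed sample exports; column names are assumptions, not a vendor format.
HTM_CSV = """asset_tag,mac,model,location
BM-1001,00-1A-2B-3C-4D-5E,Infusion pump,4 West
BM-1002,00:1a:2b:3c:4d:5f,Patient monitor,ICU
BM-1003,001A.2B3C.4D60,Ventilator,Storage closet 2
"""
NET_CSV = """mac,ip,vlan,last_seen
00:1A:2B:3C:4D:5E,10.20.4.17,120,2024-05-30T08:15:00
001a2b3c4d5f,10.20.4.22,120,2024-04-02T11:00:00
00:1A:2B:3C:4D:99,10.20.4.80,120,2024-05-30T07:55:00
"""


def norm_mac(raw):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    mac = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(mac) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac


def load(text):
    """Index CSV rows by normalized MAC."""
    return {norm_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(text))}


def reconcile(htm_text, net_text, now, stale_after=timedelta(days=14)):
    htm, net = load(htm_text), load(net_text)
    return {
        # In the HTM inventory, never seen on the network (off, stored, isolated).
        "htm_only": sorted(htm[m]["asset_tag"] for m in htm.keys() - net.keys()),
        # On the network with no HTM record: unmanaged or unregistered.
        "network_only": sorted(net[m]["ip"] for m in net.keys() - htm.keys()),
        # Known to both, but silent for longer than the threshold.
        "stale": sorted(
            htm[m]["asset_tag"] for m in htm.keys() & net.keys()
            if now - datetime.fromisoformat(net[m]["last_seen"]) > stale_after
        ),
    }


if __name__ == "__main__":
    for bucket, items in reconcile(HTM_CSV, NET_CSV, datetime(2024, 5, 30, 12)).items():
        print(f"{bucket}: {items}")
```

Each bucket maps to a different follow-up: physically locate the HTM-only assets, register or investigate the network-only addresses, and check whether stale devices are powered off or have been moved to a separate network.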
3. Fix vulnerabilities as soon as possible
Knowing a device is vulnerable is your first line of defense, but too often, healthcare organizations lack the expertise and the staff to actually fix it. Once you’ve identified a machine that’s vulnerable to attack, you have to act — and confirm that it still operates clinically once it has been remediated.
“Sometimes IT staff assume that if they just push patches, the problem will take care of itself,” says Ottenberg. “But once you patch a device, you have to go through a testing protocol to make sure that it clinically accepts the patch and still works as designed.” This includes verifying the patch to make sure the device has the right systems in place prior to remediation.
It’s also useful to create a backup plan in case the patched equipment doesn’t operate properly. “If you push a patch and it causes problems, make sure you know how you can revert back,” Ottenberg says. “Also make sure to have backup plans or clinical intervention in place, just in case.” He also recommends educating clinicians about the process and putting a protocol in place so that they know what to do if a machine doesn’t work after a patch.
How HSS Can Help
To help hospitals and healthcare organizations take these steps cost-effectively, HSS Technology Services has created a medical device security service called Spotlight™. The program provides the tools, processes and experts required to close the gap between IT security and HTM — protecting devices, networks and patients.
HSS can scale the Spotlight™ solution to your budget by offering a menu of services that can be tailored to meet any organization’s needs. The HSS medical device consulting team works in an on-site capacity or via a remote environment and can provide the entire suite of services or work with client staff on an as-needed basis.
Interested in learning more about how the HSS Spotlight™ service can protect your devices? Let’s talk.