Protect Medical Devices from Cyber Threats: Sidney Regional Medical Center Implements Groundbreaking Spotlight Program

Healthcare facilities nationwide have proven to be susceptible to an increased number of debilitating cyberattacks. A compromised medical device can have severe consequences including threatening patient safety, patient information and even network health. 53% of connected medical devices in hospitals have a known critical vulnerability. An Alabama lawsuit alleges that a hospital ransomware attack led to a newborn baby’s death, as disabled IT systems meant that critical data such as the baby’s elevated heart rate was unavailable to the attending obstetrician.

As a smaller, rural, critical access healthcare facility, Sidney Regional Medical Center (SRMC) in Sidney, Nebraska is no stranger to providing top-level care and services that may not traditionally be found in a rural community. “We pride ourselves on being innovative,” says SRMC Director of Information Technology, Styles Moody. Moody and SRMC Chief Information Officer, Emily Johnson, showcase the hospital’s innovation through their implementation of a ground-breaking program from HSS called Spotlight to help protect their medical devices from cybersecurity threats. They recognized the nation’s increasing cyber-attacks on medical devices and acknowledged that SRMC would benefit from increased protection.  

It can be challenging for any organization or facility to establish and implement a brand-new cyber program. Because healthcare facilities, including SRMC, are also tasked with protecting an entire system of medical devices on top of standard IT-related devices and networks, they are often faced with even more unique challenges. “The larger the facility, the more connected devices there are to protect. Trying to centralize that is important and it’s very difficult to do,” Johnson states. “It is difficult to ensure we’re keeping everything supported,” Moody agrees.  

The challenges surrounding the cyber defense of medical devices are almost completely universal and impact a vast majority of healthcare facilities. Without Spotlight, hospitals of all sizes are leaving thousands of network-connected medical devices unmanaged. A compromised medical device can have severe consequences including threatening patient safety, patient information and even network health. 

Johnson and Moody at SRMC were looking for an innovative and comprehensive managed service for the cybersecurity of their medical devices and found exactly that in Spotlight from HSS. Spotlight aims to reduce the risk of threats to medical equipment by partnering with the facility to optimize each device at the asset level. Johnson and Moody were “surprised that something like this that fit our needs so well was even available.”  

Healthcare facilities often struggle to sustain an up-to-date and accurate inventory of all medical devices. “We know how hard it is to find medical devices sometimes. Who knows how many of these different medical devices weren’t being accounted for?” Moody explains of the inventory prior to Spotlight implementation. Not only does Spotlight maintain standard device identification data, but it also maintains data for software and network status, helping to provide comprehensive coverage for the facility. Providing SRMC with an accurate and refined inventory was just the start of the comprehensive Spotlight program, and it was already proving valuable.

Spotlight also helped SRMC to overcome the all-too-common siloes that exist between the technology and clinical engineering teams in healthcare spaces. Clinical engineering focuses on the mechanical break/fix and scheduled maintenance of medical equipment, but is unfamiliar with the software, cyber side of these devices. Inversely, while technology specialists understand the software of traditional networked hardware, medical equipment is very non-traditional with thousands of varying models – each with varying complexities and capabilities based on their hardware makeup. Spotlight helps to bridge the gap between IT and Clinical Engineering departments. Johnson feels as though Spotlight at SRMC has proven to be “extremely collaborative and it’s actually helped us build structure within our own organization.”  

The evolution of network-connected devices has dramatically expanded in every sector and, in order to function properly, a system or process to manage them is critical. Without policies and processes in place, thousands of devices sit vulnerable on the network merely waiting to be compromised by a threat actor. Moody explains, “In IT, we’re always looking at our firewalls and our Windows workstations and everything that we manage and looking at all their vulnerabilities. But threat actors are always looking at everything…it doesn’t matter what it is.” Moody shares that Spotlight has allowed their operations to be “more process-driven than we were before, because before there wasn’t a process…a lot of what we had been doing was playing catch-up.”

Spotlight helped SRMC overcome its medical device cyber challenges through its five-step foundation: identify, prioritize, implement, manage, and optimize.  

• Identify: To start, an accurate, up-to-date inventory is required. This is done through an initial data validation process including asset information and vulnerability detection.  
• Prioritize: After the missing gaps of information have been filled, the inventory is prioritized by criticality of vulnerability and patient impact from a functional perspective.  
• Implement: The implementation phase brings together the working process of the facility and the communication procedures of the program, creating a true partnership.  
• Manage: The systematic functions of the program lead to methodical progress in reducing the risk of incidents and increasing overall security.  
• Optimize: Finally, much like the challenge of overcoming never-ending cyber threats, Spotlight’s work is never done. They are consistently monitoring around-the-clock in a never-ending review cycle, optimizing the process to progress toward air-tight security. Perfect isn’t possible, but progress never ends. 

Unsure of how much Spotlight would alleviate workload and additional stress, Moody and Johnson were surprised by the way that Spotlight could relieve the worry and additional bandwidth required in order to take care of these devices. Johnson shares that “being able to depend on someone to guide us through that process is extremely valuable. It’s not something that we could add to our plates and feel confident that we were doing as good of a job with it in any form or fashion….we needed to look at a solution.” Moody shares how Spotlight’s methodology has helped to free up SRMC staff’s time and resources while also ensuring critical equipment is secure: “It’s a program that HSS has already built. It’s something that we don’t need to build internally. We know that HSS is specialized in this area. We’d take a lot of time and lot of resources to build a whole team of our own to do something like this.” 

When asked about the partnership between SRMC and HSS, Moody shares that he feels “very engaged.” He says “we meet on a regular basis…we collaborate a lot with the cybersecurity side.” Johnson adds that “it’s nice that HSS is not affiliated with any of the vendors and there’s no pressure in sales. It’s nice to have a neutral third-party that can facilitate conversations and present us with options without having to worry if our sales rep is pushing something on us that isn’t good for our facility specifically or cost a lot of money. That was our alternative before.” HSS and Spotlight act as advocates for healthcare facilities, working to reduce overall risk to ensure quality patient care. Johnson agrees, sharing that with Spotlight, “I feel more confident in the patient care that we deliver.” 

When asked by a fellow technology executive about why SRMC uses Spotlight, Johnson shares that device security and safety was something that their facility deemed to be a priority and that for them Spotlight was a “no brainer.” She says they didn’t really have another option and were already seeing and feeling the impacts of trying to tackle medical device cybersecurity through each respective department and it was disjointed and disorganized. Moody agrees and jokes that if someone was on the fence about Spotlight, he would ask them: “What’s the alternative? Or are you just going to leave all your medical devices unsupported?”