Vail Health Secures Medical Equipment with New Device Security Management Program

As hospitals face rising coronavirus cases and debilitating cyberattacks, unsecured medical devices pose risks to sensitive information and patient safety. At least 82% of connected medical devices were targeted by cybercriminals in 2019, according to the Global Connected Industries Cybersecurity Survey from software company Irdeto. In September, a ransomware attack on a German emergency department caused a woman to be turned away, and she died on the way to another facility.

The Challenge:

Rising risk and limited personnel with expertise in securing medical devices

Long before the recent cyberattacks and the FBI’s warning that cybercrime rings were targeting hospitals during the pandemic, Ryan Kolczak, director of technical operations at Vail Health, was worried. The prospect of hackers perpetrating a data breach or gaining control of medical equipment connected to patients deeply concerned him.

“It’s stressful,” says Kolczak. “And while our network monitoring solution showed me which devices were on my network and which had vulnerabilities, I had no ability to fix those vulnerabilities.”

Like most healthcare organizations, Vail Health has staff responsible for managing medical equipment such as ventilators, MRIs and defibrillators, but not necessarily from an IT security perspective. And the IT staffers, while knowledgeable about cybersecurity generally, aren’t experts in securing medical devices specifically.

The Solution:

The missing link between IT security and Healthcare Technology Management (HTM)

To help him bridge the gap between healthcare technology management (HTM) and IT, Kolczak began using a new medical device security service called Spotlight. Created by managed security services firm HSS, the Spotlight service arms healthcare organizations with a team of technicians who work onsite or remotely to catalog, assess, prioritize and secure medical devices.

“This service is the missing link,” says Kolczak. “I have 100 different classes of devices that are automated, and with the support of HSS experts, we were able to prioritize our problem sets and start tackling them one by one. It gives me so much peace of mind to see our risk profile going lower and lower.”

Spotlight technicians use data monitoring tools and asset inventory platforms to identify devices by manufacturer, model and serial number. Then, they funnel the information into a database that detects every asset with a known vulnerability. Once they identify the issues, the technicians collaborate with hospital staff and the equipment manufacturer to apply patches.

One reason this process is so important, Kolczak says, is that as medical equipment has become more sophisticated, it’s also become more reliant on software upgrades in order to function. Additionally, medical devices often use proprietary modes of communication, have fragile operating systems that make them challenging to protect through automated approaches and require extensive interaction with the manufacturer to identify, implement and test patches.

HSS technicians use their understanding of medical equipment, device-specific technologies and manufacturer relationships to proactively reduce risk—something that Kolczak says is especially important in today’s COVID-19 environment.

“When people are stressed, they’re more likely to click on a phishing message or do something else that makes them vulnerable,” he says. “But it’s much harder for an attacker to get a foothold in the network through a device when that device is patched and up-to-date.”

The HSS Spotlight service partners with healthcare organizations to manage the lifecycle of their devices—regardless of the manufacturer. Once healthcare organizations have an accurate inventory of connected and patched devices, it makes scheduling and utilization easier, Kolczak says. “In understanding the inventory and the patching, you can identify when you have too few devices or too many,” he says. “That can provide cost savings.”

The Results:

Secure devices and peace of mind—even on a budget

One benefit of Spotlight is that it can scale to any budget: organizations can choose the complete solution or select only certain services.

“I’m supplementing with my staff for the prioritization process, and we take a certain number of device sets each month to patch,” says Kolczak. “I was able to choose a number that worked within my budget and use it to address the top-ranked risks depending on the level of remediation.”

As hospital leaders work to meet the challenge of growing numbers of COVID-19 patients, some of whom require connected devices such as ventilators, Kolczak's mind is at ease knowing that Vail Health’s equipment is in an ongoing process of being secured.

“The risks are too great these days to leave them unmanaged,” he says. “And since it’s difficult to recruit staffers who are experts at securing devices, this is the perfect opportunity for a knowledgeable biomed vendor to come in and provide this service.”

Learn more about HSS and the Spotlight medical device security service

HSS has a 50-year track record of providing security services to industries ranging from healthcare to aviation to government. We have more than 3,500 teammates across the country in high-risk environments and critical infrastructure including airports, government buildings, hospitals, oil and gas facilities, schools, offices and other places where safety and security is top of mind.

Interested in learning more about how the HSS Spotlight service can help you protect against negative patient outcomes, minimize the cost of penalties, fines and lawsuits linked to cyberattacks, and safeguard your reputation? Let’s talk.

