Episode Five of the seven-part CHIME Medical Device Security webinar series aired last week, with the featured topic of discussion being Operationalizing, Standardizing and Contextualizing. As the host of webinar series, I was joined by two senior executives at Nuvolo. Tony Bailey is the Director of Product Marketing for OT Security, and Dustin Smith is a Senior Solutions Consultant and formerly the Director of Central Support for Healthcare Technology Management at Intermountain Healthcare.
In the episode we delved into the security solutions for medical devices available to Health Delivery Organizations (HDOs), including what they do, why they are necessary, and potential integrations between them. As the guest speakers both represent Nuvolo, the OT Security module of their integrated workplace management system (IWMS), branded as the “Connected Workplace”, is used to demonstrate how device data is transformed into meaningful and actionable intelligence. Operational Technology (OT), as defined by Mr. Bailey, are non-IT assets in a medical facility that have the ability to connect to a network. This includes medical devices and facility and laboratory equipment. OT is distinguished from IT by being directly utilized in healthcare operations and is mission-critical to the organization, necessitating a heightened level of security. Traditional IT security tools are unable to provide the contextual data of a device’s operations, and a detected vulnerability or anomaly can consequently cause a communication schism between departments. Once discovered, IT personnel attempt to identify a remediation that does not disrupt operations or mishandle a device with Healthcare Technology Management (HTM) personnel, who as of then were unaware of any problem. An OT cybersecurity tool, as an extension of a computerized maintenance management system (CMMS), resolves this problem by providing a single inventory of devices, utilizing a common data model, and uniformly distributing remediation workflows to IT and HTM personnel.
Of course, an OT Security solution such as that offered by Nuvolo is only as effective as the quality of the incoming network and device data it relies upon to generate workflows and strategy. Mr. Bailey emphasized that integration with a passive monitoring and discovery tool is vital for optimizing the benefits of the OT Security module. For this reason, Nuvolo has partnered with providers of complementary systems such Ordr and simplified the integration process for a seamless and efficient implementation and operation of a combined cybersecurity solution.
Next, Mr. Smith demonstrated an integrated Nuvolo system. He presented an overview of the user interface, as well as its capabilities to automate policy-making and coordinate remediation responses among HTM, IT, and “boots-on-the-ground” technicians. Equally important is the tracking of vulnerabilities across device categories and manufacturers, identification of trends and correlations, and prioritization of remediation resources according to risk level and threat severity. One function of potentially overlooked importance is the detection of unknown devices through passive network scanning by the integrated monitoring and discovery tool. When these mystery devices not in the CMMS’s centralized inventory suddenly appear on the network, it can reveal valuable insights into operations and personnel activity occurring in the facility. For instance, a flurry of unknown devices could be short-term equipment rentals, indicating a re-evaluation of the in-house device fleet may be prudent, as a buy-or-rent analysis could reveal long-term cost savings in adjusting inventory levels. Alternatively, unknown devices may be the consequence of improper onboarding due to technician oversight or an unreliable asset onboarding process, or instead it may be a clinician using trial equipment without notifying HTM. Regardless of the cause, discovery of unknown devices can be a worthwhile prompt for further investigation, which is vastly simplified by the resources available through the Nuvolo dashboard.
Check back for Episode Six featuring Mayo Clinic and how they have leveraged Ordr and Nuvolo to create Next Gen Tools for Medical Device Cybersecurity.
If you missed an episode, you can view my recap here, or register for the entire series at https://store.ignitedigital.org/product?catalog=medical_device_security_webinar_series.