As we wrap up HTM week, I would like to thank all the HTM professionals who work tirelessly to ensure patient safety and that other medical professionals have safe and reliable equipment to use. Having been in this role prior to Ordr, I know how challenging being an HTM professional can be. As we look back on a year that no one could have predicted or expected, I would like to share a few things we as HTM professionals should be doing to prepare for the unexpected.
Prepare for an Imminent Ransomware Attack
Ransomware attacks are becoming more prevalent, and bad actors are targeting healthcare organizations. Our duty as HTM professionals is to be prepared and do everything we can to protect patients and their data. One easy step to help be prepared for a ransomware attack is to ensure you have the necessary resources to restore a device should it be compromised. This would include, but is not limited to, the most recent installation software, any patches or updates, and a recent configuration backup. It is a good practice to have two copies of each of these items: one stored with the equipment and another stored at a central location with all other restore software.
As the sophistication of ransomware increases, the likelihood that data on a piece of equipment can be recovered, even if the ransom is paid, decreases. In some cases, the best thing to do is wipe the device and start from scratch. If this is the direction your organization chooses, you will be ready to respond.
Securing Portable Medical Devices From PHI Exposure
Although ransomware attacks are increasing (10% of all breaches now involve ransomware), the likelihood of an incident happening and causing PHI exposure is still low. One of the most common causes of PHI exposure is misplaced or stolen equipment. Portable medical devices such as laptop-based ultrasound and EEG systems are easy targets for someone looking to make a quick buck. An event like this can cost an organization hundreds of thousands of dollars, depending on the information stored on the device and whether it is accessible.
Securing portable medical devices is not difficult but can be time-consuming. The first step, like any project, is to identify all the devices that fall into this category. The difficulty of this first step can vary depending on the accuracy of your CMMS and your access to tools that can identify connected devices. Once identified, the devices should be divided into two categories: those that can be encrypted and those that cannot. For devices capable of encryption, verify that it is enabled and document it in your database. If the devices receive annual maintenance, the encryption should be verified as part of this process. For those devices that cannot be encrypted, start by physically restraining the device to a fixed object, or to a large cart if the device has to move. Work with the department that owns the device to limit the PHI stored on it. Processes should also be put in place to ensure that any new devices purchased have encryption built into the core product.
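The triage described above, written as a small script over a CMMS export, is an added example and not code from the post or from Ordr. The export is constructed sample data, its column names are assumed rather than any real CMMS schema, and the 365-day verification window is an assumption tied to the annual maintenance cycle mentioned above.

```python
"""Triage portable medical devices from a CMMS export into action items."""
import csv
import io
from datetime import date

# Constructed sample export; column names are assumptions, not a real CMMS schema.
CMMS_EXPORT = """asset_id,model,portable,encryption_capable,encryption_enabled,last_encryption_check,stores_phi
US-0101,Laptop ultrasound,yes,yes,yes,2023-01-15,yes
US-0102,Laptop ultrasound,yes,yes,no,,yes
EEG-0201,Portable EEG,yes,no,,,yes
MON-0301,Bedside monitor,no,no,,,no
ECG-0401,Portable ECG cart,yes,yes,yes,2024-03-01,yes
"""


def triage(export_text, today, max_age_days=365):
    """Return {asset_id: [actions]} for portable devices that need follow-up.

    Encryption-capable devices: enable encryption if it is off, or re-verify it
    when the last documented check is missing or older than max_age_days.
    Non-encryptable devices: physically restrain, and limit stored PHI.
    """
    actions = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["portable"].strip().lower() != "yes":
            continue  # only portable devices are in scope for this triage
        todo = []
        if row["encryption_capable"].strip().lower() == "yes":
            if row["encryption_enabled"].strip().lower() != "yes":
                todo.append("enable encryption and document it in the CMMS")
            else:
                last = row["last_encryption_check"].strip()
                # An empty date means the check was never documented.
                overdue = (not last) or (today - date.fromisoformat(last)).days > max_age_days
                if overdue:
                    todo.append("verify encryption at annual maintenance")
        else:
            todo.append("physically restrain to a fixed object or cart")
            if row["stores_phi"].strip().lower() == "yes":
                todo.append("work with owning department to limit stored PHI")
        if todo:
            actions[row["asset_id"]] = todo
    return actions


if __name__ == "__main__":
    for asset, todo in triage(CMMS_EXPORT, date(2024, 6, 1)).items():
        print(asset, "->", "; ".join(todo))
```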
Consider Hiring A Medical Device Security Specialist
This last recommendation is for HTM leaders. If your organization does not already have a Medical Device Security Specialist, consider looking into what a person in this role could do to elevate your security posture. Depending on the size of your organization, a role like this may make sense. Having a single point of contact for the IT security team reduces the amount of time it takes to react to events. Another benefit is centralized patch management, which reduces the load on the engineers and eliminates redundant work when multiple engineers are researching the same patch. If a dedicated position does not make sense for your organization, third-party options can accomplish the same result and may be more cost-effective.
Again, thank you to all HTM professionals!