
HDOs: Address IoT security governance today for a more secure tomorrow

April 26, 2019
Health IT

Ongoing, open communication between IT, IS and biomed teams is key to the success of their security program. For example, when a device manufacturer releases a patch for a newly discovered medical device vulnerability, who will get the alert? Who is responsible for ensuring the patch is put in place? If the device is not patched, who is responsible for bringing the patch to whose attention? And what is the process? The patching process includes everything from working with the device manufacturer to deploy the patch, to coordinating internally to ensure it is properly installed and that no damage was done as a result of the vulnerability. An HDO’s risk of a devastating attack automatically increases if a vulnerability is not patched in a timely manner, which is why HDOs must have a plan in place for managing patches. This is part of their duty to provide quality healthcare while ensuring sensitive data is protected.

The question HDOs need to be able to answer without hesitation is: who is in charge of which aspect of IoT security? As they continue bringing new connected devices onto the network, medical or otherwise, knowing who is in charge falls within their responsibility to patients, families and federal regulators.

No two HDOs are alike
Each HDO should have its own unique governance structure, depending on which of the aforementioned teams is better equipped to follow through on its responsibility to secure IoT devices. HDOs should expect their structure to vary from hospital to hospital. They all have a unique mix of information systems, political structures and methodologies that define their organization. These variations are bound to result in different IoT security governance structures across providers.

IT, IS and biomed teams need to work together to determine what is necessary for each team to support their ongoing IoT security program responsibilities. While some hospitals may have a strong biomed team that can drive this initiative, another may have a stronger IT team that has more resources to support a secure hospital environment.

Each team must be open to the others’ needs, and they need to be clear about whether they have the departmental resources and bandwidth to support the program. From there, they can assign leaders accordingly and begin discussing the actual tools required.

No matter what, HDOs should remember that the team leading this charge needs to do so understanding that total medical device security requires protecting each and every IoT device connected to the network. This includes general IoT assets, clinical IoT assets and medical devices (e.g., smart cameras, smart beds and MR systems, respectively).
