September 28, 2022: Managing medical devices within a hospital can be extremely challenging. Expand to care at home and you’ve got an even bigger problem. Health systems can have more than 20,000 medical devices on a network. And with a 12-15 year useful life, it’s not uncommon to have to think about managing security over a very long period of time. What are the frontline solutions to address the sheer magnitude of this issue? Theresa Meadows, SVP & CIO at Cook Children's and Greg Murphy, CEO of Ordr share their expertise, experience and knowledge of medical device security. How do you keep up with updates? How do you ensure devices are running at the correct level or even just in good functioning order? When is it time to upgrade? What makes one solution stand out from the rest?
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Today on This Week Health.
A lot of the manufacturers don't have a process for updating software or technology within the medical device itself. The other challenge is, is there's just so many. We have 20,000 medical devices on our network. And so if you can imagine trying to manage, keep up. Something of that magnitude is really hard for an organization to manage when you don't have good tools to do that.
Welcome to a solution showcase. We have a great conversation today with Theresa Meadows, CIO at Cook Children's, and Greg Murphy, CEO of Ordr. As you know, managing medical devices can be extremely challenging. Today we talk about frontline solutions to address this very challenge. My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of this week. A set of channels dedicated to keeping health IT staff current and engaged. We wanna thank our sponsors for today, Sirius Healthcare, a CDW company, and Ordr, for making this content possible. And now onto our show.
All right, today, we're gonna do a solution showcase and we're gonna be talking with Theresa Meadows, CIO for Cook Children's and Greg Murphy CEO for Ordr around the topic of medical device security within the hospital system. Hey, what? Welcome to the show. Looking forward to the conversation.
Glad to be here. Thanks for having us.
So, Greg, this is your first time on the show Theresa you've been on at least twice. Doing some fun things there. I especially like the apple bar. I shouldn't call it the whatever bar. What do you call it?
Well, ours is called the tech zone, cuz we can't use bar in a children's.
Got it. The tech zone. That's you're essentially helping people with the technology as they're coming in and out. It's such a great idea. And we've talked about that before in the show. Great. Today we're gonna talk about medical device security. Theresa, we'll start with you, but what are the challenges around managing your clinical devices at a health system?
Yeah, I mean, I think there's lots of challenges. One of the things we recognized, probably four years ago when I was on the cybersecurity task force, was that medical devices aren't consistently designed with the right regulatory cybersecurity technology built into those devices, and devices are usually purchased and kept a really long time.
And a lot of the manufacturers don't have a process for updating software or technology within the medical device itself. The other challenge is there's just so many. So like an organization, we have 20,000 medical devices on our network. And so if you can imagine trying to manage, keep up, ensure that they're all at the right software code levels or even just still in good functioning order. Something of that magnitude is really hard for an organization to manage when you don't have good tools to do that. So pile the security risk on with the fact that there's so many tools or devices out there today, you really kind of create this perfect storm of issues that need to be addressed in healthcare.
20,000. Wow. Greg, I'm gonna come to you. I mean, there's a lot of tools out there. I mean, as CIOs, we have a lot of tools managing endpoint devices. What makes these devices distinct, if you will? We manage PCs, we manage servers, we manage a lot of IP devices. What makes these devices a little different to manage?
I'd say it's a great question. Theresa, you alluded to one earlier, which is just the life of these devices. When you think about the traditional IT estate of laptops and tablets and mobile phones, I mean, we get used to thinking that these devices will be around for two to three years, and it's like, when you look at clinical devices and medical devices, it's not uncommon to be talking about a 12, 15 year useful life for these devices. So that means you have to really think about managing security over a very long period of time. The other challenge is that we in the industry have gotten used to the idea that if you wanna protect a device, well, you just put an agent on that device.
And when you look at medical devices or other types of IoT devices, it's often not even possible to put an agent on those devices, let alone practical, when you think about the scale that Theresa was talking about, about tens of thousands or even hundreds, thousands of these devices. So that makes them a slightly unique category that we have to think about securing and protecting a little bit differently than some of the traditional IT estate.
Are they generally similar operating systems or are the operating systems all over the board?
I think you find a wide variety of different operating systems, and one that we see all the time is just the legacy operating system. So we find devices that are still almost brand new that are coming off, manufacturing line running Windows XT, Windows 7 that manufacturers on quite different schedules. And so you find not just a variety of operating systems, but different generations of operating environment. And it just, it really does make for a very diverse and heterogeneous environment really requires automation and visibility able to manage.
So one of the, one of the challenges was just that for when I was CIO was just downright finding these devices. There's so many of them. So you think, well, they're everywhere in the hospital and they are everywhere in the hospital. They're, they're hard to track down from an efficiency standpoint. We're looking to be much more efficient with our clinical resources, our staff, our clinical staff is there a way that the tools are able to identify these devices a lot easier so that we can help our clinical staff to be more efficient.
Yeah I definitely think the tools allow us to know more from a technical perspective where they are. Is it user friendly enough to have a nurse looking at the dashboard? Probably not yet, but I do think as these tools evolve, when you're running the scans and you find out that you have new devices that have just come onto your network where that network closet is the closest known access point or the closest known area, you can start determining where things are and how to track those things down. I don't think that was the really original intent and purpose of the tool, but because of the data that we have now that we didn't have before, now we can start to triangulate. Okay that device is actually in that physician's office because it's on this subnet and it's broadcasting to these access points. I can find this thing. Easier if I needed to, but it's not really it's not really ready for a nurse to go look and say, oh, it's in that closet.
It's in that closet. But one of the things you mentioned earlier was patches and fixes and keeping these devices current. Talk about how a tool like Ordr is addressing that challenge for Cook Children's.
I would say the first step to recovery is knowing you have a problem. And so one of the really cool things that we learned: we ran the scan. We learned about all of the 20,000 devices that we have on the network, which is not only medical devices, but think about facility systems like air conditioning and parking garage gates and those types of things.
So you can start categorizing devices based on the types of devices they are. And then the other nice thing is, typically when we buy a piece of medical equipment, we don't get a bill of materials that says it has this operating system, it has this firmware, it has this thing. The tool actually tells us that now.
So when we run the scan, we can see, oh, this is on a Windows 7 box. It's got this firmware installed. And so we can be more targeted. And how do we update those devices? Just by looking at the tool, whereas before we'd have to go out and kind of call the vendor: what's in the device? Sometimes they would tell you, sometimes they wouldn't. So I think it just gives us a lot more visibility than what we had before.
Greg, I was talking to CIO the other day and he was talking about how a health system was compromised from the I believe it was the HVAC system. That essentially got 'em in, got 'em onto the network. And that was the entry point. And then now, obviously there was some security controls missing that they were able to move laterally, but, that's what the attackers are looking for. Isn't it? That they're just looking for that entry point to get onto the wire.
That's absolutely right. And when you think about the problem, the challenge, I think it's very important to frame it. This is not just about the medical devices and the clinical devices. And those may be the obvious ones that when you think about protecting the healthcare environment and protecting patient safety that you wanna focus on, but you're right.
If someone can get in, whatever the worst data point or wherever the most vulnerable device on the network is going to be the way the attackers get in. And very often that's not through the medical devices themselves. It's through an employee downloading something off of the internet, it's off of some other vulnerable device.
And so it's really critical to think about how we do implement controls to make sure that it's not possible to move laterally once the intruders have gotten into one system to move and take down the critical hospital systems.
Hey Bill, I kind of have a cool story around that. So when we ran, if cool in a geeky way, I guess, so when we ran our scan, we actually found one of our parking lot gate systems, so you pull up to the parking lot. You scan in, the gate goes up. When we ran the tool, it showed that that gate system was on an outdated operating system and it actually had malware on that particular install. And so we were able to mitigate that before it was able to spread into the network.
And so we wouldn't have known that had we not run the tool because the tool pointed that out to us. So it's kind of a, it can find things for you that you may not expect. And then we were able to fix our parking lot gate issue, but that, that was one of the huge benefits of the tool.
Did you know, the CIO was in charge of parking lot gates.
I did not, but I am now. Yeah, because this is where, the stuff where you get voluntold.
Yeah. Everything we buy now has an IP address and some sort of it's communicating with something either. Yeah. And for good re that parking lot gate is probably communicating for good reason.
There's security reasons to know when it's going up and down and what's going on and when it's broken and those kind of things. Greg, what's it look like to engage Ordr? Do you guys have like a process where you come out and scan everything and then say, Hey, here's what you got? Do you wanna buy it? Or do you engage through service providers? How does somebody engage with Ordr?
Absolutely. We typically engage with customers directly, but also through our partners. And very often the engagement will start with a proof of value understand, come in and show what's in the environment to illustrate how this solution can go and identify and classify devices, highlight their vulnerabilities, to Theresa's point illuminate for you what type of what software versions are running on all of those devices. And then from there engage in a conversation with the customer about how they would then take that information and translate into action.
That to me is the really critical thing, is it's not enough just to say, okay, now you're aware that you've got a problem. The question: well, what can you do about it? In some cases that's gonna be these devices can be patched. In other cases, it's no patches available or the manufacturer won't actually let you patch the device without invalidating the warranty.
And so you need to have other tools in other to set your disposal, like segmenting the network and isolating those devices to, to protect them.
Yeah. So Theresa, we'll give you the exit question here, and it is talk about ongoing with this tool. So the 20,000 devices, what's it look like to interact with this tool on a daily basis? And what value is it bringing to Cook Children's?
Yeah, the way we're using the tool today is really to prioritize work and spend like, so we look at the medical devices that probably have the largest footprint of things that need to be addressed. So our first task was we used the tool to eliminate pretty much all Windows 7, Windows NT from our environment. I think we're down to like two medical devices that are still on a Windows NT.
Windows NT. Are you sure? No. Windows 95.
No, no, these two are in like this crown jewels of NT. And so, and the manufacturer we've had lots of discussions and they don't intend to change that. So we're in the process of budgeting and looking for a new replacement for that particular tool. And so we're really using it to prioritize how do we correct things. And then we're also using it to find new things because physicians, people buy things and then they show up on the network. You're like, we've never seen this before. And so we're, that allows us to then start addressing some of those security concerns a lot earlier then hopeful and we can correct the process where people are buying things that we weren't aware were gonna show up. And so we really use it more as a planning tool and scanning and just proactively, how do we address issues before they get to be bigger issues in the future?
Well, fantastic. By the way, I appreciate your work on security and the work that you did there. And hopefully we'll see the manufacturers start to get to more, I don't know, standardized approaches to security, security frameworks around devices and those kind of things. But in the meantime, we absolutely need to be vigilant in this area. So I appreciate the work you're doing at Cook Children's, and Greg, really appreciate the tool and set of services you guys are bringing to the industry to keep visibility on this challenging topic.
Yeah, thanks Bill.
Appreciate it. Thank you so much.
What a great conversation with Theresa Meadows of Cook Children's. She's been on the show a couple of times and is a great friend, always wonderful to catch up with her, and Greg Murphy, CEO of Ordr. Great to have him on the show and introduce him to our community. There's a lot of stuff going on in this space and moving care from the facility to the home and the security ramifications around that. Medical devices are just hard to manage, and it's always great to have frontline solutions that are working for health systems. So interesting conversation, hope you appreciated it. And we look forward to bringing more of this content to you. We wanna thank our sponsors, Sirius Healthcare, a CDW company, and Ordr, for making this content possible and giving us the opportunity to deliver on our mission, to develop the next generation of health leaders. Thanks for listening. That's all for now.