Mortality, Mayhem and You: Risk Management in Digital Health


Mortality, Mayhem and You: Risk Management in Digital Health
Session #155, February 22, 2017

Todd Cooper, Exec. Director, Trusted Solutions Foundry
Nicholas J. Mankovich, VP & CISO, BD
Philip Raymond, Dir. Center of Excellence for Wireless Competency, Philips Healthcare

Speaker Introduction

- Todd Cooper, Exec. Director, Trusted Solutions Foundry
- Nick Mankovich, M.S., Ph.D., CIPP, VP & CISO, BD
- Phil Raymond, Director, Center of Excellence for Wireless Competency, Philips Healthcare

Conflict of Interest

Todd Cooper (Trusted Solutions Foundry), Nicholas J. Mankovich (BD) and Philip Raymond (Philips Healthcare) have no real or apparent conflicts of interest to report.

Learning Objectives

- Describe how standards-based risk management promotes health IT system safety, effectiveness and security.
- Illustrate how 80001 enables cooperation and coordination around safety, security and effectiveness.
- Explain the value proposition for healthcare organizations in adopting the 80001 risk management framework for Medical IT networks as a component of their broader Enterprise Risk Management.

Realizing the Value of Health IT via Risk Management of Networked Medical Technology

Establishing a comprehensive risk management capability in your organization provides value at all levels:

- Satisfaction: Technology works as expected, when needed, reducing frustration, increasing care quality and increasing overall confidence in connected healthcare technology.
- Treatment / Clinical: Care quality is improved by connected healthcare technology providing the expected functionality when needed.
- Electronic Information / Data: Information needed to provide care is available when needed, without information quality and availability challenges.
- Patient Engagement / Population Management: Clinicians and patients can better engage when connected healthcare technology performs as expected and is not a distraction and frustration factor.
- Savings: Increasing reliability and uptime reduces the cost of managing and maintaining connected healthcare technology.

Mortality, Mayhem and You: Risk Management in Digital Health
A Tale of Two Futures: a play in two acts

- Act 1: Mayhem Rules the Day
- Act 2: Calmness, Business as Usual

Cast:
- Hospital: CIO; Clinical Engineering / Biomedical Engineering Lead (CE); Medical IT Network Risk Manager (MITnet RM)
- ICU Telemetry Vendor: Account Manager; Emergency Support
- Others to be announced later!

Act 1: Mayhem Rules the Day

Setting: Late Saturday night, the Clinical Engineer's phone rings: "Telemetry network is down!" Two hours later, telemetry at another facility is down!!! "We're under attack! All hands on deck!" {confusion results}

Behind the Curtain: IT hired an external consultant to perform security vulnerability testing across the hospital system's networks, without coordinating with those responsible for the networked devices and systems, and without realizing that medical technology often doesn't respond well to this testing!

Meeting #1: What's going on?!

Scene: The CIO calls a meeting Sunday morning at 07:00 with the CE lead and the telemetry vendor to figure out what is going on, increasingly losing confidence that anyone knows what is happening or has a plan to resolve the problems. This is becoming a catastrophe!

CIO: What's going on here? Why am I being called?!
CE/BME: Ummmm... well... {confused responses to boss}
Vendor: I'll have to go back to engineering and see if they have any ideas.

Meeting #2: Mortality Knocks

Scene: The CIO calls a 2nd meeting Sunday at 12:00 to follow up.

CIO: What's the plan?
CE/BME: {silence} Ummmm... well... {chaos, finger pointing}
Vendor: This was probably caused by another vendor, or your wireless IT manager or other staff doing what we told you not to.

CIO Conclusion: Clearly no one has a clue here. Don't talk to anyone. I'll have to call Legal and Public Relations, then I'll have to call the CEO. Someone could die. Even if no one is hurt, this could hurt our Level 1 accreditation.

Discussion

- Does this sound familiar?
- What should have been done?
- Who wore the White Hat and the Black Hat?

Note: ISO/IEC 80001-1 is being revised with a new title, organization and wisdom.

ISO/IEC 80001

- Roles and responsibilities ensure clear communication and coordination.
- Defined policies and processes ensure an enterprise-wide risk management capability and support problem and event resolution plus maintenance activities.

[Figure: roles and responsibilities in the Responsible Organization (IEC 80001-1:2010, Figure B.1). Labels recovered from the slide: Top Management appoints the Medical IT-Network Risk Manager, approves residual risk, and supervises creation of policies, processes and procedures, which guide the activities of the Medical IT-Network Risk Manager; the Medical IT-Network Risk Management File; the Clinical, Biomedical Engineering, IT and other areas of expertise provide experts; Medical device manufacturers or providers of other IT technology (A, B) and a Subcontractor provide input.]

Act 2: Calmness, Business as Usual

Setting (deviating from the actual event): Late Saturday night the Medical IT Network Risk Manager's phone rings: patient telemetry is down at one of the facilities. As there was no scheduled testing, he notifies the emergency response team. They use established documentation and tooling to begin assessing the problem.

Behind the Curtain:
- The hospital implemented the 1st level of 80001 in a project two years earlier.
- Networked medical technology is now risk managed, in accordance with established policies, processes and procedures; responsibility agreements are in place with vendors.
- Effective and consistent communication and coordination exist between stakeholders, including CE, health IT, clinicians, audit and compliance, purchasing, etc.

1st Meeting: Managing the Event

Scene: In accordance with policy and procedure, the Medical IT Network Risk Manager notifies the CIO that a security event has been detected and is being assessed. The CIO calls a meeting Sunday morning at 07:00 with the MITnet RM, the telemetry vendor and other primary stakeholders to get an update on the assessment and resolution plan.

CIO: What's going on here? Do we know the problem and have a plan?
MITnet RM: Yes, we invoked the emergency response process, the team is engaged and assessing the problem, no patients are in danger, and we should have a resolution plan in a few hours.
Vendor: We are working with your team to determine the source of the problem.

2nd Meeting: Rational Minds Prevail

Scene: The CIO calls a 2nd meeting Monday morning at 09:00 to follow up.

CIO: What's the plan?
CE/BME: {silence} We completed the assessment and determined that a zero-day vulnerability in a medical system hosted in the Data Center caused a local network IP storm. We are working on the Data Center problem with the other vendor. However, we have invoked the back-to-local scenario and telemetry is up and running on the local server (isolated, but the HIS vendor is informed of the data stoppage).
Vendor: We are working with the MITnet RM team in the data center, but clinical telemetry is fully operational.

CIO Conclusion: We didn't know about this zero-day problem, but we were prepared and everyone responded well. I have full confidence in this team! Let me know if there are any other issues.

Conclusions

- Stuff happens every day, but establishing a foundation of 80001-based, risk-managed healthcare technology enables an enterprise to address routine changes plus event and problem resolution as business as usual.
- Balancing safety, effectiveness and security is crucial to ensure medical technology will meet user needs when needed.
- Effective communication and coordination between all stakeholders, breaking down inter- and intra-organizational silos, is a key benefit of 80001.
- Integrating 80001 as a component of an enterprise health IT risk management process ensures that networked medical technology will perform safely, effectively and securely, improving quality and savings.

Parts of this vignette, and more, are included in this AAMI white paper. ISO/IEC 80001 standards, guidance and training are available from www.aami.org

Realizing the Value of Health IT via Risk Management of Networked Medical Technology

Establishing a comprehensive, enterprise-wide risk management capability will ensure that an organization's investment in health IT, including integrated medical technology, will perform as expected, safely and securely. This will result in improved satisfaction on the part of all involved, improved clinical quality, improved security, improved patient satisfaction and ultimately improved savings due to lower ownership costs.

Questions

Contact us at:
- Todd Cooper: Todd@TrustedSolutionsFoundry.com
- Nick Mankovich: Nick.Mankovich@bd.com
- Phil Raymond: phillip.raymond@philips.com

Don't forget: Complete the online session evaluation!