The "Biomedical Device" Security Nightmare at Hospitals: How Should IT Manage This?

Duration: 60 Minutes
Instructor: Feisal Nanji
Webinar Id: 800207




Biomedical devices and especially those devices connected to IT networks are not going away. We live in a networked world, where one application or device needs to communicate with many upstream or downstream devices and applications to deliver safe care. We must consider biomedical devices to be an integral part of our information infrastructures and therefore we must permit and nurture their security. Doing this in a clear, uncluttered and stepwise fashion is the right start for most US hospitals today. We cannot and should not ignore this threat to patient safety.

With massive IT and security risks posed by medical devices to Hospital IT infrastructures, what should security practitioners do?

Why Should You Attend: Biomedical devices in contemporary hospitals and other care delivery environments are necessarily ubiquitous. They are instrumental for delivering excellent health care. A 400 bed hospital may have over 5000 such devices, many of which require network connectivity to report results to a downstream piece of software, or for remote IT management. There is a staggering variety of biomedical device types, ranging from cytometers and infusion pumps to heart rate monitors and resuscitators.

For IT security practitioners such devices are often a bane. For various reasons, including unclear regulatory direction, many biomedical devices use outdated operating systems that run applications built with inadequate software security. As a result these devices are ripe for attack by viruses, worms and other forms of malware. Perhaps most disturbingly, most of these connected devices in hospitals hang off the core IT network.

In most hospitals, a virus infiltrating, say, an old infusion pump running an unpatched version of Windows 2000 can propagate like wildfire, bringing the main hospital network to a crawl or even fully disabling it. Another example of a security hole is the use of an "unsecured" or poorly secured wireless connection that is easily exploitable by an attacker with rudimentary wireless hacking equipment. This has a huge bearing on "Patient Safety".

The ramifications for a hospital are tremendous. Information is the lifeblood of modern hospitals - from admitting, to billing, to labs, and diagnostic machines to electronic medical record repositories, a modern hospital cannot function without reliable and secure information technology. Biomedical devices cannot remain an "Achilles Heel".

Areas Covered in the Session:

  • Discuss the explosive growth of the use of "connected" Biomedical devices and its implications on patient safety.
  • Present the range of problems we normally find with managing and integrating biomedical devices in contemporary Hospital IT infrastructures.
  • Discuss the Medical Device Data System (MDDS) rule published by the Food and Drug Administration, proposed new FDA directions and the impact on HIPAA security adherence.
  • Discuss appropriate risk management and governance structures for managing biomedical devices at institutions of various sizes. This includes an overview of standards such as the IEC 80001 and their need for widespread adoption.
  • Discuss the need for the formation of cross disciplinary teams to identify problems and issues before they occur.
  • Offer insights for acquiring, installing and managing biomedical devices securely.
  • Offer insights into appropriate network designs for Hospitals as biomedical devices proliferate.
  • Shed light on optimizing vendor management and agreements.
  • Discuss how to meet regulatory requirements through adoption of standards and processes that actually improve patient safety.

Who Will Benefit:
  • Chief Medical Officers at Hospitals and Academic Medical Centers
  • CIOs at Hospitals and Academic Medical Centers
  • Clinical Engineering managers at Hospitals and Academic Medical Centers

Educational Objective(s)
Upon completion of this activity, participants will be able to:
  • Explain the risks posed by medical devices to hospital infrastructure and how to manage them securely.

CME Credit Statement
This activity has been planned and implemented in accordance with the Essential Areas and Policies of the Accreditation Council for Continuing Medical Education (ACCME) through the joint sponsorship of CFMC and MentorHealth. CFMC is accredited by the ACCME to provide continuing medical education for physicians.

CFMC designates this educational activity for a maximum of 1 AMA PRA Category 1 Credit™. Physicians should only claim credit commensurate with the extent of their participation in the activity.

Other Healthcare Professionals Credit Statement
This educational activity has been planned and implemented following the administrative and educational design criteria required for certification of health care professions continuing education credits. Registrants attending this activity may submit their certificate along with a copy of the course content to their professional organizations or state licensing agencies for recognition for 1 hour.

Disclosure Statement
It is the policy of CFMC and MentorHealth that the faculty discloses real or apparent conflicts of interest relating to the topics of the educational activity. All members of the faculty and planning team have nothing to disclose, nor do they have any vested interests or affiliations.

Obtaining Certificate of Credit

Colorado Foundation for Medical Care (CFMC) hosts an online activity evaluation system, certificate and outcomes measurement process. Following the activity, you must link to CFMC's online site (link below) to complete the evaluation form in order to receive your certificate of credit. Once the evaluation form is complete and submitted, you will be automatically sent a copy of your certificate via email. Please note, participants must attend the entire activity to receive all types of credit. Continuing Education evaluation and request for certificates will be accepted up to 60 days post activity date. CFMC will keep a record of attendance on file for 6 years.

Speaker Profile
Mr. Nanji is the Executive Director at Techumen. He has extensive experience in developing and creating security programs for health, financial services, and core infrastructure clients. Overall, Feisal has over 20 years of experience in technology strategy and information security. Feisal was with Ernst & Young from 2003 – 2008. At Ernst & Young, Feisal led the National Application Security service line. While there, Feisal led a team to analyze and help remediate application and network security weaknesses for a Health Provider with an installed base of three million Electronic Health Records (EHR).

This is perhaps the largest private (non-governmental) installation of an EHR system in America. Feisal holds degrees from Harvard University and the University of Notre Dame. He has held the accreditation of Certified Information Security Systems Professional (CISSP) since 2003.
