Healthcare Technology Management & Cybersecurity Collaboration

Mike Busdicker, System Director of Clinical Engineering
Priyanka Upendra, Compliance Manager of Clinical Engineering
Shawn Anderson, Senior Cybersecurity Analyst

About Intermountain Healthcare

An Integrated Delivery Network with a Tradition of Innovation

Helping people live the healthiest lives possible

• 38,000 Employees
• $2B Non-labor spend
• Based in Salt Lake City, Utah

Hospitals
• 1975 Beginning
• 22 Hospitals
• 2,800 Licensed Beds

Health Plans
• 1983 Started
• SelectHealth
• 900,000 members
• 25% of Utah market

Medical Group
• 1994 Started
• 1,400 employed physicians
• 4,000 affiliated physicians
• 185+ clinics

Continuum of Care
• TeleHealth
• Homecare
• LifeFlight
• Central lab
• Central pharmacy
• Clinical Engineering

Intalere
• 1986 Started
• 2015 Ownership
• Commercial platform
• $8B Spend GPO

It's About Patient Safety, Not Cybersecurity!

Would you rather...

Establishing Effective Processes

Medical Device Cybersecurity Management

This is a Process... Right?

Device Discovered
• Who does it belong to? UNKNOWN
• Have Information? UNKNOWN
• Contract Info? UNKNOWN
• Privacy Involved? UNKNOWN
• Security Involved? UNKNOWN
Someone needs to find out

Building Effective Processes through Greater Collaboration

• Effective collaboration starts with Supply Chain.
• Ask your subject matter experts how their processes work.
• Collaborate with IT to understand security processes.
• Keep an open mind about ways in which processes can improve.

[Process diagram: Device Requested; Supply Chain Process; Engage Cybersecurity; Engage Compliance and Privacy; Engage Legal; Engage IS Operations; Engage Clinical Engineering; Privacy Contracts; Completed; Legal Review; Implementation Plan]

[Process diagram: Supply Chain Process; Engage Compliance and Privacy; Engage Clinical Engineering; Engage Cybersecurity; Gather Device Information (MDS2); Completed; Potential Risk Assessment; Cybersecurity Review; Implementation Plan; Privacy Contracts; Control Requirements]

Collaboration Works

Breaking Down Barriers

Cybersecurity is a Multi-Disciplinary Task

• Central depot clinical engineers obtain cybersecurity documentation from Medical Device Manufacturers (MDMs).
• Information is then documented in Polestar.
• Recommendations for security controls are developed with a multidisciplinary workgroup.
• These recommendations are recorded as part of the PM work orders in the CMMS.
• This is a continuous improvement process.

Immediate Benefits of HTM-Cybersecurity Collaboration

• Greater visibility into the inner workings of clinical engineering
• Breaking down the "mystery" of cybersecurity
• Freeing up Cybersecurity resources
• Bringing medical equipment into scope for technical vulnerability scanning and assessment
• We get free lunch when we "happen to be around" during Clinical Engineering team-building events

Benefits of Information Sharing across the Industry

• Collaboration with NH-ISAC and MDISS
• Centralized MDS2 repository
• Coordinated scanning operations
• Coordinated risk management
  o Standardized approach to MDM-HDO collaboration
• Coordinated vulnerability disclosure
• Centralized reference library
• Sharing best practices

US GOV Cyber & Information Security Engineering References

a) Presidential Policy Directive/PPD-21 Critical Infrastructure Security and Resilience issued February 12, 2013.
b) Executive Order (EO) 13636 Improving Critical Infrastructure Security, Federal Register issued February 19, 2013.
c) Guidance for Industry, FDA Reviewers and Compliance on Off-The-Shelf Software Use in Medical Devices, U.S. Department of Health and Human Services, Food and Drug Administration, Center for Devices and Radiological Health, Office of Compliance, Office of Device Evaluation issued September 9, 1999.
d) Guidance for Industry Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software issued January 14, 2005.
e) Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff issued October 2, 2014.
f) Infusion Pumps Total Product Life Cycle Guidance for Industry and FDA Staff issued December 2, 2014.
g) Postmarket Management of Cybersecurity in Medical Devices, Draft Guidance for Industry and Food and Drug Administration Staff issued on January 22, 2016.
h) Updated recommendations on submitting a new 510(k) for device modifications August 5, 2016.
i) Deciding When to Submit a 510K for a software change to an existing device issued August 8, 2016.
j) Post Market Management of Cybersecurity in Medical Devices Guidance for Industry and Food and Drug Administration Staff Document issued on December 28, 2016.

Credits: Bill Hagestad, Principal Cybersecurity Engineer, Smiths Medical

US GOV Cyber & Information Security Engineering References

a) AAMI TIR57/Ed.1, Principles for Medical Device Information Security Risk Management dated June 9, 2016.
b) IEC 80001-1:2010 Application of Risk Management for IT-Networks Incorporating Medical Devices -- Part 1: Roles, Responsibilities and Activities.
c) ISO/IEC 27005:2011 provides guidelines for Information Security Risk Management.
d) ISO/IEC 15408-3 1999-12-01 Information Technology — Security Techniques — Evaluation Criteria for IT Security — Part 3: Security Assurance Requirements.
e) ISO/IEC 14971 Risk Management for Medical Device Manufacturers.
f) ISO/IEC 29147 Vulnerability Disclosure Process.
g) ISO/IEC 30111 Vulnerability Handling Processes.
h) RFC 2196 Site Security Handbook September 1994.
i) IEC TS 62443-1-1:2009 Industrial Communication Networks - Network and System Security - Part 1-1: Terminology, Concepts and Models.
j) IEC TS 62443-2-1:2009 NIST Cybersecurity Framework Core: Informative Reference Standards.
k) IEC TR 62443-2-3:2015 Security for Industrial Automation and Control Systems - Part 2-3: Patch Management in the IACS Environment.

Credits: Bill Hagestad, Principal Cybersecurity Engineer, Smiths Medical

Mike Busdicker

Mike Busdicker is the System Director of Clinical Engineering Support Services at Intermountain Healthcare.

Mike started his healthcare career with the United States Air Force as a 1983 graduate of the DoD Biomedical Equipment Repair School. His total military service included seven years of active duty and 20 years with the Wisconsin Air National Guard. During his military time he served as a Biomedical Technician, First Sergeant, and Human Resource Advisor, completed an operational deployment to Iraq, and achieved the highest enlisted rank of Chief Master Sergeant.

Mike received his Bachelor's and Master's degrees in Business from Baker College in Flint, Michigan. Prior to his employment with Intermountain he held leadership positions with ServiceMaster Management Services, Aramark Clinical Technology Services, TriMedx Healthcare Services, and Alexian Brothers Healthcare System. Mike is an active member of AAMI, ACHE, UHE, HIMSS, and is a member of the AAMI Technology Management Council.

Shawn Anderson

Shawn Anderson is a Senior Information Systems Security Analyst on Intermountain Healthcare's Cybersecurity Architecture team.

Shawn worked for a Utah-based company as a network and systems administrator for over 13 years before joining Intermountain as an Information Systems Security Analyst in 2013. He received his Bachelor's in Information Technology with an emphasis on Security and Forensics from Utah Valley University in Utah. Shawn is a Certified Information Systems Auditor (CISA) and Healthcare Information Security and Privacy Professional (HCISPP). Shawn is an active member of HIMSS, ISC2, ISACA, Utah's local chapter of InfraGard, NH-ISAC, and MDSISC.

Priyanka Upendra

Priyanka (Priya) Upendra started working with Intermountain in July 2016. Prior to employment at Intermountain, Priya worked as a clinical engineer and clinical technology analyst at Stanford Children's Health and Stanford Health Care, and completed several engineering internships at Santa Clara Valley Medical Center, Stanford Health Care and Stanford Children's Health. She worked as a biomedical engineering researcher at Stanford University prior to her career in HTM. Before coming to the United States, Priya worked as a biomedical researcher with GE Edison Engineering Development Program (EEDP) and as a senior biomedical researcher at Philips Healthcare in Bangalore, India.

Priya serves as a research and technical resource for the Senior Design Task Force and Alumni Relations at San Jose State University and Curriculum Design & Development at B.M.S College of Engineering in India. She received her Bachelor of Engineering from B.M.S College of Engineering in India and Master's in Engineering from San Jose State University, California. Priyanka is an active member of AAMI, ACHE, META, BMES, ACCE, MWHTA, MDSISC, and is a member of the ACCE Advocacy Committee, AAMI Medical Equipment Management Committee, and BI&T Editorial Board.