With the number of connected devices steadily increasing, health systems and hospitals need a robust plan to ensure they have the devices they need while also guarding against security threats. Below, we’ll cover 7 critical steps for device deployment in the healthcare industry.
1 – Develop a thorough vendor management program
Before anything, understand your vendors’ risk management program, vulnerability management, and support of any underlying operating systems or applications. This will allow you to make a decision upfront whether to use these connected devices to handle data.
A study of 1.2 million Internet of Things (IoT) devices in healthcare and other enterprises found that fifty-six percent of imaging devices run on Win 7, which gets limited support and patching from Microsoft, and another 27% of these devices run on the long-dead Windows XP, as well as old and decommissioned versions of Linux, Unix, Windows, and other embedded software.
2 – Ensure data is properly managed
Keep the services and connectivity of your selected devices to an absolute minimum and install firewalls and other network-based protection as needed on mobile endpoints.
The numbers revealed by a new Bitglass study are eye-popping; an increase of cyberattacks of over 55% in 2020, with an estimated impact to the protected health information (PHI) of some 26 million people in the United States.
3 – Create a secure technology infrastructure
Monitor for vulnerabilities at all levels (operating system, database, application, supporting libraries, code and interfaces) and review for any anomalies in data or system activity. Reduce the risks to your electronic medical records by putting all incoming data through a well-tested supporting infrastructure first.
“The challenge is in identifying all of your organization’s vulnerable infrastructure and developing a plan for how to secure it. No one is thinking about a CT scanner or an MRI machine and seeing a launchpad for a broader attack.” – Anthony James, TRAPX
4 – Educate your organization around proper device usage
Develop a comprehensive training program for device usage across the organization. Train and retrain end-users so they know your organization’s policies. Ensure that your device deployment team can answer potential questions and work with end-users to update and monitor usage.
5 – Implement an activity review process
Review your users’ device activity on a regular basis, ensuring periodic necessary updates to usage and security policies. Such a process must also include administrators, and anyone else who has access to system data, so a data breach doesn’t occur.
6 – Understand the scope of work and your available budget
As with any technology rollout, considering cost is necessary. Who is going to get these devices and how will they be managed? Factor in enough budget to ensure the availability of resources to review devices and infrastructure, continually assess risk from all threat vectors, and answer end-user questions.
7 – Develop an IT staffing plan
Device deployments often require significant oversight from IT. While many vendors claim that their tools require less maintenance or have the ability to maintain thousands of devices without dedicating full-time staff; that simply is not true for devices containing protected health information. The HIPAA Security Rule requires regular review of user activity on systems containing PHI and so your IT staff needs to be properly supported to ensure a successful device rollout.