The "Biomedical Device" Security Nightmare at Hospitals. How Should IT Manage This?
Overview:
Biomedical devices and especially those devices connected to IT networks are not going away. We live in a networked world, where one application or device needs to communicate with many upstream or downstream devices and applications to deliver safe care. We must consider biomedical devices to be an integral part of our information infrastructures and therefore we must permit and nurture their security. Doing this in a clear, uncluttered and stepwise fashion is the right start for most US hospitals today. We cannot and should not ignore this threat to patient safety.
With massive IT and security risks posed by medical devices to Hospital IT infrastructures, what should security practitioners do?
Why Should You Attend:
Biomedical devices in contemporary hospitals and other care delivery environments are necessarily ubiquitous. They are instrumental for delivering excellent health care. A 400 bed hospital may have over 5000 such devices, many of which require network connectivity to report results to a downstream piece of software, or for remote IT management. There is a staggering variety of biomedical device types, ranging from cytometers and infusion pumps to heart rate monitors and resuscitators.
For IT security practitioners such devices are often a bane. For various reasons, including unclear regulatory direction, many biomedical devices use outdated operating systems that run applications built with inadequate software security. As a result these devices are ripe for attack by viruses, worms and other forms of malware. Perhaps most disturbingly, most of these connected devices in hospitals hang off the core IT network.
In most hospitals, a virus infiltrating, say, an old infusion pump running an unpatched version of Windows 2000 can propagate like wildfire, bringing the main hospital network to a crawl or even fully disabling it. Another example of a security hole is the use of an "unsecured" or poorly secured wireless connection that is easily exploitable by an attacker with rudimentary wireless hacking equipment. This has a huge bearing on "Patient Safety".
The ramifications for a hospital are tremendous. Information is the lifeblood of modern hospitals - from admitting, to billing, to labs, and diagnostic machines to electronic medical record repositories, a modern hospital cannot function without reliable and secure information technology. Biomedical devices cannot remain an "Achilles Heel".
Areas Covered in the Session:
- Discuss the explosive growth of the use of "connected" Biomedical devices and its implications on patient safety.
- Present the range of problems we normally find with managing and integrating biomedical devices in contemporary Hospital IT infrastructures.
- Discuss the Medical Device Data System (MDDS) rule published by the Food and Drug Administration, proposed new FDA directions and the impact on HIPAA security adherence.
- Discuss appropriate risk management and governance structures for managing biomedical devices at institutions of various sizes. This includes an overview of standards such as the IEC 80001 and their need for widespread adoption.
- Discuss the need for the formation of cross disciplinary teams to identify problems and issues before they occur.
- Offer insights for acquiring, installing and managing biomedical devices securely.
- Offer insights into appropriate network designs for Hospitals as biomedical devices proliferate.
- Shed light on optimizing vendor management and agreements.
- Discuss how to meet regulatory requirements through adoption of standards and processes that actually improve patient safety.
Who Will Benefit:
- Chief Medical Officers at Hospitals and Academic Medical Centers
- CIOs at Hospitals and Academic Medical Centers
- Clinical Engineering managers at Hospitals and Academic Medical Centers