HTM Discussion Group

Combining Risk Management Clinical/physical with Cyber

  • 1.  Combining Risk Management Clinical/physical with Cyber

    Posted 08-29-2018 15:36

    I wanted to poll the industry to see what areas have incorporated cyber risk into their "traditional equipment risk management process" for their Equipment Management Plans and what challenges you faced integrating the two.

    Thanks in advance,

    Dan Johnson CBET


  • 2.  RE: Combining Risk Management Clinical/physical with Cyber

    Posted 08-30-2018 10:51

    There are some great HTM articles recently published on cybersecurity risk management of medical devices and the recent professional meetings, including the AAMI Exchange (formerly AAMI Annual Conference) and MD Expo have had a plethora of educational offerings on the subject matter.

    The first and easiest place to start is with the healthcare technology management team.  The team must understand the importance of an accurate and complete device inventory and the device history file.  This inventory MUST include all aspects of the medical device in the inventory, INCLUDING the network connectivity aspects and its exposure/security.  The PHI of the patients you serve and the business intelligence of your employer are things that MUST be protected.  So educate the team and ensure they completely understand the value of your CMMS inventory and its completeness.

    That's a great segue into the CMMS (your computerized maintenance management software).  Make sure you select a great partner for your CMMS product.  Ensure the inter-relational aspects of the database will meet your needs.  In this case, does your CMMS have a comprehensive file for data surrounding the computing aspects of your devices?  Notice I said computer aspects of the devices in the inventory.  Please be cognizant that even for devices that DO NOT connect to the network, you and your team MUST be focused on protecting any identifiable patient data or company intellectual property that might be contained on a non-networked device.  Can someone (employee, visitor or patient) walk up to a device and "steal" the data and place that data on the web or sell it for nefarious reasons?

    Any strategies you employ should be part of a multi-disciplinary team.  Your IT team, in this case, your Chief Information Security Officer and that IT team, should be engaged with your strategies so you are all working from the "same sheet of music," so to speak.  Software and physical controls should be and must be part of any solution.  Who has VPN access to your medical devices?  How do those OEMs or other vendors, to whom you have provided VPN access to your network, handle employees who quit or are fired?  Do you have a copy of their HR policy and do you need to make changes to that policy based on your specific needs/requirements for your network?  I think this area of VPN access is an often overlooked area of vulnerability.  For VPN access to medical devices, you must be engaged as the HTM professional.  Make sure you list the specific vendor employees who have VPN access in your CMMS product.  Update it regularly.

    The challenges to implementation are lack of administrative support, lack of funding solutions, animosity between or the lack of team building for that necessary interdisciplinary team, the HTM team's failure to understand that these strategies MUST be embraced and acted upon, a terrible CMMS product, computer networking ignorance of the HTM team, laziness of the HTM team, a "not my job" attitude, and probably a few more that I have not listed.  A great part of the success of a cybersecurity program for medical devices depends on the leadership and the communication.

    Hopefully, this is a good start to your polling...

    Chris Nowak, CBET, CHP, CSCS

  • 3.  RE: Combining Risk Management Clinical/physical with Cyber

    Posted 08-31-2018 12:20
    I'd like to riff on part of Chris' great guidance.

    In my current gig with IHE-PCD, co-sponsored by AAMI, ACCE and HIMSS, we're working on standards-based medical device interoperability.  One part of the project is Device Management, including all the IT-related information.  Most of the major manufacturers are now able to provide medical equipment IT information (and a lot more) via HL7.  This means the latest software version, network address, etc.  All that's needed is for the CMMS to accept the info.

    The tools to implement this capability are open-source and free.  CMMS vendors just need to implement them, which requires HL7 capabilities.  One has done so; I think it would help all of you to have your vendors follow suit.  Why do manually the work that can be done automatically?


    Paul Sherman CCE FACCE
    Healthcare Technology Consulting
    Sherman Engineering LLC Healthcare Technology Consulting
    Saint Louis MO
    (314) 422-2688
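    As an added illustration of the automated CMMS ingest Paul describes (this is example code added to the thread, not IHE PCD's or any CMMS vendor's, and not part of the original post): a minimal HL7 v2 reader that pulls device IT attributes out of OBX segments into an inventory record, then audits the record against an approved software-version list and the expected device subnet.  The sample message is constructed, and the OBX-3 identifiers (DEV-SW-VERSION, DEV-IP, etc.), the approved-version list and the device subnet are assumptions for the example, not the real IHE PCD nomenclature or any site's real values.

```python
"""Parse device IT attributes from an HL7 v2 ORU^R01 message into a CMMS-style
record and audit it.  Added example, not IHE PCD or CMMS vendor code.  The
sample message and the OBX-3 identifier codes below are constructed for
illustration and are assumptions, not the real IHE PCD nomenclature."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Constructed sample message (HL7 v2 segments are separated by carriage returns).
SAMPLE_MSG = (
    "MSH|^~\\&|PUMP_MGR|ICU|CMMS|HOSPITAL|20180904120000||ORU^R01^ORU_R01|MSG0001|P|2.6\r"
    "OBR|1|||DEV-STATUS^Device Status\r"
    "OBX|1|ST|DEV-MODEL^Device Model||Pump 9000|||||F\r"
    "OBX|2|ST|DEV-SERIAL^Serial Number||SN-12345|||||F\r"
    "OBX|3|ST|DEV-SW-VERSION^Software Version||4.2.1|||||F\r"
    "OBX|4|ST|DEV-IP^IP Address||10.20.30.40|||||F\r"
    "OBX|5|ST|DEV-MAC^MAC Address||00:11:22:33:44:55|||||F\r"
)

# Assumed mapping from OBX-3 identifier code to CMMS record attribute.
OBX_MAP = {
    "DEV-MODEL": "model",
    "DEV-SERIAL": "serial",
    "DEV-SW-VERSION": "sw_version",
    "DEV-IP": "ip",
    "DEV-MAC": "mac",
}


@dataclass
class DeviceRecord:
    model: str = ""
    serial: str = ""
    sw_version: str = ""
    ip: str = ""
    mac: str = ""
    extra: dict = field(default_factory=dict)  # OBX codes we did not map


def parse_hl7(message: str) -> list[list[str]]:
    """Split an HL7 v2 message into segments, each a list of '|'-separated
    fields with the segment name at index 0.  MSH is special: MSH-1 is the
    field separator itself, so it is re-inserted to keep field numbering
    consistent with the standard."""
    segments = []
    for raw in message.replace("\n", "\r").split("\r"):
        if not raw:
            continue
        fields = raw.split("|")
        if fields[0] == "MSH":
            fields.insert(1, "|")
        segments.append(fields)
    return segments


def device_record_from_hl7(message: str) -> DeviceRecord:
    """Build a DeviceRecord from the OBX segments of a message.  OBX-3 is the
    observation identifier (code^text), OBX-5 the observation value."""
    rec = DeviceRecord()
    for seg in parse_hl7(message):
        if seg[0] != "OBX" or len(seg) < 6:
            continue
        code = seg[3].split("^")[0]
        value = seg[5]
        attr = OBX_MAP.get(code)
        if attr:
            setattr(rec, attr, value)
        else:
            rec.extra[code] = value
    return rec


def audit_record(rec: DeviceRecord, approved_versions: set[str], device_subnet: str) -> list[str]:
    """Return findings a CMMS should raise: software not on the approved list,
    an address that does not parse, or a device living outside the expected
    medical-device subnet (approved_versions and device_subnet are assumed
    site policy inputs)."""
    findings = []
    if rec.sw_version not in approved_versions:
        findings.append(f"software version {rec.sw_version!r} not on approved list")
    try:
        addr = ipaddress.ip_address(rec.ip)
    except ValueError:
        findings.append(f"unparseable IP address {rec.ip!r}")
    else:
        if addr not in ipaddress.ip_network(device_subnet):
            findings.append(f"{addr} is outside the device subnet {device_subnet}")
    return findings


if __name__ == "__main__":
    record = device_record_from_hl7(SAMPLE_MSG)
    print(record)
    for finding in audit_record(record, {"4.3.0"}, "10.50.0.0/16"):
        print("FINDING:", finding)
```

    The MSH re-insertion is the detail most hand-rolled HL7 readers get wrong: without it, field numbers in MSH are off by one relative to every other segment.  Unmapped OBX codes are kept in `extra` rather than dropped, so an inventory review can see what the manufacturer is reporting that the CMMS schema does not yet capture.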

  • 4.  RE: Combining Risk Management Clinical/physical with Cyber

    Posted 09-04-2018 09:50

    Thanks for the great work. Could you provide a link to any references we can share with our CMMS vendors to point them in the right direction?


    Barbara Maguire

    Vice President, Quality & Geisinger Clinical Engineering

    Office 570-214-0623 (note new office number)

    Cell 908-938-9532

  • 5.  RE: Combining Risk Management Clinical/physical with Cyber

    Posted 09-04-2018 12:51
    Thank you all for your input. I have been reading the NIST SP 800-37 Risk Management Framework (RMF) for Information Systems and Organizations, (

    Daniel Johnson CBET

  • 6.  RE: Combining Risk Management Clinical/physical with Cyber

    Posted 09-05-2018 09:55
    Hi Barb,

    Absolutely, here are a few links to get them started:

    Our home page:  Patient Care Devices - IHE International
    Technical Framework Public Comment Wiki Page The IHE Patient Care Device (PCD) domain was formed in 2005 to address the integration of medical devices into the healthcare enterprise, from the point-of-care to the EHR, potentially resulting in significant improvements in patient safety and quality of care.

    Our main wiki page:  Patient Care Device - IHE Wiki
    IHE Patient Care Device domain is sponsored by the American College of Clinical Engineering (ACCE), the Health Information Management Systems Society (HIMSS), and the Association for the Advancement of Medical Instrumentation (AAMI). IHE PCD manages the development and maintenance of the PCD Profiles and the PCD_Technical_Framework.

    Our Google Group wiki - Anyone can join our Google groups, it's a great way to learn
    what's going on and ask questions:  IHE PCD Google Groups - IHE Wiki
    The IHE Patient Care Devices Domain is using Google Groups to provide a convenient way to manage email lists and also to provide convenient web access to the archived history of emails related to the topical areas of the group.

    The Medical Equipment Management group meets on Fridays at 2 PM EDT via WebEx.
    I'll be happy to share that info with anyone interested.

    Finally, feel free to share my contact info.  I'll answer, or steer to answers anyone's questions.

    Also, we really need more user input.  If anyone is interested in this project, please let me know.


    Paul Sherman CCE FACCE
    Technical Program Manager
    IHE - Patient Care Devices
    Sherman Engineering LLC Healthcare Technology Consulting
    Saint Louis MO
    (314) 422-2688