Tag Archives: facilities

Connected medical devices experts highlight IoT remote monitoring

BOSTON — Healthcare facilities can advance their patient care with IoT remote monitoring if manufacturers understand how to develop and use connected medical devices.

Medical IoT remote monitoring “will change the way you do service, the way your customers perceive you, not just you, but your products. They become reliant on the network of things that you provide them, not just the transaction,” said Anthony Moffa, senior director of ThingWorx IIoT Platform at PTC.

IoT remote monitoring gives manufacturers access to real-time information from the field that is unfiltered and unbiased, which they can use to secure and maintain connected medical devices. Devices can transmit data back to manufacturers on key performance indicators — such as power settings or the number of times a device was turned on and off — that they can use to improve connected medical devices. Engineers don’t have an easy time observing their devices in the field consistently, but anyone can sit in front of their laptop and see how devices perform, said Paul O’Connor, director of medical development at Boston Engineering.

Moffa and O’Connor were among the experts discussing considerations for connected medical device manufacturers during the panel “How to leverage IIoT to improve medical device innovation and user insights,” which was held on Dec. 10. It was hosted by Boston Engineering, the Massachusetts Medical Device Industry Council and PTC.

Here is a rundown of the event’s expert advice on how to address problems before IoT development begins, how to secure medical devices and the importance of identifying the needs that remote monitoring connected medical devices can address.

How to get started with remote monitoring for medical IIoT devices

Organizations often introduce IoT remote monitoring for connected medical devices with the intent to improve their products and differentiate themselves from the competition. Remote monitoring with IoT might have to overcome resistance.

“Somebody has to own [the project] and you have to have coordination between all your team members, so service, marketing operations, the R&D side; they all have to work together. If they don’t, it’s going to be an uphill battle,” Moffa said.

During IoT remote monitoring, developers should try to answer several questions:

  • Do you really know how your customers are using the product?
  • What settings do they actually use?
  • What is the optimal proactive maintenance schedule?
  • Do the components perform in a way that meets their needs?
  • How has device use changed since introduction?
  • Is the product over-engineered?

Developers can now track the data to answer these questions from around the world and apply the real-time insights and feedback to the next generation of the product.

“Think of your own product line and what you want to know about how your products are being used. Think about what you need first versus how [IoT remote monitoring technology] can help me,” O’Connor said. “You can test for years and not actually get real-time data on a global basis.”

Organizations might also see resistance from their customers. IT pros could see connected medical devices and remote monitoring as a threat to network security. The manufacturers must show how the device will bring value to the hospital, show how it’s secure and why it won’t put the network at risk, Moffa said.

Connected products typically have some built-in security processes. For example, all IT pros must make sure to encrypt communications and safely pair devices. When devices have basic security measures, adding remote monitoring security for post-market surveillance is a low security risk, said Elizabeth Couture, security software engineer at Geisel Software. Hackers won’t be particularly interested in data about what the current pressure on a sensor is or what firmware the device is running, which is the data that a device manufacturer would want from IoT remote monitoring. When manufacturers have continued access to deployed devices, they can increase the security of the product through processing device data with behavioral analytics to pick out deviations from the normal device use.

Create a culture of security

For a product to be secure, the whole team must secure it, including the different engineering and support groups involved when it’s developed, designed and implemented outside of the facility.

“[Medical IIoT device manufacturers] need to have a culture of security. Security is not a thing you do once and then you are done with it. And it’s not a thing that you can slap on the end of the finished product,” said Elizabeth Couture.

Most hacks today are caused when attackers find bugs in widely used software from trusted organizations that are implemented on devices, said Couture. The organization that made the software announces that they have a fix for the bug, which makes applying updates critical. Organizations must plan how to update devices in the field, otherwise they will have a security hole that the entire internet knows about.

Organizations must apply layered security and not treat medical devices as if they exist in a lockbox that no hacker will ever break into. A malicious actor should not be able to command the medical IIoT device to do dangerous things or access any patient data. By the time a medical device passes all Food and Drug Administration procedures, it’s usually 15 years old, Couture said.

“I wouldn’t trust a 15-year-old computer to buy it off the shelf. You have to be so sure that everything is safe, and that means that we need to assume that something will go wrong in the future,” she said.

When dealing with a larger number of connected medical devices, it’s important to make sure that devices have an incredibly narrow application to secure the multitude of endpoints that consumable items represent, Couture said. IT pros might be tempted to be lax on security for consumer devices, but they must tighten restrictions to prevent malicious actors from accessing the whole network through a device.

The best way to restrict application use on a medical device is to have very strict controls on the API, Moffa said. Limit the ability to use the device connection to go onto other networks, because as soon as a device connects to multiple different networks, malicious actors have a larger surface area to initiate a potential attack, he said.

Another way that organizations can improve their device security is to have other IT pros attempt to hack it. Smaller organizations might have to hire an outside expert if they don’t have people internally who focus on cybersecurity. Even having someone from a different group in an internal team attempt to hack a device will uncover security holes, Couture said.

“People used to approach cybersecurity as if ‘I am the best at building walls. I will build this wall around the product and everything is safe because I’m really good at that.’ But nowadays it’s not just about building good walls, it’s about learning the skills that a hacker would actually use to attack a product and attacking your product,” she said.

Keep the customer in mind, no matter the use of remote monitoring

Remote monitoring with IoT starts with user needs and adds value for them, said Raj Sivakumar, global product director at Hologic. Remote monitoring can improve the reliability of technology. When organizations use IoT remote monitoring for predictive maintenance, field engineers can identify when a component is going to fail and replace it without any downtime. With analytical tools, medical device users can take advantage of the device utilization rates to understand if their team uses the devices optimally or if they need more training.

“By adding IoT to this environment you’re able to increase the throughput of your technicians, because you can do some things remotely. You might walk a customer through a workflow on a screen, rather than physically,” Moffa said.

The data provided through remote monitoring gives engineers information for maintaining devices. IoT sensors can record the temperature and other variables that would inhibit or show the decline of medical devices. For example, without remote monitoring, an anesthesia machine in an operating room could fail when a patient is under. The patient must be moved to another room and hooked up to another machine. The time under anesthesia is increased, which means there is more risk for the patient. IoT predictive maintenance is critical from a risk management perspective in healthcare, Sivakumar said. If technicians know a machine will fail well ahead of time, they can apply this change. Eliminating downtime means patients spend less time in the hospital, which decreases their chances of getting sick from something they didn’t come in with.

“You could talk to people about the issues they have [with your device]. There’s no aversion to doing that; everyone thinks it’s a good idea,” O’Connor said. “But it’s being able to define a starting point. Start small with something that you can control and have access to.”

Recent ransomware attack cripples nursing homes, acute care facilities

A recent ransomware attack has affected roughly 110 nursing homes and acute care facilities in 45 states, cutting caretakers off from patient records.

Virtual Care Provider Inc. (VCPI), a Milwaukee-based IT consulting, security and management service company, first became aware of the attack Nov. 17. In a letter to clients, VCPI said the business was attacked with Ryuk encryption ransomware, which is used to target large software systems, and that it was spread by the TrickBot virus, a malicious program that targets Windows machines.

The company estimated 20% of its servers have been affected by the attack, and that roughly 100 physical servers will need to be rebuilt. VCPI said it is using a virus-specific software application to scan individual Microsoft Windows servers to verify they aren’t infected. If the server is infected, the business plans to restore it. The company maintains roughly 80,000 computers and servers for the affected facilities, according to KrebsOnSecurity, which broke the story.  

Attackers are demanding $14 million in Bitcoin as ransom for a digital key that VCPI could use to unlock access to its files, a price the company doesn’t want to pay, according to KrebsOnSecurity. VCPI CEO and owner Karen Christianson said in an interview with the security news site that the attack affected nearly all of its offerings, including email and internet service, client billing and phone systems, and access to patient records. She said the ongoing attack is keeping care facilities from accessing patient records.

Experts said the incident shows even the best organizations with the best procedures and controls can fall victim to attack, providing a stark warning to healthcare CIOs to educate employees on best cybersecurity practices.

Ransomware’s impact on healthcare

Larry Ponemon, founder of data protection research company Ponemon Institute in Traverse City, Mich., described the recent ransomware attack as especially devastating.

“It’s very serious because it’s not just about losing some data or preventing people from accessing their data,” he said. “It’s about the ability to provide services that can be life and death.”

If a ransom isn’t paid to retrieve a digital key to unlock the files, Ponemon said it can take months, or even years, for an affected healthcare organization or business to rebuild its systems after a ransomware attack.

In the letter sent by VCPI, the company said its plan is to rebuild servers and install them into newly created network segments. It is prioritizing servers that provide access to email and EHR applications. The company acknowledged it doesn’t know when clients will have access to VCPI systems again and noted that it intends to investigate if the recent ransomware attack has resulted in the acquisition of client data.

“We are working diligently, nonstop, without resource constraint, according to our documented plan, and with experienced expert leadership,” the letter stated. “We need to ensure the integrity of the new environment. We are prioritizing critical VCPI infrastructure, including Microsoft Exchange email system, and electronic health record software.”

David Chou, vice president and principal analyst for Constellation Research in Cupertino, Calif., said he was struck not by the ransomware attack but by the fact that the victim is a technology company that provides technology services to healthcare organizations.

Chou said the incident highlights the importance of properly educating employees to be aware of the ways attackers will try to infiltrate an organization’s systems and to ask questions before opening external emails with potentially malicious attachments. “If you don’t, you’re going to pay the price,” he said.

Zerto plays big role in McKesson’s disaster recovery plan

For McKesson Corporation, downtime may literally be a matter of life or death.

Hospitals and other healthcare facilities can’t reasonably keep every type of drug in stock in their own dispensaries. McKesson distributes drugs and medical supplies to hospitals, both during routine resupplies and emergencies. A strong and properly tested disaster recovery plan ensures nothing stops those important deliveries.

“We’re delivering pharmaceuticals. If we can’t ship product, somebody could die,” said Jeffrey Frankel, senior disaster recovery engineer at McKesson Corporation.

McKesson Corporation is a Fortune 7 pharmaceutical giant with about 70,000 employees and business units spread across the world. From an IT perspective, each of those units runs autonomously — there is no single IT infrastructure that connects all of them. Each location has its own IT staff without standardized technology stacks.

Still, all disaster recovery (DR) inside McKesson is handled by a central DR group, which Frankel is a part of. He said the biggest reason for this was to standardize DR practices across the business units and make it easier to establish and follow protocol.

“Individual units might be using VMware or Hyper-V or anything at all. But security standards and DR standards need to meet ours,” Frankel said.

A centralized DR group also made it easier to test and prove recoverability. Frankel said this was especially important for keeping insurance and auditors satisfied.

McKesson began using Zerto six years ago, and it was the first time the organization used a third-party vendor for DR. Frankel and his DR group were only responsible for the pharmaceutical side of the business at the time, and they were previously using VMware Site Recovery Manager (SRM). However, Frankel said Zerto proved to be so much more efficient than SRM that the DR group’s responsibility expanded to the entire organization.

One key feature that led Frankel to a Zerto purchase was journaling that allows for point-in-time recovery. He said this is a key difference between high availability (HA) and DR that many in his organization didn’t initially understand. McKesson was already replicating to a second site, which solved the HA use case, but DR needs the additional functionality of restoring to an earlier version if files are corrupted or compromised.

Frankel evaluated Actifio, Veeam and SRM, and said Zerto had them beat on functionality, ease of use and flexibility. McKesson’s business units have a wide array of failover setups, including on premises to Microsoft Azure, on premises to another on-premises data center, Microsoft Hyper-V to Azure cloud, VMware to Azure and VMware to IBM data availability as a service. Zerto worked with all of these setups, in addition to lowering McKesson’s RTOs and RPOs.

“We have a wide variety of implementations, but none of our RPOs are ever above 15 minutes,” Frankel said.

DR isn’t just the technology behind it. McKesson’s group is broken down into three teams, each handling a different aspect of DR.

The first team handles business continuity from the facility standpoint. They focus on the portion of the disaster recovery plan that deals with what to do if the facility is compromised and where workers go in order to continue working.

A second team focuses on consulting and logistics. This team works with executives to outline the scope of what’s needed for DR, including what’s considered mission-critical and the order in which business applications need to be brought back. This team also schedules tests and handles logistics and coordination when disaster strikes.

Finally, the engineering team, which Frankel is a part of, is responsible for all the technical aspects of the disaster recovery plan. They piece together the IT tools that make the previous team’s plan work.

One new feature Zerto introduced that Frankel wants to expand is its analytics capabilities. Before this was implemented, he would have to give direct access to the Zerto console to consultants, auditors and other non-IT personnel in order to look at the data. This meant untrained staff could accidentally start a failover process. The analytics and reporting functions have removed that risk.

“We didn’t want to give nontechnical people admin rights. Now, they can’t break anything,” Frankel said.
