Get notifications!

How Cybersecurity Factors into the Medical Device Procurement Process

In 2018, the global medical device and clinical asset market was worth approximately $8.98 billion. By 2025, it’s estimated that it will be worth $61.35 billion. Hospitals, on average, spend 11-13% of their annual budget on medical devices and clinical assets. In the UK, 47% of large healthcare organizations manage networks of over 5,000 connected devices. In the US, healthcare is even more connected, with a statistically average hospital maintaining a network of some 19,300 devices.

Medical devices and clinical assets include everything from syringe pumps to robotic operating equipment, from the software system/service used to keep track of ER admissions to the nurse call button used by patients, and even implanted devices like pacemakers. Medical devices and clinical assets don’t just pervade hospitals it would be impossible for a modern-day hospital to continue without them.

The Complexity of Medical Device Procurement

With medical technologies playing such a critical role in healthcare operations, device planning and procurement is a serious issue. It’s also a long and complex processes, driven by many competing concerns and stretching out across an average of 12 months.

healthcare-cio-factbook

Decision makers draw on many different sources of information to come to a purchase decision, including:

  • Peer referrals
  • Online education
  • Crowd-sourcing professional network groups
  • Direct communication with current and prospective vendors 1

When it comes to the considerations that drive medical device procurement, cybersecurity is rarely at the top of the list. The primary motivators are to improve patient care, increase patient throughput, and lower hospital costs. The majority of purchases 71% are considered in order to replace an old or outdated item. Only 42% of purchasing decisions are initiated by a request from someone within the medical system.

In most hospitals, there are multiple stakeholders in procurement decisions, few of whom are preoccupied by cybersecurity concerns. These can include:

  • Physicians and surgeons
  • Medical administrators
  • Group Purchasing Organizations (GPOs) who carry out medical device procurements on a large scale for multiple medical centers (in an attempt to increase purchasing power)
  • Executives, including the CMO, CCO, CFO, the head of Biomedical Engineering, and other C-Suite managers
  • A value analysis committee (VAC), made up of representatives from different departments, nurses, physicians, administrators, supply chain specialists, purchasing agents, and more
  • The board of directors

The medical supply chain lags well behind that of other industries. It is made up of many stakeholders, and serves an IT network that is large, disparate, and highly siloed, with poor visibility. It’s relatively easy for vendors and sales representatives to gain access to the supply chain at many points.

medical-device-supply-chain-complexity-2

Device manufacturers may even deliver devices “on consignment” without any document trail about their existence. This impacts recall management, asset monitoring, end of life device management, and, inevitably, device security.

The Challenges of Medical Device Procurement Planning

Visibility

Effective medical device procurement planning is hampered by a lack of endpoint visibility in the existing network. Decision makers frequently don’t know which devices and assets are in heavy use. They lack a robust end-of-life monitoring solution. They don’t have any centralized management console from which to track when software updates or security patches are issues or to see when manufacturers cease extending such support for each device in deployment.

The issue of vendor support creates an interesting predicament for decision makers when it comes to procurement planning. Once a device exceeds its manufacturer-dictated end of software support lifespan, what do administrators do with their devices that are otherwise in fine working order? How are the associated risks/expenses managed and mitigated? It’s not a theoretical question. It’s hugely consequential. 20% of healthcare IT professionals report that their networks still run devices on Windows XP. Microsoft stopped supporting Windows XP in 2014. A similar cybersecurity disaster is on the way for systems using Windows 7, which will stop delivering extended support in January 2020.

Post-market support

Many hospital administrators assume that outsourcing procurement includes to some degree outsourcing ongoing device management as well. They trust that GPOs, manufacturers, or some combination of second-parties are responsible for the entire device lifecycle. But this will only be the case if the terms are explicitly written into the SLA. When everyone assumes that someone else is dealing with things like cybersecurity, they often slip through the cracks.

is-cyber-support-falling-through-the-cracks

Pinpointing responsibilities

Healthcare technology is touched by and affected by a variety of different hands and actors. Each enters into the equation at a different point and each packs their own operational or historical baggage into it. Knowledge about infrastructure, cyber threats, and device architecture ends up siloed in different departments, undermining a sense of shared responsibility.

For example, IT professionals are experts on security, but not about medical devices. Clinical and biomedical engineers know about medical devices, but might not be on top of the latest cybersecurity recommendations and threat intelligence.

Medical devices and assets are often made up of different embedded components that span the range of software, firmware, and hardware. Each can be supplied by different vendors, creating a fragmented ecosystem at a time when intra-organizational collaboration and shared responsibility is vital.

As a result, it’s not always clear who should take responsibility for security best practices. Passwords provide good case in point. Who is responsible for ensuring that default passwords do not persist beyond set up? Who is responsible for establishing good password management architecture? It could be the IT team, the software and application provider, the hardware provider, the third-party security provider, or even the technician using the device/service. Ambiguities of this sort end up producing dangerous vulnerabilities further down the line.

New technologies

Bringing new technologies into an existing IT ecosystem is never simple, especially when buying from a new vendor. Often, new devices won’t connect smoothly with your existing technologies and design architecture leading to clumsy patchworks that are vulnerable to operational “hiccups” as well as cyber attacks.

The consequences of joining up new and legacy technologies are difficult to predict, laying the groundwork for operational and security issues that may only manifest several months later.

Bringing Cybersecurity into the Procurement Process

the-knock-on-effect-of-not-knowing-whos-responsible-for-whatThese challenges underscore the need for healthcare organizations to bake cybersecurity more prominently into the medical device procurement process. This includes both premarket cybersecurity preparation and ongoing post-market cybersecurity support.

It begins with awareness. Decision-makers need to keep security in mind when making purchasing decisions.

Alongside considerations of cost, ROI/ROA, and patient care, CISOs need to push the rest of the C-suite to think about:

  • How a new medical device affects security posture
  • The unique vulnerabilities it might bring with it
  • How it connects with your existing security architecture
  • What steps you can take to limit risks.

The Benefits of a Smart, Secure Procurement Process

There’s a potential here for a virtuous cycle. Not only is it important to inject cyber considerations into the medical device procurement process in order to protect your long-term return on asset, but consciously coupling the two purviews (security and procurement) opens up new frontiers for synergistic efficiencies. For example, drawing on cyber data points, you can achieve a superior level of operational visibility that can be leveraged to identify which devices are needed and quantify to exactly what extent; while at the same time asset utilization insights can tell you how to bear the greatest, most positive impact on your revenue streams.

What's more, cyber-enabled end of product life asset monitoring allows you to make proactive purchasing decisions that aren’t pressured by the need to urgently replace a worn-out device. With the increased foresight, you can plan your purchases across a more flexible time frame, taking advantage of seasonal discounts or market fluctuations, or you can bundle orders to negotiate better terms.

For example, you may need to immediately replace 20 infusion pumps. But thanks to your end-of-life monitoring, you know that you’ll also need to replace a further 300 devices within the next year. Consulting your asset utilization data, you also know that your overall operation would be best served if you not only maintained replacement rates for your syringe pumps but expanded your roster of devices by 100 more units. In such a scenario, you would be able to group all these purchases together and push for a volume-based discount.

medical-device-procurement-discount-bundling

An improved understanding of device interoperability requirements, implications, and strategies will also be needed with vendors being held to a higher standard in terms of thoughtfulness and communication. How a given device with be plugged into and affect your existing IT infrastructure and security needs to be clearly understood and planned for as a forethought rather than an afterthought. Alongside a desire to invest in the best and brightest of MedTech, it’s important to keep a careful eye on the risks that this may bring to your network.

At times, this might mean turning down a device that fits your patient care and financial needs, but doesn’t meet your cybersecurity requirements. At other times, it may mean pushing vendors for greater security support commitments or even somewhat augmented device designs.

Equally, there may be occasions when the benefits of a specific device or assets outweigh the difficulties of plugging it into your current system. In these circumstances, integrating cybersecurity into the start of your medical device procurement process means that your CISO and security team can dedicate more time to mitigating risks and correcting vulnerabilities that this choice could cause

Raising cybersecurity issues early in the procurement process is also a good way to gauge the vendor’s long-term commitment to support2, and nudges the medical device industry as a whole to integrate cybersecurity earlier into the product development process; something that would over time remove, a priori, many of the most common vulnerabilities.

A more security-minded procurement process also demands a detailed security SLA and may entail the provisioning of a cybersecurity preparedness user account so that your team can get service layer access during a cyber incident. Having more clearly defined roles, responsibilities, and expectations with regards to cybersecurity will also help to build a stronger HDO-vendor relationship. Creating a fully cyber-informed purchase process means using documents like a third-party Software Bill of Materials (SBoM). This lists device components so that cybersecurity professionals can identify and address vulnerable elements and prepare a thorough incident response plan.

hospital-cyber-incident-response-plan

In looking to build out your internal policies in this regard, you have plenty to go on. The FDA issued a Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook that contains more guidance, and so did the Department for Homeland Security.

Conclusion

For most healthcare organizations, establishing a strong security posture will require bringing cyber into the conversation at an earlier stage. When it comes to medical devices and clinical assets, there’s no earlier point than procurement planning. CISOs and other stakeholders need to push cybersecurity up the list of concerns when making purchasing decisions.

It’s important to note that paying credence to cyber considerations and insights needn’t make the medical device procurement process longer or more complex. In fact, cybersecurity solutions that are based on enhanced device inventory and usage visibility can be leveraged to inform the whole procurement planning process.

Operational analytics and insights such as asset utilization rates, heat mapping, and time-based bottlenecks open up a greater understanding of which medical devices and clinical assets your staff really needs, and when they need them. This underpins smarter and more cost-effective procurement planning.

It’s vital that medical device vendors be held responsible for providing ongoing security updates and patches, and that these requirements are laid out clearly in SLAs, RFI, RFP, bids, and other documentation. By pressing for greater security support, procurement teams can instigate a culture change that increases the overall security of medical devices.

In the long term, integrating cybersecurity into the procurement process can save both time and money. The cybersecurity stakeholder, together with the device or asset stakeholder, should speak up to influence the medical device procurement process and enforce improved long-term security resilience and reliability across the organization and the product lifecycle.

_____________

  1. This includes receiving vendor announcements on new product lines and promotions, liaising with vendor reps, and issuing RFIs and RFPs to vendors as new needs arise.
  2. In terms of things like longevity of support, time-to-release for security patches, incident response, etc.

hospital-data-facts

 

Comments