Recently Nebraska Methodist Health System moved the Biomedical Department from the Facilities department to IT Security. More and more healthcare organizations like Methodist are recognizing that the biomedical device department is better supported, and its synergies better aligned, this way.
Biomedical devices, most commonly referred to as biomed, comprise all sorts of medical devices: nurse call, IV pumps, MRIs, PET and CT scanners. In fact, the list of biomed devices is endless and growing exponentially. Historically, most biomed departments that support these devices have fallen under the facilities department, an arrangement that many healthcare organizations are now reevaluating, and for good reason.
With the ever-increasing number of biomed devices that are network capable and the need to secure these devices, the placement of biomed under IT, and more specifically under IT Security, is being looked at more and more. Biomed devices are really IT devices that provide life safety support. Which department in a healthcare organization is more adept than IT Security at supporting these devices, providing accurate risk assessments and mitigating those risks?
Over the course of many decades, medical devices have become much more complicated, technology centered and, most recently, network capable. Take, for example, the patient bed: the modern-day patient bed has many circuit boards. They monitor whether the rails on the bed are up or down, whether the patient is in the bed or has fallen out, where the bed is located and whether it has been moved from the patient’s room. All of this information is sent back to a central monitoring application in the hospital via the network.
Aside from the reality that biomedical devices are becoming more and more complicated electronically, they are also storing PHI and require tight security controls to minimize risk. The secure storage of this PHI on these devices and the secure transmission of that information over the network are not to be taken lightly. Which department in a healthcare organization has more experience and familiarity with HIPAA regulations and with assessing risk than the IT Security department?
Most, if not all, IT security departments in healthcare organizations routinely assess risk for IT devices, manage these devices in some way and, most importantly, really understand how to secure them to protect the organization. With all the technology and risks associated with these devices, it makes more sense for biomed to be under IT Security than any other department.
Years ago it was common for biomedical repair technicians to graduate from a formal degree program such as an electronics degree, often specifically in biomedical electronics. More and more schools are doing away with this degree program. Whether from a lack of demand or a lack of interest from young students, this type of education is ceasing to exist. Further, in years past it was common for these technicians to solder boards and do circuit repairs. Those days are gone; technicians now replace entire boards. Biomed technicians are becoming more and more like desktop support, replacing components and boards.
From a technology perspective, biomedical devices are becoming more and more similar to computers and other normally supported IT devices. This is not to minimize the unique nature of biomed devices or the need to send technicians to vendor training on those devices. Biomedical devices have unique characteristics related to their design, purpose and architecture. They also raise the same questions as any other IT device: is information encrypted, does the device communicate over the network, and are there safeguards protecting it from being hacked?
The most important and compelling reason to put the biomed department under IT Security is to minimize risk. As stated earlier, more and more of these devices contain PHI and transmit that data via the network and/or wirelessly. Securing these devices is almost always an afterthought for the manufacturer! Only recently has the market demanded that manufacturers start thinking about security and designing it into their devices. When purchasing a new biomed device, we should be asking the manufacturer how long they will support firmware and software security patches after they stop manufacturing the device.
IT Security is really in the best position to secure these devices from hacking, monitor them from the network and provide the technical support needed. Biomedical devices have been in the news recently because of security flaws in their firmware and software. The importance of life safety for these devices cannot be overstated. The need to update firmware and software to secure these devices, and to maintain their integrity for life safety, is core to IT Security responsibilities.
IT Security places great emphasis on certifications and usually requires its staff to hold a security certification. That recognition of certifications is also important in biomed, and it aligns the two departments well. Formal education and certification in both fields are essential to the success and performance of each.
Biomedical devices are critical to the operation of any healthcare organization. They are also critical to the care, treatment and safety of our patients. Aligning biomed with IT Security will only help, and will also protect both patient and healthcare organization from harm. As these devices become more and more complicated, this alignment is ever more important in our ever-changing healthcare field.