[ISN] How are hospitals handling medical device security?

http://healthitsecurity.com/2014/09/30/how-are-hospitals-handling-medical-device-security/

By Patrick Ouellette
Health IT Security
September 30, 2014

Dale Nordenberg, moderator of the medical device security panel discussion at this year’s HIMSS Privacy and Security Forum, made an interesting point in saying that medical devices fit somewhere between BioMed, IT and security. Given the likelihood that they fall through the cracks, what are the best ways for healthcare organizations to monitor the risks associated with these devices?

Nordenberg, a medical device expert, discussed security experiences and safeguard tactics with panelists Kristopher Kusche, VP of Information Services, Technology Services at Albany Medical Center, and Darren Lacey, Chief Information Security Officer (CISO) of Johns Hopkins University and Johns Hopkins Medicine.

The first major topic of conversation was the manner in which Kusche approaches risk assessments for medical devices. Kusche said he had 20,000 medical devices across two hospitals, which outnumbers the 18,000 managed IT products, such as computers, the organization has on the network. As a Joint Commission accredited hospital, he said that Albany Medical Center has been assessing every device for risk for a long time because it was a Joint Commission requirement. The only major difference now is the addition of cybersecurity to that risk assessment.

“When the FDA released its cybersecurity recommendations in June 2013, we took them to heart,” he said. “After having done full cybersecurity assessments for our IT components and systems for HIPAA, the next logical step was to perform assessments on medical devices.”

[…]