OR Manager November/December 2021 - 27

Technology
issue). Deloitte predicts that the connected
medical device market will grow
from $14.9 billion in 2017 to $52.2 billion
in 2022-a 350% increase.
Problem-solving in the OR
The OR is home to a substantial proportion
of a hospital's connected systems
and devices. It is up to OR leaders,
the C-suite, the IT team, and important
vendors to manage the risk in a collaborative
manner. Leaders and clinicians
who have direct impact on the type and
number of devices and attached workflows
need to be involved. Consider the
following statistics:
* The average hospital room contains
around 15-20 connected medical
devices.
* The number of IoMT devices in a
hospital can be double the number
of laptops and smartphones.
* Medical devices have an average of
6.2 vulnerabilities-each.
* Sixty percent of medical devices
are at end-of-life. This means no
patches or upgrades are available.
* Some medical devices in use by
hospitals have a lifespan of 20
years or more. This makes them
prime hacker targets because of
older technology.
* As of 2020, more than 25% of cyberattacks
in healthcare delivery organizations
involve IoMT.
The best cybersecurity measures are
proactive ones. At the 2021 OR Business
Management Conference, Debra
Bruemmer, BS, MBA, CISSP, Senior
Manager, office of information security
at Mayo Clinic, gave an insightful presentation
on cybersecurity resilience.
Bruemmer explained the importance
of establishing a set of minimum acceptable
security requirements for medical
devices, and then measuring each
device against that bar. OR managers
routinely have an active role in equipment
procurement for their departments
by making recommendations and advocating
for capital purchases.
www.ormanager.com
It is important that perioperative
leaders learn to assess medical equipment
against cybersecurity expectations
set by the organization, and to ask the
right questions when evaluating new
equipment purchases. Cybersecurity
evaluation should be embedded within
the purchasing processes for the organization.
Some of those questions
should be:
* What is the expected lifespan of the
device, and can it be secured over
that entire lifespan? (For example,
the Windows 10 end-of-life, meaning
when support for the operating
system is slated to end, is in 2025.)
* Does the device allow remote connectivity?
(Devices like pacemakers
that allow manufacturers to download
information and change settings
can be more vulnerable to
hackers.)
* Does the manufacturer readily share
cybersecurity data and testing?
* Does the device receive routine
patches (updates)?
* Does it have hardcoded passwords
that can be exploited?
Other questions should be guided
by your individual organization's expectations.
Who
is most at risk?
It might seem like cybercriminals would
seek to strike big targets such as large
healthcare organizations or multispecialty
health systems. Reports, however,
show different trends.
According to the largest study so far
of hospital data breaches, published
in AJMC (table, " Indices of US hospitals
with data breaches " ), small and
medium-sized hospitals, which typically
have a smaller cybersecurity budget and
fewer safeguards, see more attacks.
Hackers know this, which puts community
hospitals and smaller organizations
at higher risk. Targets also seem to
be more concentrated in the Midwest
and South regions of the country, rather
than the more populated coastal areas.
One such small hospital in the Midwest
is Citizens Memorial Hospital
(CMH), Bolivar, Missouri. Although the
hospital size is small, the CMH system
covers several counties and a full range
of outpatient and long-term care services.
CMH is known for being an early
adopter of electronic health records and
has attained the prestigious Healthcare
Information and Management Systems
Society Stage 7 for systems maturity.
Sarah Hanak, MSN,
RN, SCRN, chief nursing
officer of CMH, is a proponent
of nurse leader
education and empowerment,
supervising
successful leaders of
nursing services in the
OR, ICU, ED, and ASC,
among others. In a disSarah
Hanak,
MSN, RN,
SCRN
cussion about cybersecurity, she was
surprised to learn of the accelerated
risk for small hospitals like CMH, specifically
through IoMT devices. Hanak's
thoughts immediately went to the role
that nurse leaders could play in this
dilemma.
" When nurse managers look at new
equipment, their primary concern is how
to use it, how to train people, and how
to write the policy. We tend to leave
the IT stuff to others, " she says. " As
the potential for patient harm grows,
nurse leaders definitely need to have
the competency to sit at the table on
these issues and be part of a collaborative
effort. "
Regulatory Oversight
While the Food and Drug Administration
(FDA) is tasked with patient safety,
including cybersecurity vulnerabilities
from medical devices, the truth is the
FDA does not test all medical devices
for vulnerabilities. It is the manufacturer's
responsibility to do so.
Much work has been done to
develop consistent standards for
device manufacturers, and in 2020, the
Continued on page 28
OR Manager | Nov/Dec 2021
27
http://www.ormanager.com
OR Manager November/December 2021

Table of Contents for the Digital Edition of OR Manager November/December 2021
