HTM and Cybersecurity: Who Owns What?

Mar 26, 2024


Fri, Mar 15, 2024 10:16AM • 36:18


biomed, device, cybersecurity, htm, medical devices, patient, male counterparts, patch, hospital, learn, put, nurse, manufacturer, system, people, systems, field, clinical, cmms, technicians


JC Newell, Chyrill Sandrini, Almetha Ford

Chyrill Sandrini  00:12

Welcome back to HTM Insider. Every episode I’m so excited to bring on new guests and new topics and today is like no other. We haven’t met before. My name is Chyrill I’m with MultiMedical Systems, MMS, and today we’ll be talking about the HTM industry as a whole and how you htm are the key to defense for patient safety. So I’ve got some amazing guests on today who really don’t need any introductions because they are you know, rock stars out there. First I want to introduce my friend JC Newell. We’ve been friends for quite a while now. And I just love her spunk and her tenacity and we’re gonna talk about not only htm but how can you affect change and where the where the industry is going. So JC once you introduce yourself,

JC Newell  01:02

Hi all, I am JC Newell, I am currently working as a Senior Cybersecurity project manager with Kaiser Permanente but I’m also the owner of Newell Recruiting and Consulting, LLC. And I am a one of the founders of I-HTM, Integrated Healthcare Technology Management. And our goal is to bring all of HTM together in the same box. Let’s collaborate, talk network, get it in. Thank you for letting me be here. I love it.

Chyrill Sandrini  01:39

And Almetha, let’s hear about you.

Almetha Ford  01:42

Hi, I’m Almetha Ford. I’ve been in biomed since Oh, geez. Started in 1996. Went from Biomed Tech Director all the way up. Getting degrees, got some degrees behind me in cybersecurity and stuff. And I’ve been working in that field for almost 10 years. I am also a member, Co-member and founder of I-HTM. And my focus has been in very focused, very directed on medical device cybersecurity, and integration. And right now I’m working as a consultant with Tata Consultancy, and I work with manufacturers on helping them develop their programs and stuff because now with FDA regulations, they must do additional things on top of what they already do, and focus on cybersecurity, which they didn’t have to focus on before now. So there’s a lot of things and changes coming down the pike that we all need to be aware of.

Chyrill Sandrini  02:44

Oh, I agree. And I love that word integration. It means so many things, right in so many different applications. So let’s talk about that word. And you guys can kind of go back and forth. But integration. So biomed used to have a wrench, some screwdrivers, you’d go fix the machine. But gosh, now we’re seeing integration is bringing a lot of other I mean nuances and regulations, and how do we keep up with all this? So let’s talk about what is a biomed? And where is the biomed? Going? So let’s, ladies, which ones wants to take them

JC Newell  03:22

All right. So in in my world, we have Biomedical Equipment technicians, you have Biomedical Engineers, you have Clinical Engineers, and a lot of people just roll them all up into one. These are the people that take care of medical devices, but that’s not necessarily so. Biomedical Equipment technicians are out there. And they’re created just to focus on medical devices in the repair and maintenance, calibration and support, whereas a clip a biomedical engineer, they know how to build a medical device. They know how to structure a medical device, they are into the compliance and regulatory side of that device. And a clinical engineer is all about that clinical applications of that device, as well as how to build and maintain the device. Would you agree, Almetha?

Almetha Ford  04:20

they also deal with management skills, policies, procedures, standards, stuff like that. More focused on compliances and other other areas in the hospital where the environment of environment of care is affected in where they have their questions where maybe the biomed tech does not really go to so. The clinical engineer helps more in the managerial and engineering functionality of what encompasses the whole of what we do that whole area that people don’t even really know exists.

JC Newell  04:58

Yeah, and the funny thing about all of this Is that for years, you had departments. Clinical Engineering, the Biomedical Engineering department, the Biomedical Equipment Technology Department, the BMET department. And it was wonderful that Amy years ago said, Okay, let’s just come up with one name for it. And we all agreed on healthcare technology management. So then the HTM technician was born, all encompassing, and it gives us one name, that we can stand behind and say, This is who we are.

Chyrill Sandrini  05:35

And I want to applaud both of you. Because as we know, this is an excellent career field for women. And hopefully, today, you might inspire some young people, especially young women, to get into the industry. I think women excel in this industry, not to say that males don’t, but you are not what you see, when you walk in a shop normally. You need to be seen, you need to be heard. And I’m so honored to have both of you on today. Thank you. So that with that said, I want to know because JC you’ve been doing this a long time to when you started in the military? No. So let’s just let’s just narrow it down a little bit to the last 10 years, because I’ve been in the field about 12 years, 12 years now. And I’ve seen the jump. I mean, not even our own company, we were on triplicate forms. And now we’re automated, completely, we had a CMMS program. But some of the stuff we did over here, not everything is encompassed and tracked through our ISO certification and our CMMS program, right? Yeah, definitely. Wow, think about 10 years, 10 years ago, what have you guys seen as the biggest change in technology and integration?

JC Newell  06:47

For me, the biggest change to me is the amount of women coming into the field, it has been explosive. We kind of turned to this STEM technology thing and put it out there. I love the fact that women are seeing this as Challenge accepted. And they’re jumping in with their male counterparts. And they’re eager and hungry to learn. They are finding some difficulties, however, in their male counterparts, taking them under their wings to teach. But they need to understand that they’re coming with a new perspective. They want to be additive, they want to be that additional strength for the department. So this comes as something that a lot of departments and a lot of their male counterparts see them as well. What can they do? You will be surprised, they’re going to surprise you. They will eat up everything that you’re doing and show you better ways of doing it. I think a woman is the ultimate multitasker. And people say oh,”There’s no such thing as multitasking.” Well, let me tell you, if she can get up in the morning, take care of the kids feed the Hubby, make sure everybody’s off to school, and then get her work done at work sees all over it.

Chyrill Sandrini  08:04

Yep. I think women in general are problem solvers.

JC Newell  08:07

Yes, definitely every day, every day.

Chyrill Sandrini  08:12

So what about you Almetha, let’s talk about what you’ve seen in the last few years.

Almetha Ford  08:14

Oh, boy. So it’s been a little bit then let me go and say I agree with the perspective with women. I also think that helps with being a female in the biomed arena is we deal with nurses. The communication between a female technician and nurse is like almost like the communication between you know, it’s female-to-female, not female-to-male. So what a nurse says, we hear differently than sometimes our male counterpart Eric can gain insight from or is or they’re more comfortable sometimes. So just like where man would talk to another man. So I’m just gonna say it for that piece. The gender differences, but the things that I that has really changed healthcare forced healthcare to change was when I don’t know if you guys remember when Meaningful Use was being forced into the half healthcare. We’re seeing forcing, kind of pushing, because before, when EMRs were presented, I had nurses and managers saying we’ll never get EMRs because they’re too expensive. But when the federal government said we’re going to kind of push you to do that, because we’re gonna give me a sentence, using meanful use to inspire and encourage and kind of get you to do those electronic medical records. Once those guys place now everything is becoming more integrated. Everything is now being put in those medical records, which there’s a whole nother into what that’s trying to do with the CDC and everything else. If you really look at what’s going on and what needs to happen for diseases and tracking and then doing their statistics and stuff like that. It’s going to become more automated. And the way to do that is going the way that we’re going. So this is my stuff that’s been in motion for 15, well, more than 15 years, but we’ve been seeing it within the past 1015 1610 years. So now we have all these medical devices, thermometers, glucometers, and pumps and stuff that were never integrated before that were patient monitors were on insulin, isolated networks. And now they’re all going into, you know, going those servers and stuff are now being integrated into the EMR. The PACs images where people used to have to carry their images, memories fly, yes. Now you can just call and say, Hey, can you send my CT to Doctor A, B, and C. So now with all this, all this integration is coming in the past 10, 15 years, that’s changed how we have to look at medical devices. If you look at stuff, medical devices used to have a history of 20 years 18 years old, your CT would be 20 years old and stuff. So people would have all this stuff. Now with the turnover of software lifespans lifecycle, you can’t do that. You can’t, it’ll show up with a scan of we’ve had I’ve had where a scan some years ago had NT and to change that, that seats, that IR room CT room, we had, you would have to replace it, which means 30 day down 30 days that the whole system would be offline. Well, if that’s your only system, how does that go offline? You can’t. So how do you make those adjustments satisfy the mitigating point, so you stay safe, even though there’s an exterior edge perimeter that it is putting for firewall protection, Edge firewall protection, as you can see, through all the breaks, all the breaches that may have, and many that have not been reported until they were forced to be, reported. You’re getting through those those edge. So the only thing that we can do is now we need to think about defense in layers, putting defenses up. And so those are things that we never really focused on his biomed we focused on safety would say for safety, you know, how’s it working as a nurse No, no and train because we work closely with our nursing staff. Now we need to say okay, cybersecurity, does our database even except those that those data points that we need to search and have, you know what I mean? What does it mean, as a Biomed Tech back in the day it was from, I got my machine into the wall is us anything past the wall is you. But just like your body has an arm, you need to look at the whole system, you can’t just look at the arm and treat just the arm, you have to treat the whole system. So you need to understand that whole system. So you need to know that there’s blood going through your veins to your heart and your lungs oxygenating, well, you need to do that for medical devices. Because when there’s a problem when something goes down, it’s just not one part of it. It’s not just affecting one part of it, it’s affecting the system. And we’ll get in and out and access that system. So I’ll just stop right there.

Chyrill Sandrini  13:17

Yeah, that’s what I think is very important and, and to the public, the public doesn’t really understand this, they expect the machines to work. And really, they go into the hospital, they thank the nurses and they take care of them. Nobody has any idea. All these layers of safety that you’re discussing, I’ll share a story with you is that my husband went in for surgery. And the first time it didn’t happen for various reasons. We go in there the next time. And the surgeon says, Well, we’re gonna have to wait. They’re trying to get this device that I need to use for the surgery. And there’s an issue with it, and they’re trying to take care of it. And I’m like, what kind of issue he’s like, why don’t know, but they’re just trying to check it in and they’re not getting it checked in. I said what OR room are we in? I’m sitting there with my husband. He says five. I doubt my friends down clinical engineering that I know. Steve, I text them. Hi guys. My husband’s going in for surgery in OR 5 what’s the problem? It was advice brought in by a vendor, so layer of safety right brought in by a vendor that does a cold the Blasian right in his back and had not been pm for over a year. Oh wow. And so the great, great and powerful safety people that htm is they said you can’t bring that in. Right and then they told me that that surgeon comes back and I said no. We can’t do the surgery. They go well they’re trying to call Florida because they said it was PM’d I said sir is not PM’d, and I said, “If it was PM’d did have a proper sticker on it.” And this man turns to me and looks at my husband he goes “It’s what she does” so I go, “We’re not doing surgery today. When the machine has been pm done, it’s properly brought back by the vendor and checked in successfully by a biomed, then we can get the surgery.” I wouldn’t have known that. I wouldn’t have known that… The average person going in or to get surgery or in a hospital room doesn’t understand these layers of safety. And how defensive, y’all are about patient safety? Yes,

JC Newell  15:30

you know it. What I love about our field is that all of the well, I, I can’t speak for every biomed tech out there. But the majority of us when we go into a hospital, and we’re working on equipment, we treat it as if our loved one is going to be on it. And for us, it is so crucial that we have a mentality of is “Not on my watch, this device will not go down on my watch, what can I do to make sure that this device is safe for this patient? On my watch.” And in saying that it goes kind of correlates to what Almita was saying, the whole system, you know, because even though we’re there at the patient level, looking at the device and saying, Hey, is there a PM sticker on it? We also have to look at, hey, is this thing safe from a cybersecurity perspective? Can this device be hacked? Are we putting this patient in more danger when they get put on an infusion pump if somebody can get in it and change the dosage. So for us, when we look at it as a “Not on my watch” thing, we have to look at those things that we can physically do something about. And those things that we there is a presumption of, you know, we have to put up those like Almetha said, those layers of defense, so that we can protect the entire system, not just the machine just at the patient, because it’s way more than

Chyrill Sandrini  17:00

that, way more than that. And we’ve seen some much recently, right with some cybersecurity attacks at big health systems. Yes. For information out there to who knows who and where? And because there’s a lot of information in those records.

JC Newell  17:16

Oh, definitely, definitely, you know, when you’re when you’re sitting there looking at the fact that if someone got into a patient record, and no one their security, social security number in their addresses and things, it turns into a very large liability for any health systems, and you know,

Almetha Ford  17:33

I would say patient records is one thing. But when there’s a patient, potential patients fatality associated, associated, so there’s a case and I haven’t seen where it’s closed. So I’m waiting to see what their conclusion is, where there was a cyber hack, they got into the hospital, the systems were not as layered as maybe they could have been. They were able to get to the nurse to call and the nurse call. They were able to get into the networking for the patient. I believe that fetal monitoring, so they had the bedside, but they didn’t have the central so the lot of that infrastructure Integrated Infrastructure may have been affected. Because you know, all that information is not going to be given but from what was written. That’s what it seems like. So now you got, that affects staffing, because now you got to have staff watching each one of those patients in bed where before you had what the nurse to patient ratio, maybe be two to two to one to three patients to one where now you got mamas having babies, and what does that need to look like a one on one, it’s something? Can you call the doctor? Are you able to print out the strips or get the strips that are going to send you alerts and alarms to notify you. So that’s why we need to be cognizant of what the effect is on how we have our devices on the network. Because one of the differences here’s the difference. IT knows networking, they know computers and everything else. But they many of them struggle with how come we can’t patch now? They don’t understand what the difference is between a medical device and a business device where 510 K requirements are wet. FDA regulations and restrictions are for dealing with medical devices, or you can’t patch unless it’s validated, or even put anything on the system as for cybersecurity, because now you’re violating that system and if something goes wrong with that device, it’s not on the manufacturer because you just altered it. It’s on the hospital. It’s on you because that’s not what you supposed to do.

Chyrill Sandrini  19:44

Yeah, so let me ask you ladies. So I’ve been hearing the patches need to be completed, but yet the cost to make that happen, or the staff to make that happen and just aren’t available. And they’re trying to find ways around to get these patches down and create this budget that wasn’t in the budget before find this money. Do you find that that’s what’s going on out there, and why many people are delaying patches and upgrades?

JC Newell  20:18

I will say one of the biggest problems we have is the IT to Biomed collaboration. Because many patches can be given to the facility from the vendor. And if it’s a tested and try patch. IT gets involved. And if they get involved in they agree to work with the Biomed team to test that patch on a device to see if the device can take it, then it’s definitely one where the collaboration between IT and biomed, and they get together, and they determined, Hey, these are devices that need the patch, technicians have to do PMs anyway, they have to do repairs anyway. So why not just integrate that patch as part of your PM or that update? Not only are you saving the hospital money from having to call a vendor out to patch all your devices, but you’ve breathed in a stronger collaboration and relationship between your IT and Biomed teams.

Chyrill Sandrini  21:23

So one of your biomed manager fills the other way back that they don’t want to work with it. And they that’s it path patching is their job, not mine?

JC Newell  21:31

Right. And you know, that has been a systematic problem with our field for years, this comes into well, that’s not my job. That’s their job. But like I was saying to the wall is and in until the device towards the device is Biomed behind the wall. That’s someone else, whether it be facilities or IT. And we have to move past that, to see if we can do more because now the dangers and securing of a medical device is different. It’s not just if the device fails on a patient, it’s not just if they have the wrong syringe in the to the PCA pump or something like that. Now is bigger, was the device hacked? How can I biomed tell if it was hacked? If there’s a hacking going on right now, if the device has been infiltrated? How can we tell. And that comes with more education, more knowledge and more collaboration. And this brings me back, Chyrill, to why I-HTM exists. We created this site to bring us all together so that we can collaborate more learn from each other for because for a lot, IT feels as if biomed is only break-fix. And we’re way more than break-fix. Biomed feels as if IT can’t do any more than sitting behind a desk and being desktop support. And they do way more than that. But together, they’re invincible. Together, they strongly take care of patients, if they come to a place where they understand where each other are. Let’s get together Let’s learn. Let’s learn what each other does. Let’s put that together and protect our patients. Protect our hospitals, if that makes sense.  Yeah, that makes a lot of sense.

Almetha Ford  23:35

Well, I come also from another aspect. And that’s what makes I-HTM so great. Because each of us come with our own aspects of the same struggles and how we look at it. So there is a biomed and IT collaboration that really needs to happen. Health care, what really affects that is health care organizations and manufacturers. So last year, December 29. The federal government has this OMNIBUS bill that they pass, things that they added in there, which finally gave some teeth and made some partnership requirements was the medical device portion of it where now they have to have a scheduled patch and release where before they either did it or they didn’t and it was always hanging in the road. They have to have a timeline for all of your new products. As of October, they have to have vulnerability management program in place, a patching process and timeline in place. They also have to have incident response. How many times have you sent out and asked about when there was an incident or something like that the manufacturing could be cybersecurity and you’re waiting and you’re waiting and you’re waiting? I’ve waited six months for a response and stuff. The other thing that I find that is extremely interesting. Now you don’t just have accessories Did you know that when you have your medical devices and stuff your systems integrated and in put in your IDI, your CT, radiology devices and stuff, they give you a firewall, but your firewall is an accessory? Well, what are assessories? They don’t even worry about those. So now, anything sent for cybersecurity components for your medical devices can park considered part of that system? So what happens when you have obsolete firewalls on your systems? Because your systems are 15, 20 years old? Who’s handling that? The other part of that is how many people how many healthcare systems now incorporate up to date cybersecurity requirements components in their contracts and their service agreements? Most of them don’t.

Chyrill Sandrini  25:49

And how many actually know and understand it, especially rural health, right? Critical Access. So we’re providing vital vital care to people there are not in the big cities, they don’t, how are they?

Almetha Ford  26:01

Many of them don’t say in our service agreement, patches are provided in our service agreement, you have show me the process for your incident response for when we have an incident, so we’re not chasing the field engineer. And so if we have a straight response, because of the timeline, we have to go through to do that, who is the person that we need to say, hey, we’re getting these vulnerabilities on our systems and stuff. I can’t just send you an email for all the stuff and over and over and over again, what is the accountability of that? Are you putting those things in your contracts, and in many cases, they’re non-existent. And a lot of if you go and look at your, your contracts and your purchases, so I would, that is something that needs to be the marriage between manufacturer and healthcare organizations. I think if more of them start adding that and demanding that it will help be the voice of the customer, to the manufacturer, and kind of dictate itself to where that where the where the demand, they will do it.

Chyrill Sandrini  27:07

Yeah, and that’s why I think Biomed should be more involved in Purchase Services as well.

JC Newell  27:11

Yes, absolutely. And you know, what I, for the life of me, I kind of see it as more often than not, you have a Biomed tech or Biomed team, just as you know, they’re just waiting for them to tell them if something is on the doc, or they don’t have a relationship with supply chain, where they’re saying, hey, we need to get more involved on what can be purchased and what cannot. But this is interesting, too, there are a lot of facilities and departments that don’t have a seat at the table for their Biomed tech. Your Biomed tech is integral to your capital equipment planning, what you’re getting ready to buy, they have a bigger job than just if it’s you bring it in, we onboard it, we put it in the CMMS. And then we do a patch on it. Now, we can help you determine whether or not that device is safe enough to be in your hospital before you purchase it. We can check FDA adverse events to find out how many patients were hurt or killed for that device before you buy it. We can also check other facilities to see how much it costs them to repair that device over and over again. So to see Is it is it more expensive to repair it than it is to buy it? You know, but we can also give alternatives for devices. So you have more than one to choose. You have vendors going into hospitals, they tell the doctors and the nurses about these devices. And they’re like, Well, I want one I want one. But let Biomed be your arm, let HTM be your arm, let us look into that advice you want to buy, let us tell you whether or not is worth buying. We have that skill set. And that’s what we also bring to the table to help support facility. But a lot of hospitals don’t use us that way.

Almetha Ford  29:05

So I think part of that is too because people don’t really understand. I don’t think that they understand what it takes for people to become Biomeds. They’re either military trained, which means yours. They are Associate’s Degree trained, which is yours, or they are Bachelor’s Degree or Master’s Degree trained. Very, very, extremely few presenters just come off the street saying hey, I can touch a medical device. There are years of training and then years of experience that goes into you becoming an Biomed Tech. You can’t just take a six month training class and just say you’re a Biomed it takes time you can be an apprentice whenever else to start moving up to do markets are not going to give you higher end stuff until they tested your competency and make sure that you know it as opposed to a person. It’s easier for me to train a person in biomed in six months to understand and work with IT devices than it is for me to get an IT person to learn biomed to be a decent Biomed with some general overall experience is meant to me a minimum of 5 years, then only education, you got to come in to the hospital, you got to go from thermometers to pumps and infusion pumps, bedside monitors, telemetry monitors every single repair, we have to see we have to know general functionality, we have to work with the field engineers, we have in the manufacturers, we have to read the manuals, service and user because we’re also training the staff. So it’s easier and more beneficial if I get a Biomed person and teach them IT. Because then they’re learning networking. They’re they’re networking, servers, computers, and most of them already know computers, because they’re dealing with patient monitoring and stuff and other stuff that’s connected. So I think there’s a confusion on the knowledge skill set of what HTM, Biomed, Clinical Engineers bring to the table. I think of maybe some people had a day in the life, they would be surprised.

Chyrill Sandrini  31:21

Yep, I agree. And you know, it’s really a professional career space. Yes, it’s not a technical school. Right? Why is it has a lot of technical components to it. But this is a professional career space, and there’s a lot of opportunities to grow, and to increase your education on your own. So if you’re talking to a young Biomed, today, a five year Biomed what are some of like words of wisdom that you can like throw out there and say, Why? Why did you stay in here, when you can go here, when you see it in somebody, what skill sets they can start looking for?

JC Newell  32:00

Oh, I always Okay, so when it comes down to Biomeds that have been in for five years, it’s about the grind, be hungry, go out and shadow everybody eat it up, go and learn as much as you can learn. But after that, take yourself to the next level, go and get your IT certifications. CompTIA+ a Security+ anything that they can get there. There are a lot of programs that offer free training, free certifications, get it add to your skill set, when it comes down to the education and associate’s degree is really all you need in our field. If you want to go for more education than that, go and get a business degree so you can learn management. Because that’s your next step. You need to be focused on, once you hit five years, you’re ready to step into the zone to where you’re ready for more responsibility. Ready to do more, you’re ready to go and pick up modality. At year 4, you should be choosing your modality. Do I want to be an imaging specialist? Do I want to be ultrasound do I want to be anesthesia? Do I just want to be a general biomed and we’re going to everything. So but in all of that my favorite words of wisdom are sometimes you have to take a step back to move forward. Sometimes you have to take a job that pays you less and gives you more capability. If you are going to another position and they want to pay you less, but they’re going to teach you imaging for free. Take it

Almetha Ford  33:35

I have 2. So one of them is don’t be afraid to travel. Opportunities are not always next door. And it benefits you to explore. I’ve been to Alaska, I’ve been in South Carolina, I’ve been to different places yes I’ve been. I’ve been all over New Jersey, Philly. It’s been given me such a broad experience with different companies to learn skill sets, different locations in hospitals and stuff like that to see what’s common and what’s different amongst them. So don’t be afraid to make those moves all for you. And those are your learning lessons and learning opportunities to help you move up. The other thing I would say is what one of the points that Jules stated is, be hungry. Stay if you got field engineers out there, don’t just let them come in and do the repairs and do stuff with the system. I’d be right with them. I’d be seeing what they’re doing and learning with them. They’re doing it there’s a network I learned that network. What APs are connected, I’d be drawing network diagrams I’d be ahead of the game with all that, knowing that because now when people have questions, who are they going to come to? You can come to me, because I have it, and they know I can do that and do the skill set, and then they’ll be more reliant on me, which helped me move up. The other thing I would say is don’t be afraid of those opportunities. So with biomed, you’re doing installs, you can help with project management piece of it, work with that project manager, learn project management, so you can then be part of those installs, manage those installs, have more control and influence over those installs. So and get your project management certification…

Chyrill Sandrini  35:34

Okay, so this is a first for HTM Insider this conversation so much friend, I know it’s kind of ending kind of different than usual, but this is gonna be part one of two parts of the conversation with JC and Almetha. So stay tuned. Again, you still get a CPE credit if you’ve listened through tech nation as this episode as well as the next episode. Check us out, follow us connect with us on LinkedIn, Facebook, Instagram, all those things, and we look forward to seeing you next time on HTM Insider.

Transcribed by