Often people ask me how Kathy and I are able to care for 126 animals, grow half our food, and continuously develop 15 acres of wilderness into a farm. My wife took this photo after my recent orchard work which seems to indicate we have supernatural help!
Last year we started the summer with 20 guinea fowl and ended the summer with 70 guinea fowl. At this point we still have 60 and every day we listen for the distinct call of a guinea sitting on a nest (it sounds like a seagull). We empty the eggs and offer them to friends. The ones we do not find in the deeper forest, the raccoons tend to eat. Thus far, we’ve had a successful guinea contraceptive program in 2015. We do have a friend in Connecticut who wants guinea fowl, so if we miss one nest, we'll have a friendly home for the chicks.
I’ve put the last coat of water seal on the hoop house back wall, so now our 24x17 foot equipment space is fully ready for winter.
Speaking of winter, this week we received 2 tons of Chaff Hay - a prepackaged blend of alfalfa and molasses that provides extra energy to the alpaca on cold days. Soon the second cut orchard grass hay arrives to fill the barn loft, signaling that we’re fully stocked for the 6 months of cold ahead.
Next weekend we release the pheasants we’ve raised from eggs - 6 females and 1 male. They’re beautiful birds and our hope is that they will free range on the farm property for years to come.
As I mentioned last week, I am designing a 12x12 foot tree house, ten feet up in an old oak tree. I put one of our orchard ladders on the tree and climbed up 20 feet to assess the view.
With a tree house floor at 10 feet, my eyes will be at 16 feet. Here’s the view from the perspective of where the treehouse will be. The engineering required to keep a large tree house in the tree will include 2 nine inch tree attachment bolts, 4 cantilevers, and construction on the ground that is raised into the tree at the appropriate time.
I've marked the tree with builder's twine at 8 feet and 10 feet. I've decided the floor will be placed at 10 feet. Next weekend, I'll pick up fourteen 2x8x12 joists and get started.
The upland area at Unity Farm will have a treehouse, what about the lowland near the marsh? I've toyed with the idea of weaving thin willow trees together to create a Hobbit House. More about that next week.
As president of the Mayo Clinic Platform, I lead a portfolio of new digital platform businesses focused on transforming health by leveraging artificial intelligence, the internet of things, and an ecosystem of partners for Mayo Clinic. This is made possible by an extraordinary team of people at Mayo and collaborators worldwide. This blog will document their story.
Thursday, August 27, 2015
Wednesday, August 26, 2015
The August 2015 HIT Standards Committee
The August 2015 HIT Standards Committee marked the beginning of an important transition.
As work on Meaningful Use winds down, it is being replaced with work on Obama’s signature precision medicine initiative and planning for the 2016 Interoperability Standards Advisory.
At the same time, many of the longstanding HIT Standards Committee members have reached their term limits and are being replaced by new experts. I will leave the group in January.
We began the meeting with a Precision Medicine Task Force Update by Leslie Kelly Hall and Jon White. As we think of the future of diagnosis and treatment, many patients want their lifetime healthcare information, including phenotype and genotype, available to clinicians so that best evidence can be applied to care planning. This task force aims to ensure the common data set of the future includes all such data elements.
Next, we heard the Interoperability Standards Advisory Task Force Update by Robert Cothren and Kim Nolen. This work is critically important (and very well done) because it outlines the direction of standards to be piloted, investigated and possibly adopted over the next few years. The “Dixie Baker Standards Maturity Model” was used when considering the readiness for adoptability of emerging standards and technology. The group recognized that regulation should only include those standards which have been tested in the real world and deemed appropriate for a particular purpose. The Interoperability Standards Advisory, which is sub-regulatory guidance, enables us to predict what the future will bring based on the trajectory of the industry. This is especially important if Meaningful Use regulation is deferred/delayed. Yearly publication of expert consensus advice about emerging standards for a list of enumerated use cases would be very helpful to the industry.
Finally, Steve Posnack outlined the formation of a new task force to review the optimal vocabularies/code sets to be used in government mandated quality measurement programs.
The meeting did not include a discussion of the timing of new Meaningful Use regulations. All such material is still being reviewed by various agencies.
I look forward to the Fall discussion and the introduction of new committee members. As Wes Rishel has told us, if you change the committee, you change the consensus. Will Standards recommendations in the future take a different course? We must wait to see what new expertise joins the group in the months ahead.
Thursday, August 20, 2015
Unity Farm Journal - Third Week of August 2016
As I’ve mentioned before, farmers really do not take vacations. Life on the farm is a vacation. Compared to the stresses and anxieties of the real time connected world, hauling hay, cleaning barnyards, and growing vegetables is meditation.
During August, my “summer vacation” has consisted of working remotely Mondays and Fridays, giving me 4 day weekends on the farm. The hoop house is now done, fully wired with a 20 amp circuit for power/light, and stocked with our farm equipment. The workflow in the barnyard is substantially improved by having all the tools and machinery in close proximity. Our barns and outbuildings now have more room for animal care and food storage. Our re-engineering efforts have been successful.
As the summer winds down, my list of undone projects is shrinking. The late summer vegetables - tomatoes, eggplant, peppers, and squash - are all nearly harvested. Early fall plantings of lettuces are done.
All our vegetables are fully organic and the lack of pesticides/herbicides means that natural predators such as garden spiders thrive in our hoop house. Here’s a photo of “Charlotte” and her eggs.
Next weekend, I’m continuing to prepare the farm for winter, replacing a barn door, staining/painting aging wood, and repairing gates.
There may still be a project or two I can sneak in before the weather gets cold. How many times have you asked yourself - how do I build a 12 foot octagonal tree house 10 feet off the ground in a 50 foot oak tree….
Wednesday, August 19, 2015
FY16 Strategic Planning
As we gather together stakeholders for strategic planning of next year’s priorities, what are we hearing and what have we learned?
1. Clinicians are overwhelmed by the current demands of Meaningful Use, hundreds of quality measures, population health, care management, and patient/family engagement. All of these are good ideas individually but the sum of their requirements overwhelms providers. In an era when we’re trying to control costs, adding more clinical FTEs to spread the work over a large team is not possible. The end result is that providers spend hours each night catching up on the day’s documentation and are demanding better tools/automation to reduce their strain. However, current EHRs are in an early stage of development and are data capture tools rather than customer relationship management systems. As we gather requirements for FY16, we’re thinking about the projects that could be innovative breakthroughs, replacing human work with a next generation of technology and workflow.
2. The consumerization of software (BYOD devices and apps) has created infinite demand and high expectations. The difference between the $2 app and the $2 billion dollar EHR is that the $2 app is easier to use, more convenient and possibly even more useful. There is no question that EHR transactional systems will need to exist to support compliance and regulatory imperatives, but increasingly we’ll look to third party apps to provide modular functionality on top of the transactional systems.
3. The cloud is clearly the way that people want to work. Social networking ideas of collaboration, file sharing, availability anywhere/anytime, multiple device support, and convenience are driving forces. The good news is that Amazon Web Services offers low cost, HIPAA compliant hosting/storage/groupware/mobile support. We’re learning as much as we can about AWS.
4. It’s increasingly difficult to balance supply and demand for IT. Stakeholders prefer to discuss the vision for the future rather than the details of allocating existing resources in the present. Incremental progress no longer feels satisfactory and users want a big leap forward. The solution to this quandary seems to be spreading work among as many parties as possible - IT, third party solution providers, business owners, power users, and energetic innovators. Unless there is a sense of federated collaboration, build and buy, central and local support, IT will be seen as the rate limiting step.
5. ICD10, the Affordable Care Act, Meaningful Use, and the HIPAA Omnibus rule may be the focus of regulators and legislators, but they are not the focus of most users. Stakeholders want to know when their projects will be accelerated and when the distraction of federal regulations will end. Big change management projects in IT are hard on users, forcing them to accept decreased short term service for long term gains. The problem is that the agenda of most IT departments has been co-opted by federal programs and the users are no longer willing to wait. This is one of the reasons I have suggested that Meaningful Use Stage 3 be deferred. Providers and the industry need more time to catch up on all the deferred projects and adjust to the thousands of pages of new regulations that have already been finalized.
With these observations, what are we planning to do in FY16? Over the next month, we will present a 5 page list of “bottom up” stakeholder enumerated high priority projects, categorized as core, advanced, and innovative.
Stakeholders will refine these categorizations and I hope they will collaboratively agree on focus areas for the FY16 and beyond. I look forward to optimizing our governance, our projects, and our vision to accommodate the needs of stakeholders in the post Meaningful Use era.
Thursday, August 13, 2015
Unity Farm Journal - Second Week of August 2015
Although there really is no such thing as vacation for a farmer, I am trying to work from home on Mondays and Fridays in August. I saved on commute time and had a few hours free between phone calls to catch up on the University of Massachusetts Farming and Sustainability courses that my wife and I are taking. It’s finals week and my 22 year old daughter was very amused by my comments - “I have a paper to write, a final to study for, and 300 pages of reading, where will I find the time?”.
At this point, the course is done and I’ve learned a great deal about post harvest management of fruits and vegetables.
Our barnyard redesign is making good progress and we’ve laid down a new roadbed of crushed rock and top dressed it with gravel. The new hoop house to store all our farm equipment is going up - it’s a kind of barn raising at a small scale. Here’s what the process looked like, including the extra help from the geese.
Our barnyard is pure New England soil filled with rocks, roots, and gravel. Pounding 14 footings 2.5 feet deep was really challenging. Some were easy and some required a post hole digger/crowbar/axe combination. It all worked in the end and we’ll add the polyethylene to the frame next Saturday once the wirelock channels for attaching the plastic arrive.
As you can see, the Terex now has a year round home in the barnyard and soon all our machinery will be in this new hoop house, ready to use where it is needed most, next to the animals, outbuildings, and paddocks.
Kathy is hard at work making sun dried tomatoes from the 10-15 pounds I pick every evening.
Next week I'll bottle a few kegs of honey lager and a mild British Bitter. As Fall approaches I'm planning on the Porters and Stouts that will carry us through winter.
During the August vacation hiatus my writing slows, but more IT related posts are in the works about our FY16 application and infrastructure strategic planning process. More to come soon.
Thursday, August 6, 2015
Unity Farm Journal - First Week of August 2015
My daughter returns from Japan on Friday and we’ll hear all about her Summer traveling with David, her fiance. They plan to marry next year once Lara has finished her Tufts studies. Lara is a Japanese major. Will they live and work in Japan? The future is theirs to make. We look forward to a wedding on the farm next year!
Although August is typically the hottest point of summer, we’re already preparing for winter.
August is the time that bees need extra nutrition to build up comb and food stores during a dearth of nectar caused by the dry/hot August weather. We’re adding “bee tea”, a mixture of sucrose, spearmint, and bee balm to feeders in every hive. We’re adding pollen patties (a soy-based protein supplement). We’re making sure they have access to flowing water - the various fountains around the farm. We’re very selective in our harvesting of honey, leaving 80% for the bees. This week we harvested 30 pounds, a portion of which became 3 kegs of Unity Farm Honey Lager.
We did an inventory of the creatures living at Unity Farm and the current count is 126:
60 Guinea fowl
9 Three year old chickens
9 Ten week old chickens
7 Nine week old chickens
4 Six week old chickens
8 Ducks
3 Geese
2 Great Pyrenees Mountain Dogs
3 Cats
13 Alpaca
1 Llama
7 Pheasants (to be released into the wild Labor Day weekend)
That does not include the 250,000 bees.
Every day these animals need food, water, and attention. The dogs get two runs a day. The geese follow Kathy during her daily routines. The ducks, chickens, and guineas spend 12 hours a day wandering the forest and scratching for worms in the barnyard. Our role is to keep them protected from predators, keep the peace among all the various species/age groups, and to provide medical care for infections or any physical harm they experience. All the poultry free range, so our evenings include herding the young chickens into the coop during the period they are learning how to integrate into the pecking order. This season, we've only lost one chicken, which fell into a 50 gallon watering trough. We’ve since removed the trough, placed all water buckets on wall brackets, and standardized on enclosed watering systems for the birds.
As part of our effort to redesign the barnyard, we now manage manure 1000 pounds at a time using a 12.5 cubic foot dump cart with a trailer hitch attachment for the Terex front loader. In the past we stored 10,000 pounds of manure in a composter in the barnyard and moved it once in the Spring and once in the Fall. Now we can move it in smaller batches, reducing the size of our storage area, and the mess of a 10,000 pound move one Terex bucket at a time. So far, so good.
Kathy and I are continuing our University of Massachusetts Farming and Sustainability Certificate program. Our current course in post-harvest produce management has been very helpful. The hundreds of pounds of fruits and vegetables we've harvested this season are now stored in exactly the right temperature, humidity, and ventilation conditions. With every passing day, we're becoming better farmers and learning from our mistakes. When the zombie apocalypse comes, we'll be sustainable!
Wednesday, August 5, 2015
The Security of Medical Devices
Last week the U.S. Food and Drug Administration advised hospitals not to use Hospira's Symbiq infusion system, concluding that a security vulnerability enables hackers to take remote control of the system. The agency issued the advisory some 10 days after the U.S. Department of Homeland Security warned of the vulnerability in the pump.
My view is that this will be the first of many advisories.
For years, manufacturers of medical devices depended on the “kindness of strangers” assuming that devices would never be targeted by bad actors. EKG machines, IV pumps, and radiology workstations are all computers, often running un-patched old operating systems, ancient Java virtual machines, and old web servers that no one should currently have deployed in production.
In the short term, hospitals must do their best to isolate medical devices from the internet and from other computing devices that could infect them. At BIDMC, we have three wireless networks:
A guest network for patients and families
A secure network for clinicians and staff
A device network for medical devices that is not connected to the internet or the other two networks.
Further, we use firewalls around medical devices to prevent them from communicating to outside parties.
Over the past few years, I’ve asked medical device manufacturers to give me a precise map of the network ports and protocols used by their devices so that I can build a “pinpoint” firewall - only allowing the minimum necessary transactions from/to the device. Many manufacturers do not seem to know the minimum necessary communication requirements for their products.
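The "pinpoint" firewall idea above can be checked against real traffic: the following is an added example (not code from this blog or from BIDMC) that treats a vendor's port/protocol map as a default-deny allowlist, flags observed flows that fall outside it, and lists documented rules that never carried traffic. The network ranges, addresses, ports and rule descriptions are all constructed for illustration and do not describe any real device.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str      # source CIDR
    dst: str      # destination CIDR
    proto: str
    dport: int
    purpose: str

    def matches(self, flow: Flow) -> bool:
        return (flow.proto == self.proto and flow.dport == self.dport
                and ip_address(flow.src) in ip_network(self.src)
                and ip_address(flow.dst) in ip_network(self.dst))


# Constructed layout: one isolated device network inside a 10.0.0.0/8 hospital network.
DEVICE_NET = ip_network("10.50.0.0/24")
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed "minimum necessary" map, as a vendor might supply it (hypothetical ports).
VENDOR_MAP = [
    Rule("10.50.0.0/24", "10.20.5.10/32", "tcp", 8443, "device -> drug-library server"),
    Rule("10.50.0.0/24", "10.20.5.11/32", "udp", 123, "device -> internal NTP"),
    Rule("10.20.5.10/32", "10.50.0.0/24", "tcp", 9100, "server -> device status poll"),
]

# Constructed flow records, e.g. summarized from firewall or NetFlow logs.
OBSERVED = [
    Flow("10.50.0.21", "10.20.5.10", "tcp", 8443),  # documented
    Flow("10.50.0.21", "10.20.5.11", "udp", 123),   # documented
    Flow("10.50.0.22", "203.0.113.7", "tcp", 80),   # device reaching outside the hospital
    Flow("10.30.8.40", "10.50.0.21", "tcp", 23),    # workstation connecting into a device
    Flow("10.50.0.22", "10.50.0.21", "tcp", 445),   # device talking to another device
    Flow("10.30.8.40", "10.20.5.10", "tcp", 443),   # does not involve the device network
]


def touches_device_net(flow: Flow) -> bool:
    return ip_address(flow.src) in DEVICE_NET or ip_address(flow.dst) in DEVICE_NET


def classify(flow: Flow, rules) -> tuple:
    """Default-deny: a flow is allowed only if a documented rule matches it."""
    for rule in rules:
        if rule.matches(flow):
            return "allow", rule.purpose
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src in DEVICE_NET and not any(dst in net for net in INTERNAL_NETS):
        return "deny", "device network reaching an external address"
    if dst in DEVICE_NET and src not in DEVICE_NET:
        return "deny", "undocumented inbound connection to a device"
    if src in DEVICE_NET and dst in DEVICE_NET:
        return "deny", "undocumented device-to-device traffic"
    return "deny", "undocumented outbound connection from a device"


def audit(flows, rules):
    """Return (flow, reason) for every device-network flow the allowlist would drop."""
    findings = []
    for flow in flows:
        if not touches_device_net(flow):
            continue
        verdict, reason = classify(flow, rules)
        if verdict == "deny":
            findings.append((flow, reason))
    return findings


def unused_rules(flows, rules):
    """Documented rules that no observed flow exercised: candidates to tighten or drop."""
    return [rule for rule in rules if not any(rule.matches(f) for f in flows)]


if __name__ == "__main__":
    for flow, reason in audit(OBSERVED, VENDOR_MAP):
        print(f"DENY {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
    for rule in unused_rules(OBSERVED, VENDOR_MAP):
        print(f"UNUSED {rule.proto}/{rule.dport} {rule.src} -> {rule.dst} ({rule.purpose})")
```

Running the audit over a baseline period before enforcing the rules also helps when a manufacturer cannot supply a complete map: each denied flow is either a missing entry to confirm with the vendor or traffic that should not exist.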
A few years ago, BIDMC had a reportable breach when a medical device manufacturer removed our hospital provided security protections in order to update a device from the internet. It took about 30 seconds for the unprotected device to become infected and transmit data over the internet. The Office of Civil Rights adjudicated that it was the manufacturer, not BIDMC, which was responsible for the breach. We were advised to follow any visiting manufacturer reps around the hospital to ensure that they do not remove hospital provided security protections in the future.
Some manufacturers have claimed that adding operating system patches, intrusion detection/prevention and other cybersecurity defenses will require them to re-certify their devices with the FDA.
That is simply not true. The FDA has issued guidance declaring it the responsibility of the manufacturers to secure their devices. No re-certification will ever be needed for adding new protections.
In the short term, CIOs need to build “zero day” defenses, creating an electronic fence around vulnerable devices. In the medium term, manufacturers must update their products. In the long term, medical devices must be designed from the ground up with security as a foundational component.
Whenever I write about a topic, I avoid hyperbole. In this case, the threat is real, I have experienced it myself, and CIOs must act.
My advice, after securing your own perimeter - get the CTOs of your medical devices on the phone and ask them for their security roadmap. If they do not have one, plan to change your vendor. We’re already doing that with some devices because attention to this issue by some manufacturers has been insufficient.