The Evolution of Healthcare Asset Management

Subscribe on your favorite platform:

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The complexity of managing physical and virtual assets in increasingly digital healthcare environments creates a dauting task for security professionals. Fortunately, some promising technologies and standards are beginning to emerge to help evolve capabilities for identifying, tracking, and securing healthcare assets across the enterprise.

In this episode with Susan Ramonat, CEO of Spiritus, we discuss trends in asset management standards development, distributed ledger technology, medical device tracking, regulatory activity, and more.

Highlights of the discussion include:

  • The future of healthcare asset management including service models, unique identifiers (UDI), RFID, geolocation services, and predictive analytics
  • Lessons learned from Scotland's deployment of distributed ledger technology in the healthcare provider setting
  • Software Bill of Materials (SBoM) standards from the FDA and other groups like National Telecommunication and Information Administration (NTIA)
  • Using distributed ledger to help with infection control from asset movement for outbreaks like the coronavirus
  • Software and data asset management approaches
  • The role of IoT and IoMT technology solutions
  • People, process, and governance considerations for healthcare asset management programs
  • Responding to industry-wide medical device vulnerabilities like Urgent 11
  • Proposed federal investments for the FDA for medical device security

As CEO of Spiritus, Susan draws upon 25 years of executive experience in financial services and healthcare with roles in enterprise risk management, product management, technology strategy, corporate development, operational risk management, and cybersecurity.

She speaks frequently at industry conferences and universities about DLT/blockchain, artificial intelligence, IoT and cybersecurity for critical infrastructure. The Spiritus technology solution connects the dots to ensure medical devices are safe and in good order at the point of care. More broadly, their experts support health systems and rewire their GRC processes for digitally-enabled clinical operations.


[00:00:17] Welcome to CyberPHIx, the audio resource for information security and privacy, specifically for the healthcare industry. I'm your host, Brian Selfridge. In each episode, we'll be bringing you pertinent information from thought leaders and healthcare information, security and privacy. In this episode, we have the opportunity to speak with Susan Ramonat, who is the CEO of Spiritus. And has extensive experience both inside and outside of healthcare with our topic of asset management, distributed ledger technology and medical device security. So let's dive right into it this week.

[00:00:54] Hello, welcome to CyberPHIx. This is your host, Brian Selfridge. I would like to welcome our guest, Susan Ramonat. As CEO of Spiritus, Susan draws upon 25 years of executive experience in financial services and healthcare. With roles in enterprise risk management, product management, technology strategy, corporate development, operational risk management, and cybersecurity. Plenty of coverage there for us to talk about. She speaks frequently at industry conferences and universities about distributed ledger technology and block chain, artificial intelligence, IOT, and cybersecurity for critical infrastructure. The Spiritus Technology Solution connects the dots to ensure medical devices are safe and are going to work at the point of care. More broadly, their experts support health systems to rewire their GRC processes for digitally enabled clinical operations. So a lot of worthy missions there for us to discuss and experience to tap into. And I'm excited to speak with Susan today about asset management, distributed ledger technology, and her experience with IOT and medical devices. So all of that said, Susan, welcome so much to CyberPHIx. Thank you for joining us.

[00:01:59] Delighted to join you.

[00:02:00] Great. I'm looking forward to talking about asset management in particular. That seems to be the issue that continues to be a mess for healthcare entities in terms of both their physical and software asset management lifecycle, I think our audience knows well that challenge, and then you throw out medical devices into the mix, and it gets even trickier these days. So we're looking forward to hearing your thoughts on some of the pragmatic approaches that organizations use to take advantage of emerging technologies like distributed ledger and related processes. So can you help us imagine, with some of these new technologies, what would asset management look like in the future, five to 10 years if we put in all this cool tech? What do you think distributed ledger and other technology could do for us in the grand vision of the future?

[00:02:47] Well, certainly when you talk about a time horizon like five to 10 years, you need to think in strategic mode. And emerging technologies need and should be brought to bear. A key point here is service model fragmentation, whether it's the biomed in clinical engineering teams, the health system, the manufacturer's representative, a certified representative said of the manufacturer, has that on their behalf or a third party service provider engaged by the health system. Now, you could have any and all service models across an asset inventory that it could be in a hundred thousand or more totals, when you start to look at hundreds of beds. So clearly this environment is quite complicated. And it said a service environment that I think is a real challenging one. While technologies are important to that, this is a fundamental business, a commercial issue that's quite fraught with a lot to address. That said, taking that time horizon out, certainly, cornerstones in terms of progress will be data standards. Here, I'm thinking of unique device identifiers, UDI, as required by the FDA. I think that manufacturers, health systems, and tech providers now recognize the division for UDIs is ambitious, but there's a lot of sleeves rolled up work to be done in the coming years to ensure that device identifiers with the device and product information goes up and down through the supply chain and importantly into the EHR, so you're able to carry device information right down to the patient. Should there be adverse events, you want to  report back or recalls you need to act on and hear how security becomes significant and important. There's a lot of work to be done, a lot of detail here, a weaving together from integration standpoint. So whether it's use of data standards and EDI and then wiring up an integration of systems within the health system, connection to their distributors as well, there's a lot of work to be done there. That's  foundational and very important. So I don't want to lose sight of that.

[00:04:57] When I pull back the lens to look at emerging technologies back to that service model, one thing that's lacking is the ability, as we have and when we think about used cars, to have, if you will, a CarFax for a medical device. Because of that fragmented service model, it's very difficult to create a chain of custody reflecting changes in ownership through the operating life of an asset. As Well as physical movements and location, and importantly, a single service history view, where parties are able to share, selectively, data information about the device service activities, whether those are routine maintenance and repair, inspection testing and certification work could be calibration, as well, recalls the corrective actions that have been taken and then as a device moves through its decommissioning cycle and potentially to an afterlife, if you will, a second life, either through auction or direct sale, a service history that might be portable.

[00:05:59] So being able to bring that to life. This is where a distributed ledger is fascinating, because the extent that you have the ability to selectively share data on a shared registry with the appropriate permissions among the parties to ensure only that data that's necessary to provide assurance at the point of care is shared. Recognizing the interests of the various parties, but really being able to capture that service history and any updates to that. Regardless of the actor, it's specific to the asset. And with it associate artifacts and attestations as to the work that's been done. So it might be the replacement of a power supply or an insulin set for infusion pump. It may well be a patch. That's a routine patch or unfortunately, to the extent, there may be a vulnerability identified. Likewise, a patch or an upgrade that has been performed, regardless of the party involved. So that's the distributed ledger piece. I'm certainly happy to to share more about that. But if I round the picture out, other technologies that are important and uptake will be important, here is the use of RFID, whether active or passive, scanning technologies more generally at the point of care, geolocation services. And importantly, putting to work the analytics that you'll be able to drive over time and getting in on your front foot with predictive analytics. So here, whether it's a machine learning based or otherwise, those are the technologies I see bringing to bear over the next five or 10 years.

[00:07:36] That's great. So if there are emerging and we've got DLP, we've got predictive analytics, we've got all this cool stuff coming out. How heavy is the lift for some of these implementation? Is this something that we have got to go all in on and do a big implementation lift? Is there any way to dip our toe in the water with laying the groundwork for some of these cool technologies?

[00:07:56] Sure. Probably good to put that in context of what is most visible and viable in the short run, that there's value from the standpoint of health delivery organization. And what are those things that are in their Genesis stage? And not quite visible or just moving into sort of a custom environment that we can see productized? And how does that sit up with those things that are commodity offerings down the road, you know, that are, whether standards based or otherwise, the technologies you're counting on. Surely from the standpoint of what you're trying to deliver in terms of clinical outcomes, surely that performance from a procurement standpoint, assurance and the sound risk management, you do want to have the ability to take that full asset servicing lifecycle into account, be able to accommodate enterprise asset management systems, CMMS systems, that are in the market. I think there's going to be a lot of progress there in terms of bringing that together with a predictive maintenance, certainly on capital equipment. And you know, there's more expensive devices with a long involvement. But remote monitoring and management as well will come into play. When I pulled back the lens and look at distributed ledger, the other thing I would offer is progress on software bill of materials.

[00:09:14] So let me cover that piece first and then come back to the distributed ledger. As your audience may be aware, the FDA is looking sometime this year to get draft guidance out on a software bill of materials. What they may not be aware of is the National Telecommunications and Information Agency has, for over a year, had a working group working on software component transparency, otherwise known as an S bomb. That group, after 18 months of good work, is now starting a stage two of its work. This is cross-industry. It involves key components of the Linux community, as well as generally in the agencies, experts and security. Importantly, the only industry that's actually had a proof of concept that's involved both manufacturers and their clients is healthcare. Many of the top device manufacturers have been involved in a number of leading health systems as well. So that healthcare POC will be working back and forth in the coming months with a team that is working on standards and formats and minimum viable S bomb, if you will. And then tracking that through the healthcare POC, so that health delivery organizations on their side are saying, this is the data that we would expect. Here's the formats and standards. And then manufacturers be able to look at that software bill of materials and, based on standards, how they might communicate that information timely, whether it's for asset management, generally, maintenance recall or other purposes. So I think that's in a promising initiative that I encourage your audience to stay abreast of. If they check out the NTIA website, they'll see information there and certainly open for additional participation. And that group will be meeting down in D.C. in April. I hope to join that group that at that time.

[00:11:15] On the distributed ledger side, certainly more progress in enterprises over the last several years. Financial services has progressed significantly. This is where my own familiarity with a distributed ledger, block chain arises from. We now are at the point where we do have enterprise grade protocols, if you will, that allow for selective data sharing among parties that is going across industry sectors. There's a lot of talk in healthcare about medical records and the pharmaceutical supply chain. Not as much about medical devices. I think we're exceptional in that sense that there are few folks that are realizing the opportunity here. And importantly, while the technology is making significant progress, and there's opportunity to experiment with different protocols, if you will. Importantly, key points that are here are governance and bringing together a consortium of interested players. A group of the willing, if you can think of it that way, who understand the importance of collaborating. So in the case of pharmacy, you have some of the top pharmaceutical manufacturers collaborating with shipping entities as well, picking up contract research organizations and supply chain partners. That would be an example of parties collaborating in a consortium. And here governance starts to matter. What data are we sharing? Where our legal protections? How do we handle privacy? How do we stand up operating as well as development environments to support the nodes, if you will, around the distributed ledger?

[00:12:56] And then what is it we're trying to accomplish around this case? What does success look like? This oftentimes is an area that it takes quite a bit of work and a lot of back and forth, a lot of iteration, having lead organizations, key sponsors, technology partners. And I don't want to lose sight here. Regulators are certainly involved in a price as well. The FDA and HHS more generally have given indications that they'd like to see more experimentation across a whole variety of use cases that intersect with their interests from a healthcare standpoint. And there's plenty of interest among the major health systems and, I think, a number of the manufacturers. So I'm much encouraged. I do think there's still some heavy lift here, however.

[00:13:43] So we're typically very hyper-focused on the U.S. environment, the FDA and U.S. healthcare system. But I understand you've got a really exciting project going on in Scotland with the government there around distributed ledger, for their health system. I was wondering if you could tell us a little bit about that. Any potential lessons learned that may be coming away with there that you think might be applicable here for us in the States?

[00:14:04] Surely just for your U.S. audience, the National Health Service in Scotland is actually overseen by the Scottish government as a devolved power. We were fortunate in the sense in working with the National Health Service and with the benefit of grants that brought in a university researcher who specializes in cybersecurity and block chain to undertake a pilot with the National Health Service. Their Shared Services Board and shared services organization with technology responsibility, but bring in requirements for a variety of these regional boards. Everything from beds hoists and diffusion pumps to implantable defibrillators, they're software enabled MRI machines and the like. We learned a lot. We were able to still around requirements, around the technology, insights around the use of a variety of systems. Unfortunately, there is no uniform technology implementation, even in a small country like Scotland. So some of the same problems that are experienced here in the states, they have this well. We conducted a simulation from a pilot that allowed us to bring together not only the distributed ledger to create the single service history, but we were as well able to take advantage of a simulated hospital environment, capture signals off of tagging, and then using a geo location service enabled by a GIS, create a mapping capability with a building information model or cat or can drawings as well as a geo location service that would take us to multiple facilities. So if you envision, a recall, bringing in a recall and saying, show me where all these infusion pumps are across facilities. Drilling down to those facilities and then picking up the specific location by ward and by floor, we were able to do that.

[00:15:59] It's an interesting, provocative use case, because if you extend that out to your audience's broader concern about other assets that might be on their network. We were able to pause at each case that would involve potentially infection control. So you could be looking at IOT, where you have environmental sensors and other information staff, potentially with I.D. badges that are tracking them as well. So you could roll time forward and backward, connecting the movements of an asset, say, an infusion pump or a surface that was identified and associated with patients that had a suspected suction. Roll time forward and backward and identify, if you will, patients and our staff assets that were in areas of interest as potential sources of infection or have been exposed to infection. So I mentioned that for your audience, because I think it's helpful to illustrate that a medical device focused solution and some of these areas. Sitting within the fabric of overall IOT enablement, RFID scanning and tagging technologies, that these can be complementary technologies in that there are a broader set of use cases at the same time, as they provide a whole set of challenges from cyber and privacy standpoint as well.

[00:17:18] I think infection control is certainly top of mind for a lot of folks these days with some more prominence infections roaming around the globe. So let's hope

[00:17:26] Yes.

[00:17:27] Although it would be nice to know they were to do something. So, Susan, we think about assets, and we often appropriately think about physical assets, our servers, workstations, IOT devices, mobile devices, all this good stuff. So what about less tangible assets like data, assets, software assets and trying to figure out where our data is going, to third-parties in the health system?  This may be a naive question, so you can yell at me, is there a role for distributed ledger or other similar technologies to help with software assets or data assets potentially somewhere down the line?

[00:18:10] Great. It's a good question. And with distributed ledger, there are questions that are fundamental that ought to be asked again and again. So on its face, certainly from the beginning, when considering healthcare, many have looked at the ability to track entitlements and authorizations for movement of data around the electronic health record. I don't think it's much of a reach to say you might do that around data more generally. However, now you're starting to embed into applications. So the ask is more significant. But I know from my financial services background as well, we were, almost from the beginning, looking at, from a system standpoint, how we might track movement and authorizations and access to data. So I don't want to close the door to that. There's certainly deep technical issues around that. But the idea of being able to have, if you will, a provenance around data is important. Step back into the medical device area, though, and say to the extent that over time device manufacturers are introducing adaptive algorithms or machine learning A.I. algorithms into their medical devices as part of the diagnostic or therapeutics for those. Whether it's to accompany a device as software on board or software as a medical device. FDA guidance, back in the summer of 2019 on adaptive algorithms at machine learning in A.I., certainly highlights strong software development lifecycle management practices and importantly, procedures for update.

[00:19:54] So if I step back to your question, it's interesting and provocative to suggest to the extent that data sets are being used to inform your intermediate models and the parameterization of your machine learning models and then ultimately, decision to deploy into this field, either an updated algorithm that either does a finer job across the patient population or identify sub populations. Surely the extent that you could rely on, if you will, the chain of custody around the data sets, the intermediate algorithms and models and the actual deployments and trace the provenance of those and the deployment of those. Distributed ledger might be a promising addition to that. Now, doing that at scale would be a whole other issue. Machine enabled at scale, tens of thousands of end devices, if you will, and patients. That would be challenging. So I would think that any initiatives would be rather modest initially and just trying to prove out the capability before you start asking scale questions.

[00:21:03] I think that's a great point around scale and some of these technologies and their time to market. There's a lot of great work going on. Regulators are getting involved. We see some promising use cases. But healthcare, I think, contrary to perhaps other industries like financial services, tends to walk, crawl, run, maybe lots of crawling, crawling as usual. Absent these emerging technologies like distributed ledger, what's your take on some of the other emerging solutions hitting the market for IOT medical saying some of those scanning tools? Do you think that they are providing value now? And will they be helpful, sort of bridging the gap to the future of distributed ledger? What's your take on the solutions just generally at this point?

[00:21:51] So certainly, we'd like to think that the device manufacturers, whether they're on the medical device side of things or IOT enabled, that they are extremely sophisticated in terms of security, by design, taking into account the kind of scale. But importantly, go back to my software bill of materials, that their own supply chain rigor due diligence and ability to maintain a vigilant stance as to potential exposures and vulnerabilities over time, whether it's open source components or, frankly, hardware and chipsets and the like, sensors, that they have very sophisticated capabilities. So here I get a little concerned with small firms with low cost products and components, that that work be done as rigorously and  vigilantly as possible. That said, this software bill of materials initiative I'm working for, should be both a flagship, if you will, of direction folks should go, but also discriminator as to, if you will, there will probably be firms that would attest to certain, they need a certain level one, level two, level three standard as to best practice. And what they're able to enable and support and verify that they've done in terms of their practices. This isn't unique to healthcare. It's going to be a broader challenge. Unfortunately, the burden of legacy devices equipment is so substantial that, while a health system probably could setup really strong practices in terms of the new things coming in the door and work collaboratively with industry to really establish the bar, there's always going to be this tradeoff and challenge with the legacy, environment and systems.

[00:23:36] In the end, what you're talking about, whether it's from the device manufacturer, the health delivery organization, or the intermediate or commodity suppliers whose components are represented in this. It's a developing condition, that you've got sort of tone at the top, management commitment, which is a matter of education on the part of the professionals in the health delivery organization about why this is important, an education that's not a one time meeting. You know, it's an education over time and builds over time. So the organization really has it as a standard that's reinforced by the executive team. And the underlying behaviors and incentives are aligned. And that put your technology teams where they're coming from, the traditional IP or the operational technology side. Showing the biomed and clinical specialists on a better footing, because everyone comes to work every day wanting to do the best they can. But having that sit in the context where there's a strong executive support and the associated behavioral and structural arrangements to reinforce sound solutions, I think is critical.

[00:24:40] So we've been talking a lot about the technology, which is great. I think that's where we need to enable a lot of these emerging use cases and get our act together, frankly, to start to scale, as you said, on this whole challenge. But absence spending additional capital on tech in the near term or long term. I've always enjoyed speaking with you this week because we always tend to hone in on people at process, which I think is the last thing left to the discussion, unfortunately, when we get into these projects. But is there anything that can be done from a people and process side now to reduce asset and medical device risks using existing tech and capabilities and, let's say, typical health system that you could recommend?

[00:25:22] Well, certainly the tool sets that you have today are important, but most health systems are looking at not only the asset servicing component of this and working with the collaborators, but some form of medical device, cyber tools, ensuring they have adequate device inventories and then getting in information about C.Ds, doing vulnerability scans, pen testing, and like. Those are those are cornerstone tool sets, if you will. But really important, and I think this puts an exclamation point on it, is the importance of collaboration across your I.T., your security teams, your network teams, clinical operations, certainly legal and compliance, your enterprise risk teams and the Biomed clinical engineering teams really at the center. There's no escaping the importance of that collaboration. And it's not just enough to sit in a room and talk about common problems, but if you will, I think focus on scenario based teasing out of these cases and issues that have arisen in the past using potentially vulnerabilities or incidents that have been identified outside your system. You know, what if type discussion. And make sure you get down to sort of the three degrees of separation of how this is all connected back. If I think about all those different just disciplines and functional domains and how they work together, play out a scenario and drive it down two and three levels at least to see the interconnections and put pressure on yourself to say, to what extent do I need the collaboration internally? And then importantly, how do I bring in my third-party partners, whether they're represented by the technology tools or they actually legitimately are part of my supply chain.

[00:27:16] What does that collaboration look like? So scenarios might be around a specific device and handling it, identify vulnerability. We certainly can draw on some recent examples like the urgent Levin case study, which was unfortunately really very alarming for many health systems. Or you might look at a cyber attack simulation without boiling the ocean there. Understand that it's really important to be able to bring in not only those third-parties that you engage with your suppliers and your supply chain, but importantly state hospital associations and others where you really are starting to recognize that if you've got an issue, that could ultimately compromise your ability to operate and that it could affect and have knock on effects for other health systems in your region, first responders and otherwise, I think, having come from an enterprise risk background, there's great value in getting people and process down to workflows in challenge settings, in a critical setting and know and understand and put yourself through those exercises. That really starts to build a collaboration. I think importantly, respect for one another, in terms of the expertise you have to bring to bear, and not have to exercise those for the first time when you're under stress and challenges.

[00:28:36] So we talked about the FDA a bit and the regulators needing to be in the mix here and collaborating with them and collaborating with industry. So I saw the White House proposed an 18 million dollar budget line item for medical price security directed toward the FDA just a couple weeks ago. Now, that still has to get to Congress and there seems to be at least general bipartisan support for this issue. But what are some of the things you think the FDA and other regulators could do with federal funding to improve the status quo on medical device security in particular?

[00:29:12] Well, certainly the 18 million is better than nothing, but I think continuing to double down on their unique device identifier work, take input from health delivery organizations, as well as manufacturers and I.T. organizations about what's getting in the way, how they can better utilize the good I.D. system. Other initiatives include their National Surveillance System, as well as an insistence on post market surveillance and adverse event management. That tends to be focused on performance. You know, an adverse event, perhaps more understanding that cyber needs to fit within that more explicitly would be really of value from the FDA. I've alluded to the Software Bill of Materials initiative, as well as the work on machine learning and A.I.. I think that it's really important to sink all these things up and they tend to look like separate threads. The other piece, and it's somewhat where I started this was around servicing. The team at the FDA certainly took the initiative about a year and a half ago to conduct a two day workshop involving device manufacturers and health delivery organizations and servicing organizations, some of the biggest players, to talk about how they can collaborate more in creating a shared understanding of issues around the device and the servicing of the device. These are all connected, all of these initiatives. I think it's important for the FDA to see them as connected and not see cybersecurity as a separate thread, but fitting within all of these.

[00:30:53] And I think privately, they certainly know and understand this. But I think bringing it all together coherently might be a good initiative because some of these things like UDI date back a decade. Other areas we've had updates like those on the software as a medical device off and on over the last three or four years. So getting them all on a common footing and helping to connect to the community to see how these are connected is really important. Because now we can start asking questions about that implantable defibrillator that's software enabled. That a patient goes to their attending cardiologist to have a checkup, potentially a recalibration of their device and evaluation, and arrive and have a Bluetooth or a Wi-Fi hookup to a controller and have that attending cardiologist recognize whoops there's a software upgrade or there's an issue around authentication or verification on the VPN that I'm relying on to make sure I've got current patches. We shouldn't find these things out sort of after the fact, much less have a machine learning algorithm that's supposed to be passed down to the patient population. We should be able to talk about all of these things in a coherent fashion. So that's where I would come down with the FDA.

[00:32:10] Well, I think that's a fantastic point to wrap things up here unfortunately as we ran out of time. But the idea of bringing it all together and the different entities and point solutions and capabilities out there, there's work to be done to just coordinate it all. I think that's wonderful advice for us to start looking at gluing it all together and starting to get some real value out of these different capabilities.

[00:32:31] I would like to thank my guests, Susan Ramonat, who is the CEO of Spiritus, for a wonderful discussion on asset management, distributed ledger, regulatory activity and much more, as you've heard. Susan, thank you so much for joining us. This has been great. A lot to take away and think about here for sure.

[00:32:46] Very pleased to have the opportunity, Brian. Thank you very much.

[00:32:56] Again, I would like to thank my guest, Susan Ramonat, for an enlightening conversation on the future technologies and processes that are coming together to solve some very complex challenges with asset management and healthcare. As always, we'd like to have your feedback and hear from you, our listeners. Feel free to drop us a note about what topic you'd like to hear about and any leaders you'd like to hear from. Our e-mail address is [email protected]. Thanks again for joining us for this episode of CyberPHIx, and we look forward to having you be with us for the next session coming up soon. Have a great day.