Zachary Roemer, Robert Sumerauer, Emma Sundquist, Dr. Jeffrey Merhout
This project analyzes the risks of Internet of Medical Things (IoMT) systems and develops an IT governance framework that corresponds to those risks. By following this framework, healthcare organizations will be able to give patients access to the latest advances in IoMT technology while minimizing patient and organizational risk. The framework makes patient safety and privacy key governance focuses alongside hospital operations. From those two focuses, we identified a series of resultant risks: authentication, authorization, system availability, management complexity, data integrity, and data movement. Our research produced a framework with five sections: Data Integrity & Movement, Management Complexity, Privacy, Authentication & Authorization, and Availability. Each section contains controls adapted from existing IT governance frameworks, placed under the risk category where they apply best. The framework gives those in the healthcare industry an outline for successful implementation and management of IoMT systems in their organizations.
Internet of Medical Things (IoMT) systems have become an increasingly large risk to healthcare organizations
IoMT device and system failure due to a lack of proper IT governance controls can lead to adverse outcomes for patients, including death
IoMT has increasingly spread from externally attached devices used exclusively in clinical settings to being widespread consumer goods
Objective: Develop an IT governance framework that healthcare organizations can adopt and adapt to their needs in order to create an effective and favorable risk profile
“The decision rights and accountability framework” (Gregory et al., 2018) that creates a “fusion of business and IT” (Van Grembergen, 2002) with involvement from senior management and the board of directors to align IT and business strategy to create a favorable risk profile for the organization and to “encourage desirable IT behavior” (Weill & Ross, 2004).
Privacy - Protection of patient's personal health information
Patient Safety - An attribute and result of properly implemented regulatory and testing processes that ensure that IoMT systems do not harm those who interact with them
Authentication & Authorization - Healthcare organizations ensure that IT and business leaders track system access and prevent access to non-needed systems, while ensuring employees have the necessary access for work.
Data Integrity & Movement - Lack of IoMT system standardization opens up many attack vectors against both data in transit and data at rest
Availability - IoMT serves in many mission-critical use cases where any amount of downtime is unacceptable and possibly life threatening
Management Complexity - The proprietary nature of IoMT systems creates high training needs and over-reliance on vendors
NIST CSF Identify ID.GV-3 - Legal and Regulatory Requirements: Organizations understand and manage the legal and regulatory requirements they must comply with, including privacy obligations (Barrett, 2018)
MEA03 - Managed Compliance with External Requirements: Identification of external compliance requirements to ensure compliance throughout the IT processes (COBIT, 2018)
CIS06 - Access Control Management: Users only have access to the data appropriate to their roles (Center for Internet Security, 2021)
CIS05 - Account Management: Processes and tools for creating, maintaining, and securing user, administrator, and service accounts (Center for Internet Security, 2021)
NIST CSF PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor or multi-factor) commensurate with the risk of the transaction within the system (Barrett, 2018)
HITrust CSF 13.06 - Data Quality and Integrity: Data is processed accurately, completely and is up-to-date (HITrust, 2023)
CIS03 - Data Protection: Processes and technical controls to identify, classify, securely handle, retain, and dispose of data (Center for Internet Security, 2021)
BAI08 - Managed Knowledge: Information is accurate and up-to-date, and knowledge management systems support management decision-making (COBIT, 2018)
DSS04 - Managed Continuity: Plan so incident response is implemented quickly to limit disruptions and hasten recovery (COBIT, 2018)
AICPA Trust Principles - Availability: Robust framework for service continuity with external vendors (AICPA, 2022)
APO07 - Managed Human Resources: Systematic method to optimize the recruitment, planning, assessment, and development of both internal and external human resources (COBIT, 2018)
APO10 - Managed Vendors: Helps manage 3rd-party systems implemented to meet enterprise requirements (COBIT, 2018)
EDM05 - Ensured Stakeholder Engagement: Guarantees that key stakeholders are identified and engaged in IT governance processes (COBIT, 2018)
DSS01 - Managed Operations: Managing I&T services, internal and outsourced, to ensure that they meet organizational requirements for reliability, efficiency, and quality (COBIT, 2018)
IoMT is growing rapidly and without regard for healthcare organizations' existing IT systems and managerial constraints
This framework provides a foundation for IT governance of IoMT for healthcare organizations
Future research could expand upon:
Practical implementation of the framework and organizational results
How biometric identification could be used within IoMT systems to potentially enhance patient privacy
Patient understanding of IoMT usage in their care
AICPA. (2022). 2017 Trust Services Criteria for Security, Availability, Processing, Integrity, Confidentiality, and Privacy (with Revised Points of Focus - 2022). AICPA.
Barrett, M. (2018). Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 (NIST Cybersecurity Framework). National Institute of Standards and Technology.
CIS Center for Internet Security. (2021). CIS Critical Security Controls Version 8. CIS Center for Internet Security.
COBIT. (2018). COBIT® 2019 Framework: Governance and Management Objectives, ISACA, Schaumburg, IL.
Gregory, R., Kaganer, E., Henfridsson, O., Ruch, T. (2018). IT Consumerization and the Transformation of IT Governance. MIS Quarterly Vol. 42 No. 4, pp.1225-1253.
HITrust. (2023). HITrust CSF PDF v11.2.0. HITrust.
Van Grembergen, W. (2002). Introduction to the Minitrack “IT governance and its mechanisms.” Proceedings of the 35th Annual Hawaii International Conference on System Sciences, 3097–3097.
Weill, P., & Ross, J. W. (2004). IT Governance on One Page. SSRN Electronic Journal.
The following NACE competencies were developed by us engaging in this research project:
Technology
Teamwork
Critical Thinking
Communication