More than 90% of hospitals and healthcare organizations faced a cybersecurity attack in 2024. While many of these attacks focus on systems related to patient data, they typically extend across departments and technologies. Maintenance and asset management, for instance, are identified as areas that continue to drive risk for future healthcare cybersecurity attacks. From reliance on legacy systems to a large number of connected devices, focusing on how to mitigate cybersecurity risk becomes important for hospital and healthcare leaders.
For healthcare facilities management (HFM) and healthcare technology management (HTM) teams, increased risk for assets, systems, and processes strains already resource-constrained teams. Using a computerized maintenance management system (CMMS) to house all data can help mitigate risk, while providing insight into what’s happening across assets and maintenance requests.
To effectively manage healthcare cybersecurity risks in your CMMS, there are several considerations, including knowing which functionality will help keep data secure while keeping it accessible to those who need it.

Building the Foundations to Prevent Healthcare Cybersecurity Risk
When it comes to preventing cybersecurity risk within HFM and HTM, it starts by looking at your core systems.
“Significant risk stems from the large interconnected systems that hospitals and healthcare organizations are using today,” said Allan Snippen, Vice President of Technology, FSI. “For both HFM and HTM teams, they are at risk of attacks targeting these essential operational systems and assets.”
HFM faces security vulnerabilities with its building automation systems, access control, and other network-connected infrastructure. Two key risks for healthcare facilities include:
- Ransomware, or software that will block access to applications or files
- Phishing, which uses fraudulent emails or other communications to gain access to systems
Many organizations are pairing together legacy systems that have outdated firmware, increasing the risk of a cybersecurity attack. As HFM teams build the foundations of a risk mitigation plan for cyber attacks, the starting point is evaluating the existing software and systems that share data digitally and could be targeted. In doing so, teams can identify key areas of focus and improvement.
On the other hand, HTM faces significant risk because medical devices are highly connected and may intersect with sensitive patient information, requiring stronger oversight. To build the foundations of a solid risk management framework, hospitals and healthcare organizations must first start with a complete inventory of all assets. Thorough data collection and validation reveals the critical gaps that lead to higher risk, which in turn shows where to focus and how to prioritize risk mitigation strategies.

Teams may rely on external vulnerability tools to surface alerts for cybersecurity risks. However, when alerts are not tied to a system of record, such as the CMMS, gaps in transparency appear. Relying on a healthcare-specific CMMS ensures simplified integrations with cybersecurity and device monitoring platforms. As a result, alerts can automatically become actionable work orders, helping to address the problem faster. The work order layer also provides transparency into remediation tasks and tracks activity for compliance reporting.
Choosing a CMMS that Aligns with Cybersecurity Goals
In evaluating a CMMS that helps you manage your cybersecurity risk, there are a few core features that specifically benefit HFM and HTM teams.
- Asset inventory, with the option to track details related to your assets, including important manufacturer and warranty information
- Risk documentation and assessment to inform ongoing risk mitigation strategies
- Seamless integrations with cybersecurity providers
- Reporting and data analytics for cybersecurity risk mitigation and regulatory and compliance requirements
Advancing cybersecurity functionality continues to be a focus for many vendors, FSI included. At FSI, the product team continues to work towards having cybersecurity and risk insights embedded directly into CMMS workflows rather than relying solely on third-party alerts.
“It is our goal to unify signals from cybersecurity platforms, regulatory bodies, and recall sources like ECRI and the FDA,” said Shawn Hewitt, Sr. Product Manager, FSI. “In doing so, we can turn them into prioritized, technician-ready work orders to provide stronger guidance across the full asset lifecycle.”
It’s important to note that true security in your CMMS extends beyond product features. Formal compliance programs are a foundational requirement, and specific vendor certifications show how the vendor manages, mitigates, and reports on security risks. These requirements and certifications include:
- SOC 2 Type II, which verifies that the organization has maintained controls related to security, availability, processing integrity, confidentiality, and/or privacy
- HIPAA requirements, which mandate specific standards for protecting sensitive patient health information
“With a purpose-built CMMS for healthcare, we’ve consistently focused on higher security standards because we understand the sensitivity of healthcare data, including non-patient records like hospital floor plans,” said Derek Smith, Director of Technology, FSI. “Because of this, we follow a higher standard than required, which includes SOC 2 Type II and HIPAA.”
Implementing an Effective Healthcare Cybersecurity Strategy Today
Every step in building and executing a cybersecurity strategy can help mitigate risk. There are maintenance and asset management best practices that translate into risk mitigation for security issues.
Shifting from reactive fixes to scheduled preventive controls can help mitigate risk with more proactive monitoring of device status and vulnerabilities. In addition to moving to preventive and predictive maintenance strategies, other operational improvements include:
- Tracking status and exceptions for firmware on connected devices
- Treating cybersecurity alerts like a maintenance request with a response process and framework
- Creating a proactive strategy to identify gaps and mitigate risk prior to receiving external notices where possible
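As an added illustration of the workflow described above (alerts joined to the CMMS asset inventory and turned into work orders, plus firmware exception tracking), the script below is example code written for this page, not FSI's product or API. The asset inventory, firmware baseline, alert feed, and asset IDs are all constructed sample data.

```python
"""Constructed example: turn vulnerability alerts into CMMS-style work orders."""
from dataclasses import dataclass

# Constructed asset inventory acting as the system of record (single source of truth).
ASSETS = {
    "INF-1001": {"name": "Infusion pump", "team": "HTM", "phi": True, "firmware": "3.2.1"},
    "BAS-2001": {"name": "Building automation controller", "team": "HFM", "phi": False, "firmware": "1.0.4"},
    "DR-3001": {"name": "Badge reader", "team": "HFM", "phi": False, "firmware": "2.5.0"},
}
# Constructed approved firmware baseline per asset.
FIRMWARE_BASELINE = {"INF-1001": "3.2.1", "BAS-2001": "1.1.0", "DR-3001": "2.5.0"}
# Constructed alerts as an external vulnerability tool might emit them.
ALERTS = [
    {"asset_id": "INF-1001", "severity": "medium", "summary": "outdated TLS library"},
    {"asset_id": "BAS-2001", "severity": "medium", "summary": "default credentials enabled"},
    {"asset_id": "XRAY-9999", "severity": "high", "summary": "unpatched network service"},
]
PRIORITY = {"high": 1, "medium": 2, "low": 3}  # 1 = most urgent


@dataclass
class WorkOrder:
    asset_id: str
    team: str       # HTM or HFM, taken from the inventory, so it routes to the right team
    priority: int
    summary: str


def firmware_exceptions(assets, baseline):
    """Assets whose installed firmware differs from the approved baseline."""
    return sorted(a for a, info in assets.items() if info["firmware"] != baseline.get(a))


def alerts_to_work_orders(alerts, assets):
    """Join alerts to the inventory; alerts for unknown assets are reported as gaps."""
    orders, unmatched = [], []
    for alert in alerts:
        asset = assets.get(alert["asset_id"])
        if asset is None:
            unmatched.append(alert["asset_id"])  # alert not tied to the system of record
            continue
        prio = PRIORITY[alert["severity"]]
        if asset["phi"]:
            prio = max(1, prio - 1)  # devices touching patient data get one level more urgent
        orders.append(WorkOrder(alert["asset_id"], asset["team"], prio, alert["summary"]))
    orders.sort(key=lambda o: (o.priority, o.asset_id))
    return orders, unmatched
```

Unmatched alerts are the "gaps in transparency" the text warns about: they need an inventory fix before they can become a trackable work order.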
When it comes to identifying and mitigating healthcare cybersecurity risks, HFM and HTM teams don't have to work alone. The organization's IT department should be well versed in cybersecurity protocols and prevention methods. Drawing on that expertise, HFM and HTM teams can collaborate closely with the IT department to build the right frameworks, processes, and plans to mitigate risk.
In working with IT on cybersecurity, some best practices include:
- Define which equipment will be tracked in each system
- Align on a single source of truth
- Identify protocol for receiving, sharing, and resolving alerts
- Create a cadence for HTM, HFM, and IT teams to meet and share information
- Determine a security review cadence for new and existing technologies
“Working in sync with cybersecurity leaders can ensure that best practices are aligned with data controls and governance strategies,” continued Snippen. “Large-scale data attacks and breaches have demonstrated how quickly threats can escalate, and the value of proactively building a risk mitigation strategy.”
In addition to collaborating with internal teams, having the right software in place – like FSI’s CMMS – can result in a plan that can be executed via key functionality and workflow automations. In turn, hospitals and healthcare organizations can transform maintenance and asset management into a core foundation for better cybersecurity practices.
Interested in learning more about healthcare cybersecurity and your CMMS? Connect with the FSI team to learn more.