How HTM departments can up the cybersecurity ante to keep devices running and patients safe
By C.A. Wolski
In today’s highly digitized, networked, connected world, cyberattacks have, unfortunately, become a common occurrence—with banks, retail companies, entertainment conglomerates, and even individuals falling victim to malicious hackers and ransomware pirates.
The global cyberattack, WannaCry, exposed an even more troubling potential target: healthcare. The May 2017 attack crippled computers all over the world by exploiting a flaw in the SMBv1 file-sharing service (MS17-010) present in unpatched Windows systems from Windows XP through Windows 7 and later. Microsoft had patched supported versions in March 2017 and, in response to WannaCry, released an emergency patch for the long-unsupported Windows XP; even so, hundreds of thousands of unpatched machines remained open to attack. They included systems at the U.K.’s National Health Service (NHS), which had not applied the patch to its computers and devices running Windows 7. The result was the disabling of more than 70,000 medical devices and computers, effectively shutting down 80 hospitals throughout the NHS health system.
While this may seem like an extreme, worst-case scenario, WannaCry should serve as a wake-up call for HTM departments throughout the U.S. and beyond. The good news is that there are steps HTM departments and healthcare enterprises can take now to minimize risk and stop an attack in its tracks.
Risk in a Connected World
Today’s medical devices are no longer discrete, standalone instruments used by clinicians to monitor and treat patients. They are, for all intents and purposes, a species of computer, tightly integrated via hospital networks and exchanging data with other devices and systems.
“Everything is getting more connected, and healthcare is no different,” says Leon Lerman, CEO of Cynerio, which focuses on providing cybersecurity solutions to healthcare facilities. “IV pumps, ventilators, blood gas monitors are connected to computers or the Internet. That’s good for clinicians. They’re getting more data, and patients are having a better experience. The challenge is that advances in security are getting left behind.”
There are many attack types, but the biggest threats to healthcare enterprises are service disruption (WannaCry and the NHS being the prime example) and theft of patient data: sensitive health data, which could be used for blackmail or altered in ways that affect treatment and overall health; financial data; and research data.
While device security is crucial to protect this data, there also needs to be a fundamental shift in the way healthcare organizations approach it, according to Axel Wirth, distinguished healthcare architect at Symantec. “What we’ve paid attention to for the past 10 years is HIPAA,” he says.
“Security was related to HIPAA, with a very strong focus on patient confidentiality. Confidentiality is important, but what we learned with WannaCry and similar ransomware attacks is that cyber-attacks impact data availability and, therefore, care delivery. And we are starting to understand the risks associated with data integrity; we haven’t gone there, but we must start to include these scenarios in our planning.”
Lerman, for his part, notes that beyond issues of patient safety and confidentiality, organizations could also find themselves on the receiving end of significant fines from the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), which enforces HIPAA compliance. “If the breach is big enough, the organization could find itself on the OCR’s ‘Wall of Shame’ [which is posted on the internet],” he says. This could have significant reputational impact on the organization, which could affect the ability of the organization to provide care and remain viable.
Several factors complicate the picture. Chief among them is that, unlike a conventional fleet of workstations, medical devices are heterogeneous: they run a variety of operating systems, often embedded or past end-of-life, each with its own weaknesses and its own (or no) patch cycle. That makes them attractive entry points for an attacker.
“Hackers may not necessarily be targeting medical devices; it’s likely they’re simply looking for a point of entry,” explains Ross Leder, principal of Crew Clinical, a healthcare technology management company, headquartered in Denver. “Historically, medical devices have not been viewed as a vulnerability.”
As Wirth notes, medical devices provide an easy entry point, and they are often outside the reach of IT security tooling, which makes them hard to secure and makes a potential attack hard to spot.
“Unlike other critical IT assets, connected medical devices are hardly visible in their native IT control systems,” says Jon Rabinowitz, VP of marketing for CyberMDX, a healthcare cybersecurity provider. “The IT teams often cannot even tell how many medical devices are connected, [as well as] their type—and they lack critical insight of the devices’ cybersecurity risk status, threats, and vulnerabilities.”
Even more shocking, most hospitals lack the visibility to know whether their medical devices have already been compromised. Because devices bring a wide range of operating systems and communication protocols that current cybersecurity tools do not fully understand, they are left in the shadows from a visibility and security perspective. This allows hackers to “establish a beachhead and lay low” before they’re spotted, according to Wirth.
And the numbers bear out this cause for concern. According to data from CyberMDX, hospitals, on average, have lost track of 30% of their networked medical devices, and, in total, about 61% of all medical devices are at risk for a cyberattack. With an average hospital bed having about 10 to 15 connected devices (again according to CyberMDX data), the potential for real patient harm is high and likely growing as more devices are networked.
Cynerio’s Lerman says large hospitals in the United States sometimes have more than 100,000 connected devices, and one hurdle that HTM departments attempting to up their security responses may face could surprise some—medical device manufacturers. “Unfortunately, old operating systems and old communication protocols don’t support encryption and authentication,” says Lerman. “And hospitals can’t touch the devices and add anti-virus programs, because they may void the warranty.”
Taking Practical Steps
While the challenges may seem daunting, there are several practical steps HTM departments can take to improve the security of their medical devices. To start, HTM departments should do a comprehensive inventory of every piece of equipment, including its security-relevant attributes: operating system and version, patch level, network address, and the services it exposes.
“This way you can see what devices can be affected,” says Leder of Crew Clinical. Visibility is also important. HTM departments should work with IT to make sure that the medical devices are visible on the network, so that an attacker cannot establish an unnoticed beachhead.
After all, says Lerman of Cynerio, “You can’t protect what you can’t see.” With a complete inventory and improved visibility, you can then assess risk.
“Risk analysis should be ongoing and automatic, keeping pace—or one step ahead—as threats evolve and vulnerabilities are frequently discovered,” explains Rabinowitz of CyberMDX. “Risk analysis should provide actionable and prioritized remediation recommendations—granular risk profiling, both at the individual device level and as an overview of risk across the entire [Internet of Medical Things] fleet.” He says it’s also imperative that the data is integrated with the other workflow management systems the hospital is deploying.
Moreover, risk monitoring should become an ongoing priority, the experts consulted here agree. Again, much of this will be automated, but once an anomaly is detected, the IT or HTM department can react and respond to the threat. Because, as Lerman notes, HTM departments can’t add anti-virus programs to the devices, response will rely on controls that live in the network, such as firewalls, which can isolate the potentially affected devices.
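The inventory, visibility and risk-prioritization steps above can be reduced to a small reconciliation routine. The following is an added example written for this article, not code from any of the vendors quoted: it compares an HTM inventory (what a CMMS export says is on the network) with a passive-discovery result (what was actually seen), flags devices nobody claims, and ranks everything by an exposure score. The device records, subnet addresses, patch identifiers and score weights are all constructed for illustration; only the MS17-010/SMB condition reflects the WannaCry scenario described earlier.

```python
"""Reconcile an HTM inventory against what is actually seen on the network, then
rank every device by exposure. All data below is constructed for illustration."""
from dataclasses import dataclass

# Platforms no longer receiving routine security fixes (illustrative, not exhaustive).
EOL_OS = {"windows xp", "windows 7", "windows server 2003", "windows embedded standard 7"}

# Exposed services that raise remediation priority. Port 445 (SMB) is what WannaCry
# reached through the MS17-010 flaw; the weights are an assumption for this example.
RISKY_PORTS = {445: 30, 3389: 15, 23: 20, 104: 10}  # SMB, RDP, Telnet, DICOM

# Clinical impact of a device being unavailable or tampered with (assumed weights).
ROLE_WEIGHT = {"life-support": 40, "imaging": 25, "monitoring": 20, "admin": 5}


@dataclass(frozen=True)
class Device:
    ip: str
    name: str
    os: str
    role: str                 # life-support, imaging, monitoring, admin, or unknown
    patches: frozenset        # patch identifiers the device is known to carry
    open_ports: frozenset


def risk_score(d: Device) -> int:
    """Higher is worse. Combines clinical impact with network exposure."""
    score = ROLE_WEIGHT.get(d.role, 10)   # unknown role: assume moderate impact
    if d.os.lower() in EOL_OS:
        score += 25
    for port, weight in RISKY_PORTS.items():
        if port in d.open_ports:
            score += weight
    # SMB reachable on a host without the MS17-010 fix is exactly the WannaCry condition.
    if 445 in d.open_ports and "MS17-010" not in d.patches:
        score += 30
    return score


def reconcile(inventory, observed):
    """Split devices into matched (in both), unknown (seen on the wire only) and
    missing (in the inventory only). Keyed on IP address for simplicity."""
    inv = {d.ip: d for d in inventory}
    seen = {d.ip: d for d in observed}
    matched = [seen[ip] for ip in sorted(inv.keys() & seen.keys())]
    unknown = [seen[ip] for ip in sorted(seen.keys() - inv.keys())]
    missing = [inv[ip] for ip in sorted(inv.keys() - seen.keys())]
    return matched, unknown, missing


def prioritize(devices):
    """Remediation order: worst score first."""
    return sorted(devices, key=risk_score, reverse=True)


def _dev(ip, name, os, role, patches=(), ports=()):
    return Device(ip, name, os, role, frozenset(patches), frozenset(ports))


# Constructed CMMS export: what HTM believes is on the network.
INVENTORY = [
    _dev("10.20.1.10", "MRI-1", "Windows 7", "imaging", ports={445, 104}),
    _dev("10.20.1.11", "MRI-2", "Windows 10", "imaging", patches={"MS17-010"}, ports={445, 104}),
    _dev("10.20.2.20", "VENT-07", "Windows Embedded Standard 7", "life-support", ports={445}),
    _dev("10.20.2.21", "PUMP-31", "Linux", "life-support", ports={23}),
    _dev("10.20.3.5", "NURSE-WS-3", "Windows 10", "admin", patches={"MS17-010"}, ports={445, 3389}),
]

# Constructed passive-discovery result (DHCP leases plus a service scan).
OBSERVED = [
    INVENTORY[0], INVENTORY[1], INVENTORY[2], INVENTORY[4],         # PUMP-31 was not seen
    _dev("10.20.2.99", "?", "Windows XP", "unknown", ports={445}),  # nobody claims this one
]


def report(inventory=INVENTORY, observed=OBSERVED):
    """Unknown devices, inventoried devices that were not seen, and the remediation order."""
    matched, unknown, missing = reconcile(inventory, observed)
    return {
        "unknown": [d.ip for d in unknown],
        "missing": [d.name for d in missing],
        "priority": [(d.name, d.ip, risk_score(d)) for d in prioritize(matched + unknown)],
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

The unclaimed Windows XP host with SMB exposed lands near the top of the list even though its clinical role is unknown, which is the point: a device that is not in the inventory cannot be patched, segmented or monitored by anyone, and the reconciliation is what turns "you can't protect what you can't see" into a work queue.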
While this is a solid strategy underpinning device integrity, there are day-to-day actions HTM and IT departments can take to ensure that a strong defense is in place, the experts say. For example, it’s not uncommon for healthcare enterprises to have back-up or redundant systems in case of a catastrophic event, including a debilitating hack of the system. Leder says that it’s not enough to have the back-up in place. It should be tested regularly, through drills and by actually failing over between the primary and back-up systems, to make sure it is ready to use.
Both Leder and Symantec’s Wirth recommend creating segregated networks, with priority given to critical-care devices. For example, an organization with a single MRI has more riding on that one device than an organization with three, since with three, one compromised machine still leaves two operating. That redundancy only holds, however, if the machines are segmented from one another: on a flat network, one infected MRI can take the other two down with it and significantly impact patient care.
Leder adds that using industry best practices, such as those in the U.S. Department of Health and Human Services’ Health Industry Cybersecurity Practices (HICP) guidelines, can help secure devices. Even so, he is quick to point out that identity and access management controls should extend to device vendors and be rigorously enforced.
“Suppliers often stipulate the use of remote support tools like VPN,” Leder says, “but without a shared and federated approach to identity and access controls, these tunnels amount to a massive blind spot that ultimately impairs the visibility of the organization’s network to detect attacks.”
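Segmentation and vendor remote access are only as good as the policy that says which zone may talk to which, and whether anyone checks. The block below is an added example for this article, not code from any vendor quoted here: it expresses a default-deny zone policy and runs flow records from the segmentation firewall against it, so that a workstation reaching a ventilator over SMB, one MRI reaching another over SMB, or a vendor VPN tunnel wandering out of the imaging zone all surface as violations. The zone subnets, allow-list entries and flow lines are constructed for illustration.

```python
"""Check flow records against a zone allow-list so that a compromised device, or a
vendor's remote-support tunnel, cannot reach zones it has no business in.
Zones, policy and flow lines are all constructed for illustration."""
import ipaddress
import re

# Which subnet belongs to which zone (assumed addressing plan).
ZONES = {
    "imaging":      ipaddress.ip_network("10.20.1.0/24"),
    "life-support": ipaddress.ip_network("10.20.2.0/24"),
    "clinical-ws":  ipaddress.ip_network("10.20.3.0/24"),
    "vendor-vpn":   ipaddress.ip_network("10.20.9.0/24"),
}

# Default deny. Each entry is (source zone, destination zone, destination port).
# There is deliberately no entry allowing SMB (445) anywhere, and the only
# intra-zone entry is DICOM between imaging systems, so one infected MRI
# cannot reach another over SMB. Vendor support is confined to imaging.
ALLOWED = {
    ("clinical-ws", "imaging", 104),   # workstations push and pull studies
    ("imaging", "imaging", 104),       # modality-to-modality study transfer
    ("vendor-vpn", "imaging", 3389),   # vendor remote support, imaging zone only
}

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unzoned"   # an address outside the plan is itself worth a look


def parse_flow(line: str):
    m = FLOW_RE.search(line)
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    return m.group(1), m.group(2), int(m.group(3))


def check_flows(lines):
    """Return one (line, reason) tuple for every flow the policy does not allow."""
    violations = []
    for line in lines:
        src, dst, dport = parse_flow(line)
        sz, dz = zone_of(src), zone_of(dst)
        if (sz, dz, dport) not in ALLOWED:
            violations.append((line.strip(), f"{sz} -> {dz} on port {dport} not in policy"))
    return violations


# Constructed flow records in the style of a firewall or NetFlow export.
SAMPLE_FLOWS = [
    "2019-06-03T10:15:02Z src=10.20.3.5 dst=10.20.1.10 dport=104 proto=tcp",
    "2019-06-03T10:15:09Z src=10.20.3.5 dst=10.20.2.20 dport=445 proto=tcp",
    "2019-06-03T10:16:41Z src=10.20.1.10 dst=10.20.1.11 dport=445 proto=tcp",
    "2019-06-03T10:17:00Z src=10.20.9.4 dst=10.20.1.10 dport=3389 proto=tcp",
    "2019-06-03T10:17:13Z src=10.20.9.4 dst=10.20.2.20 dport=3389 proto=tcp",
    "2019-06-03T10:18:30Z src=10.20.1.10 dst=10.20.1.11 dport=104 proto=tcp",
]

if __name__ == "__main__":
    for line, reason in check_flows(SAMPLE_FLOWS):
        print(reason, "|", line)
```

Run against the sample, three of the six flows are flagged: the workstation-to-ventilator SMB connection, the MRI-to-MRI SMB connection, and the vendor tunnel reaching the life-support zone. The same allow-list is what the firewall between the zones should enforce; checking the flows independently is how you find out whether it actually does.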
Perhaps one of the biggest variables that healthcare enterprises must address is the employees who are using their systems. Wirth says that user training is a key component of network security. For example, because many clinical workstations are general-purpose computers, clinical users may check their e-mail or social media accounts on them, which could open the door for a hacker looking for easy pickings.
In this case, a policy should be implemented that prohibits checking e-mail and other potentially risky behaviors on clinical systems. Other policies should address the end-of-life handling of a device, in particular any patient data or credentials stored on it, whether it’s destined for recycling or resale.
Approaching risk with a bit of cynicism can help keep security top of mind and strengthen the protocols needed to avoid and minimize any potential attacks. In other words, develop a “when,” not “if,” mindset. Wirth’s advice to healthcare enterprises regarding cybersecurity is straightforward, but gets to the heart of the matter: “Proceed with urgency, but don’t panic.”
The Future of Cybersecurity and Healthcare
If there’s one thing that’s certain about medical device cybersecurity, it’s that the threat is here to stay. And, as a corollary, HTM departments and the entire healthcare enterprise will have to evolve to meet it. In the near term, Wirth says that organizational leadership needs to understand the risk, and, more importantly, how a hack could affect patient safety, care delivery, and the business.
Clinicians are typically involved in buying decisions for connected medical devices, but nowadays the question, “Is the device secure enough?” also needs to be top of mind. Day-to-day clinical users and decision makers need to be aware of the potential for a data breach or hack. Finally, Wirth recommends doing business with vendors who have a security stake in the ground.
But beyond the near term, the experts predict that the role of HTM departments and biomeds may change, seeing them merging or coming under the auspices of the IT or IT security department reporting up to the CIO. “I believe that HTM, IT, and IS departments are beginning to collide and will result in new positions that some best-in-class hospitals are already adopting,” says CyberMDX’s Rabinowitz. “These include new titles such as ‘cyber specialist,’ and ‘director of security review.’”
Lerman of Cynerio sees that, increasingly, organizations understand the extent of the risk and are taking actions to meet it. “We can’t disconnect the devices—instead we need to meet the threat while maintaining business continuity,” he says. “We now have specific solutions to go deeper and identify the problems and the risk. We’re raising the bar for the hackers.”
Rabinowitz, for his part, sees another technological shift for HTM, IT, and even clinical departments. “Forced digitalization is leading to a plethora of security oversights and challenges, and this will only continue to grow,” he says. “The siloed approach to security that was often taken by healthcare organizations will be obsolete within five years.”
Whatever the case, HTM departments, by necessity, will be major players in the quest to keep medical devices up and running, and as secure as they can reasonably be made.
C.A. Wolski is a contributing writer for 24×7 Magazine. Questions and comments can be directed to [email protected].
Devices as entry point is a different question than devices as primary target. But are there any actual examples of either, with “actual” meaning it has occurred, as opposed to a vulnerability?