By K. Richard Douglas
Imagine you have an implanted pacemaker for a heart condition and a hacker takes control of it, setting it to do whatever they want. Sound far-fetched? It’s not. It’s just one example of the seriousness of cybersecurity as it could potentially impact medical devices.
Cybersecurity news has featured headlines about hackers who have found their way into company networks or government computers, but the threat of stolen proprietary information seems trivial compared to someone controlling another person’s very heartbeat. And how might these cyber bad guys wreak havoc on patients in a hospital via access to that hospital’s network? It’s one thing when ransomware requires a hospital to pay a large sum to cyber criminals, but it is quite another for these virtual thugs to injure or end the life of a vulnerable patient.
Hospitals in England can attest to the damage that incursions into a network can cause. Many fell victim to a ransomware attack that arose from malware called WannaCry in May of this year.
Health Care Exposure
When targeting health care providers, hackers can create more serious problems than might be experienced by corporations or retail outlets. As already mentioned, the hackers can compromise the actual health and well-being of patients, in very perilous ways, in addition to inflicting monetary injury.
This requires health care providers to deploy firewalls to keep these digital pathogens out, to identify cyber risks that may already have gained access to their systems, to neutralize any incursions and to assess the fallout.
“At present, we believe that the most pressing concern for health care facilities is a potential interruption to health care operations due to loss of access to data or systems,” says Juuso Leinonen, project officer in the Health Devices Group at ECRI Institute.
“This past year, we have seen several hospitals that were significantly impacted by ransomware or other malware. While some medical devices have a potential to be impacted, ECRI Institute has not received direct reports of patient harm due to ransomware in medical devices,” Leinonen adds.
Bob Chaput, CISSP, HCISPP, CRISC, CIPP/US, CEO of Clearwater Compliance LLC in Nashville, Tennessee, suggests that guarding against cyber threats requires inter-department cooperation.
“Team up,” Chaput suggests. “Ensure that your organization treats this matter as an enterprise-wide, business and patient risk management issue that should involve, but not be limited to, legal, risk management, finance, compliance, IT, clinical engineering, security, quality, operations,” he says.
He suggests that all those concerned should “adopt a risk- and asset-based risk management approach.”
“Remember cyber risk management is about your ‘assets’ and their exposures to a compromise of confidentiality, integrity or availability. It’s not about someone else’s controls checklist. The largest breaches in health care and retail, for example, have occurred at organizations that adopted such approaches,” Chaput says.
He adds that it is best to leverage three critical building blocks: organizations most successful at cyber risk management adopt an overarching framework (Chaput recommends the NIST Cybersecurity Framework), implement a rigorous process (again, he recommends the NIST information risk management approach documented in a series of NIST Special Publications, starting with NIST SP 800-39) and adopt a “Deming/Continuous Process Improvement” mindset.
HIMSS lists three major areas of concern on its website: spear phishing and SQL injection, data breach and ransomware.
The HIMSS Cybersecurity Survey for 2017, as summarized in an article on the HIMSS website (5 Takeaways from the 2017 HIMSS Cybersecurity Survey, Aug. 28, 2017) by Lee Kim, JD, CISSP, CIPP/US, FHIMSS, HIMSS North America director of privacy and security, yields five takeaways.
Among what was distilled from the survey results was that “Penetration testing is a good way to test one’s cybersecurity defenses, incident response plans, awareness training, policies and procedures.” Penetration test reports can hold significant value, as they will explain what gaps or deficiencies may exist and how to remedy them, according to Kim.
HIMSS also reports that “information security professionals at acute care providers are concerned about cloud security.”
Their findings also centered upon the connections created through other wireless technologies.
“Many acute providers have life-sustaining or life-saving medical devices. Considering that many of these are Bluetooth-enabled connected devices, medical device security and patient safety are very much intertwined – so much so that a potential compromise on a medical device may lead to an adverse event,” Kim says.
The HIMSS survey also pointed out the importance of cyber security considerations prior to the procurement of new medical technology.
“Eighty-eight percent of health care organizations with chief information security officers or other IT security leaders and 57 percent of health care organizations without such leaders are ensuring that cybersecurity due diligence is done during the pre-acquisition stage – i.e., prior to the implementation of the technology product and/or service at the organization,” Kim adds.
HTM’s Role
With the technology convergence of biomed and IT on many fronts, the role of the HTM professional in contributing toward cybersecurity defense is an important one.
“HTM should partner with IT and, as much as possible, bring the medical device fleet into the enterprise security management plan. HTM can bring to the table specialty risk and operational information that can inform the IT network security plan,” says Scot Copeland, a medical device IT specialist in California.
He says that on their own, HTM can gain knowledge and training in IT networking and security and begin to gather the networking, vulnerability and privacy risk attributes associated with medical devices and maintain them in the CMMS.
To create that inventory of susceptible devices, Copeland says to seek out the cooperation of other departments.
“Begin with the medical device inventory in the CMMS and identify networked medical devices or stand-alone devices that contain or manage ePHI. Reach out and partner with other departments that may have been managing their own medical devices and begin to incorporate them into the CMMS (think pharmacy, lab, point of care testing, specialty imaging/radiation therapy or on-site contracted services). Reach out to departments that may have been developing and managing their own networks and document them in the CMMS,” he says.
“Network discovery tools, used by the IT department, may be useful in flushing out network devices that are part of a medical device system, but use caution when running discovery tools on a medical device network. Some medical devices are sensitive to scanning protocols and may react adversely,” Copeland adds.
The importance of having an accurate, frequently updated inventory is echoed by Inhel Rekik, clinical engineering manager at Medstar Georgetown University Hospital in Washington, D.C.
“In addition, some additional data needs to be collected in the asset management system, such as whether the medical device has a wireless or wired network connection, in addition to the wireless protocol used, such as 802.11 a, b, g and n,” Rekik says. “Open ports and communications protocols could be added as well if data is available. Some additional network information such as device network ID, firmware version, software version, MAC address and underlying operating system need to be collected as well.”
She says that this data allows health care organizations to quickly identify affected devices when a vulnerability is known.
For the HTM department, Copeland suggests that scrutinizing each medical device or system and assessing its risk profile is a good first step.
“HTM should begin with a security/privacy risk assessment of their networked medical devices and their standalone medical devices that contain or manage ePHI,” Copeland says. “The health care delivery organization (HDO) should already have risk assessment methods and standards in place for security and privacy of IT network resources to address regulatory requirements. The HDO can consider applying those standards to the medical device/systems on the network or that contain ePHI, identify gaps and develop remediation plans, and/or modify the standards to include medical devices.”
There are tools that will allow a health system to bolster its resources for combating cyber threats. Copeland suggests a couple.
He says that there is a cottage industry developing in the market that in most cases combines network monitoring and discovery capabilities with vulnerability, threat and, in some cases, clinical risk information in an attempt to provide real-time risk analysis of the medical device fleet. [Note: HTM professionals can check out Verta Labs Blueflow, Asimily and Zingbox IoT Guardian]
“Sometimes overlooked, the HDO’s enterprise IT security management tools can be applicable and effective in managing medical device security including vulnerability and discovery scanners, intrusion detection/prevention, firewalls, VLANs, SIEM, and behavior monitoring,” Copeland says.
Hazards and Vendor Questions
There is a degree of due diligence that is required prior to purchase. Copeland says vendors should be asked if they provide the HIMSS MDS2. Also, do they provide implementation guidance to ensure the most secure implementation in the HDO network?
“Are they aware of IEC 80001-2-6 guidance on vendor responsibility agreements and can they provide documentation useful in creating a security solution during installation? Do they have a Software Bill of Materials that outlines all of the computer off-the-shelf software, .dlls and libraries that make up the medical device software system?” Copeland asks.
“Risk assessment and risk management are an integral part of procurement and of the device lifecycle management. As the environment of the medical device changes, risks should be periodically re-evaluated,” says Rekik. “HTM departments need to add the cyber risk classification to the basic risk classification as high risk and non-high risk detailed in EC.02.04.01.”
John Rasmussen, MA, MBA, vice president and chief information security officer at MedStar Health in Columbia, Maryland, says that a risk assessment includes evaluating the product upon procurement to determine if administrative, technical, or physical safeguards need to be put in place to mitigate the risks.
“Risk assessments will look at the technology being used, and its current vulnerabilities, as well as the type of data and operational use of the equipment. A risk assessment will ask about patching, password management, local data storage, Internet connectivity, device interoperability, remote support, etcetera,” Rasmussen says.
Rasmussen agrees that an important part of the risk assessment will be the Manufacturer’s Disclosure Statement of Medical Device Security (MDS2), “which should be provided to Clinical Engineering prior to procurement,” he says. “The Medical Device Innovation, Safety and Security Consortium can provide health care organizations with a good starting point of the medical device cyber risk and answers the MDS2 form questions.”
“The risk assessment should also include scanning the device for vulnerabilities and open ports prior to deploying the medical device. Vulnerability scanning should be done periodically within the environment to assess new risks; however, care should be taken to ensure vulnerability scanning is not done when the device is being actively used for care,” Rasmussen adds.
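To make the inventory attributes Rekik describes above concrete, and to show how they answer the question “which devices are affected?” when an advisory arrives, here is an added Python example. It is not code from the article, from any of the people quoted, or from any vendor product; the device records, the advisory and its field names are constructed for illustration, and the advisory format is a hypothetical one. The scan-list filter at the end reflects the caveats from Copeland (some devices react badly to scanners) and Rasmussen (never scan a device while it is in active clinical use).

```python
"""Added example, not from the article or any vendor: a minimal CMMS-style
inventory carrying the security attributes the article lists, an
advisory-matching check, and a filter producing a safe vulnerability-scan
list. All records and the advisory below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Device:
    asset_id: str
    model: str
    connection: str                      # "wired", "wireless" or "none" (stand-alone)
    wireless_protocol: Optional[str]     # e.g. "802.11n"; None when not wireless
    network_id: str                      # device network ID / hostname
    mac: str
    os: str                              # underlying operating system
    os_version: str
    firmware_version: str
    software_version: str
    open_ports: List[int] = field(default_factory=list)
    protocols: List[str] = field(default_factory=list)
    holds_ephi: bool = False             # contains or manages ePHI
    scan_sensitive: bool = False         # known to react adversely to scanners


@dataclass
class Advisory:
    """Hypothetical advisory shape (constructed): an OS is vulnerable up to and
    including a version, and is reachable through one port/protocol."""
    advisory_id: str
    os: str
    max_affected_os_version: str
    port: Optional[int] = None
    protocol: Optional[str] = None


def version_tuple(v: str) -> tuple:
    """'6.10' -> (6, 10) so versions compare numerically; a plain string
    compare would wrongly rank '6.10' below '6.9'. Non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def triage(inventory: List[Device], adv: Advisory) -> Dict[str, List[str]]:
    """Asset IDs running a vulnerable OS version ("vulnerable"), and the subset
    that also exposes the advisory's port and protocol ("exposed").
    ePHI-holding devices are listed first so remediation starts there."""
    vulnerable, exposed = [], []
    for d in sorted(inventory, key=lambda x: (not x.holds_ephi, x.asset_id)):
        if d.os.lower() != adv.os.lower():
            continue
        if version_tuple(d.os_version) > version_tuple(adv.max_affected_os_version):
            continue
        vulnerable.append(d.asset_id)
        port_ok = adv.port is None or adv.port in d.open_ports
        proto_ok = adv.protocol is None or adv.protocol in d.protocols
        if port_ok and proto_ok:
            exposed.append(d.asset_id)
    return {"vulnerable": vulnerable, "exposed": exposed}


def scan_list(inventory: List[Device], in_clinical_use: Set[str]) -> List[str]:
    """Networked devices that are safe to vulnerability-scan right now:
    skip stand-alone devices, anything in active patient use, and anything
    flagged scan-sensitive (those get a manual or vendor-supported review)."""
    return [d.asset_id for d in inventory
            if d.connection != "none"
            and d.asset_id not in in_clinical_use
            and not d.scan_sensitive]


# Constructed sample inventory (fictional devices, MACs and versions).
SAMPLE_INVENTORY = [
    Device("D-1001", "Infusion pump", "wireless", "802.11n", "pump-01",
           "00:11:22:33:44:01", "Windows Embedded", "6.1", "2.4.0", "3.1",
           [445, 3389], ["SMB", "RDP"], holds_ephi=True),
    Device("D-1002", "Patient monitor", "wired", None, "mon-02",
           "00:11:22:33:44:02", "Linux", "4.4", "1.0.9", "5.2",
           [22], ["SSH"], scan_sensitive=True),
    Device("D-1003", "Lab analyzer", "wired", None, "lab-03",
           "00:11:22:33:44:03", "Windows Embedded", "6.3", "1.2", "8.0",
           [135], ["DCOM"], holds_ephi=True),
    Device("D-1004", "Imaging workstation", "wired", None, "img-04",
           "00:11:22:33:44:04", "Windows Embedded", "6.1", "1.0", "2.2",
           [], [], holds_ephi=True),
]
# Constructed advisory: placeholder ID, not a real CVE or vendor bulletin.
SAMPLE_ADVISORY = Advisory("ADV-EXAMPLE-0001", "Windows Embedded", "6.1",
                           port=445, protocol="SMB")

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY, SAMPLE_ADVISORY))
    print(scan_list(SAMPLE_INVENTORY, in_clinical_use={"D-1001"}))
```

With the sample data, D-1001 and D-1004 both run the vulnerable OS version, but only D-1001 exposes the affected port and protocol; D-1004 has no open ports and would be a lower-priority patch. The point of the separate “vulnerable” list is that an unexposed device is still unpatched, and a configuration change later could expose it. Passing the set of devices currently in clinical use to scan_list keeps the scanning schedule aligned with Rasmussen’s caveat.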
Simple and common storage technologies provide another path for cyber threats to enter the health care network or a device. Thumb drives are a prime example. HTM can help do its part in mitigating this risk.
“Ensure the HDO has a policy for use of removable media and propagate it down to the medical device fleet if possible. Policies not able to be enforced or managed via group policies (i.e. Active Directory) may be enforced via workflow policies. USB port blocking plugs can be used as a backup physical control,” Copeland says.
Best Practices
Copeland suggests a few sources to determine best practices.
“ANSI/AAMI/IEC 80001-2 Application of risk management for IT networks incorporating medical devices covers wireless, distributed alarms systems, security controls, vendor responsibility agreements and more,” he says. “Medical devices share some of the same vulnerabilities and constraints with regards to network security as Industrial Control Systems (ICS). Some insight may be gained from NIST SP 800-82 Guide to ICS Security.” Also, AAMI TIR 57 Principles for Medical Device Security-Risk Management is an informative tool.
He also suggests the online resource: The Healthcare Sector Cybersecurity Framework Implementation Guide available at https://goo.gl/kdc3X7.
As mentioned earlier, there are partnerships that must be formed within health care systems to combat cyberthreats. The skills of many different departments will be required as new threats become more sophisticated and take more circuitous routes.
“In order to effectively deal with emerging cybersecurity threats, a collaboration between HTM, IT and Information Security departments is highly recommended. This collaboration should address security concerns during any future medical device purchases, incident response, and with ongoing risk management efforts,” Leinonen says.
With the insights provided by experts and established frameworks, along with a thorough updated inventory and cross-collaboration with other stakeholders, the HTM department can do its part to protect patients and their employer’s brand. As long as there are resourceful criminals, the challenge to protect entrusted information will be ongoing.