By Joe E. Fishel
The Punxsutawney groundhog comes out of its burrow on February 2nd every year. If it sees its shadow we have six more weeks of winter. If it doesn’t see it’s shadow, spring will arrive early. After its forecast, the groundhog returns to its burrow and life goes on. Many HTM staff are treating cybersecurity the same way. I have heard some say that we never had to do this before, or I have two years to retirement why do I need to learn this? This, unfortunately, is HTM’s future. It’s not going away.
Biomedical cybersecurity is a bit different from the IS side of the house. Many of our devices are six years old or older from an operating system standpoint. The older systems are more vulnerable to being hacked. A $3 million linear accelerator isn’t something you just up and replace because it uses Microsoft XP. You need to come up with a way to protect it until management can replace it. In this series, I hope to give you some ideas and solutions. Every network is different, so some things may work for you and some may not.
A new operating system seems to come out every three years. With the product development cycle and the FDA approval process being what it is, by the time a device hits the market a new operating system has already hit the market. The medical equipment manufacturer is always behind the curve. Cybersecurity is going to be an ongoing endeavor. We need to come up with a tactical plan as well as a strategic plan. A tactical plan includes tasks that can be accomplished in the next 12 to 18 months. Some of this can also be preparing for a strategic plan. Strategic planning is where we want things to be in 3 to 5 years and it may require incorporating some changes that will strengthen your program.
To prepare for developing a plan, talking to your IT/IS department is very important. You need to find out what they can and can’t do currently. What tools do they currently have for vulnerability testing? Can they create Access Control Lists (ACLs)? This is similar to parental controls on a TV. It restricts what the device can talk to and who can talk to it. Tactically, for a short term, applying ACLs on the edge routers to the site can prevent access to the Internet or restrict access from the Internet to query your network. These are routers where your traffic comes into and goes out of your building. This is often referred to as north/south protection. Very often staff are using imaging workstations and because they can access the Internet they will check their email. This allows access into your site. By restricting Google, Yahoo, Hotmail, and only allowing the device to access the manufacturer’s or vendor’s site you cut back on vulnerability. Many hospitals require staff to sign an acknowledgement that they won’t use hospital computers in this manner not realizing this includes medical devices. You may want to look at your policies and update them.
This discussion with IT is important for your tactical plan as well for discussing changes they are planning and what standards will be changing. Examples of this could be that they are moving to a different network in the future? They may want to require a higher level of root certificate authentication to connect to the network. Are they planning on going from a SHA1 to SHA2 root certificate for authentication on the network? SHA-1 or SHA-2 (Secure Hash Algorithm 2) is a set of cryptographic hash functions designed by the National Security Agency (NSA). Cryptographic hash functions are mathematical operations run on digital data; by comparing the computed “hash” (the output from execution of the algorithm) to a known and expected hash value, a person can determine the data’s integrity. SHA-1 uses 128 characters and SHA-2 uses 256 characters.
Finding out what is coming down the road is very important so that you can start preparing – even if it is identifying what isn’t SHA-2. The questions you need to be asking are what requirements will be changing? What is new? How will these changes affect how medical equipment gets on the network? Will it be able to continue in the future? Network cards that work fine now may not be able to connect to the network in the future should a higher root certificate be incorporated into the connecting process.
Tactical decisions can help set up a program from a strategic standpoint. Gathering additional information and creating fields in your inventory will help identify vulnerabilities in the future. I will go into that later, but having an accurate inventory is critical. Without an accurate inventory, you don’t know what you have or where it’s located when a vulnerability comes along.
Joseph E. Fishel, CBET, MBA, is a Healthcare Technology Systems Manager for Sutter Health eQuip Services.
