By Connor Walsh, CISSP

About 30 minutes into a shift, an emergency work order is entered because the facility GI PACS is down. The primary and secondary biomedical equipment support specialists (BESS) for this system are out on leave, so another BESS with limited knowledge of it calls the vendor support line. The call connects, and the vendor asks the BESS to log in to the server. They head to the login screen but realize they don’t have the credentials to log in, and frantically begin searching through department shared files for the password, to no avail. By this point, an hour has gone by, and the facility has started cancelling appointments. Does this story sound familiar?
Baselining is the concept of establishing a minimum security profile for your medical systems, per operating system, unique to your facility. The idea is that every system is configured in the same fashion, so that all of them are accessible, available and secured in the same ways. It usually takes the form of a checklist that is followed during initial system configuration, and it streamlines troubleshooting later down the line. Where possible, baselining is completed prior to the vendor software install, so that when a vendor first accesses the server or workstation, your minimum baseline has already been applied.
To begin your baseline policy or procedure, you need to identify which components of the medical system configuration you want to standardize. Department local admin credentials are a great starting point; had they been standardized in the example above, anyone in the department could have accessed the system to troubleshoot it. Continuing this example, and assuming we are developing a Windows 10 baseline, additional tasks include standardizing patch frequency, Windows Defender, BitLocker, domain join (if applicable to your environment), Remote Desktop enablement and detailed documentation (device name, location, MAC address, inventory tag, serial number and manufacturer/model). Some of this depends on medical device manufacturer approval, so it should be discussed during product evaluations in order to procure devices that can meet your baseline.
Due to the nature of medical devices, not everything is going to meet your baseline, and that is OK. You are performing adequate due diligence and due care by configuring these systems as close to your baseline as the manufacturer allows. Keeping track of these one-off systems also improves visibility of vulnerable devices in your environment, and on some of them you may decide to enforce additional compensating controls to mitigate the residual risk. These are decisions you will be able to make as a result of a proper baseline policy.
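The Windows 10 checklist items described above (standard local admin account, patch recency, Windows Defender, BitLocker, domain join, Remote Desktop and inventory documentation) lend themselves to an automated compliance check, and the one-off systems that cannot meet every item need a record of their deviations. The PowerShell script below is an added example, not code from the author or from any vendor, that audits a workstation against such a baseline and writes one JSON record per device for the exceptions register. The account name "HTMAdmin", the 30-day patch window and the 7-day signature age are assumed policy values, not anything the article specifies; location and inventory tag are left as manual fields because the operating system cannot discover them.

```powershell
#Requires -RunAsAdministrator
# Added example: audit a Windows 10 medical-system workstation against a department baseline.
# Policy values below are assumptions for illustration; replace them with your own baseline.
$Baseline = @{
    LocalAdminAccount = 'HTMAdmin'   # assumed name of the department-standard local admin
    MaxPatchAgeDays   = 30           # assumed patch-frequency target
    MaxSignatureAge   = 7            # assumed maximum Defender signature age in days
    RequireDomainJoin = $true        # set to $false if your environment does not domain-join devices
}

function Get-BaselineReport {
    param([hashtable]$Policy = $Baseline)

    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem

    # Documentation fields from the checklist. Location and inventory tag are manual entries.
    $inventory = [ordered]@{
        DeviceName   = $env:COMPUTERNAME
        Manufacturer = $cs.Manufacturer
        Model        = $cs.Model
        SerialNumber = $bios.SerialNumber
        MacAddresses = (Get-NetAdapter -Physical | Where-Object Status -eq 'Up' |
                        Select-Object -ExpandProperty MacAddress) -join ';'
        OSVersion    = $os.Version
        Location     = ''   # fill in manually
        InventoryTag = ''   # fill in manually
    }

    $checks = @()

    # 1. Department-standard local admin account exists and is enabled.
    $acct = Get-LocalUser -Name $Policy.LocalAdminAccount -ErrorAction SilentlyContinue
    $checks += [pscustomobject]@{
        Check  = 'LocalAdminAccount'
        Pass   = ($null -ne $acct -and $acct.Enabled)
        Detail = if ($acct) { "exists, Enabled=$($acct.Enabled)" } else { 'account not found' }
    }

    # 2. Patch recency: the newest dated hotfix must fall inside the allowed window.
    $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $age = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }
    $checks += [pscustomobject]@{
        Check  = 'PatchRecency'
        Pass   = ($null -ne $age -and $age -le $Policy.MaxPatchAgeDays)
        Detail = if ($latest) { "$($latest.HotFixID) installed $age days ago" } else { 'no dated hotfixes found' }
    }

    # 3. Windows Defender: real-time protection on and signatures current.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $checks += [pscustomobject]@{
        Check  = 'Defender'
        Pass   = ($null -ne $mp -and $mp.RealTimeProtectionEnabled -and
                  $mp.AntivirusSignatureAge -le $Policy.MaxSignatureAge)
        Detail = if ($mp) { "RealTime=$($mp.RealTimeProtectionEnabled), SigAge=$($mp.AntivirusSignatureAge)d" }
                 else { 'Defender status unavailable' }
    }

    # 4. BitLocker: OS volume fully encrypted with protection turned on.
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $checks += [pscustomobject]@{
        Check  = 'BitLocker'
        Pass   = ($null -ne $bl -and $bl.ProtectionStatus -eq 'On' -and $bl.VolumeStatus -eq 'FullyEncrypted')
        Detail = if ($bl) { "Protection=$($bl.ProtectionStatus), Volume=$($bl.VolumeStatus)" }
                 else { 'BitLocker status unavailable' }
    }

    # 5. Domain join, enforced only when the policy requires it.
    $checks += [pscustomobject]@{
        Check  = 'DomainJoin'
        Pass   = (-not $Policy.RequireDomainJoin) -or $cs.PartOfDomain
        Detail = "PartOfDomain=$($cs.PartOfDomain), Domain=$($cs.Domain)"
    }

    # 6. Remote Desktop enabled (fDenyTSConnections = 0 means RDP connections are allowed).
    $rdp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                            -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $checks += [pscustomobject]@{
        Check  = 'RemoteDesktop'
        Pass   = ($null -ne $rdp -and $rdp.fDenyTSConnections -eq 0)
        Detail = "fDenyTSConnections=$($rdp.fDenyTSConnections)"
    }

    # Failed checks become the deviation list for the one-off systems register.
    [pscustomobject]@{
        Inventory  = [pscustomobject]$inventory
        Checks     = $checks
        Deviations = @($checks | Where-Object { -not $_.Pass } | Select-Object -ExpandProperty Check)
        Compliant  = -not ($checks | Where-Object { -not $_.Pass })
    }
}

# Run the audit, show the results, and keep one JSON record per device.
$report = Get-BaselineReport
$report.Checks | Format-Table Check, Pass, Detail -AutoSize
$report | ConvertTo-Json -Depth 4 | Set-Content -Path "$env:COMPUTERNAME-baseline.json"
```

Run it once after initial configuration and again whenever a vendor has touched the system; a device whose Deviations list is non-empty is a one-off that belongs in the exceptions register with the manufacturer's reason and any compensating control recorded beside it. The Defender and BitLocker cmdlets come from the Windows Defender and BitLocker modules shipped with Windows 10 Pro and Enterprise, so on an edition without them those two checks report as unavailable rather than passing silently.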
If you are frustrated by having medical systems deployed at your facility in several different ways, a baseline will help fix that. It improves overall cybersecurity and shortens turnaround time for troubleshooting. It also gives you additional questions to ask medical device manufacturers during product evaluations, and helps you make informed decisions on which new risks you are willing to accept. Overall, it is a very beneficial tool and a significant process improvement for your HTM department.
Connor Walsh, CISSP, is a biomedical engineer for the Department of Veterans Affairs.
The views expressed here are those of the author and do not necessarily represent or reflect the views of TechNation or MD Publishing.