By K. Richard Douglas
If the Wi-Fi went out in many homes, the result would be more than the computer going offline. It might mean that the front door would not unlock electronically, the thermostat would not maintain the correct temperature or the security cameras would show a blank screen.
Times have changed. When the Wi-Fi that a home's wireless devices depend on goes down, it is no longer just the laptop, tablet and network printer that stop functioning; it could mean much more. As the Internet of Things grows, it connects everything from the washing machine to the front door, the refrigerator to the lights.
This interconnection of things in the home has come to be known as a smart home. If the Internet connection is broken, or the power is out, the “smart home” becomes a not-so-smart home. The additional capabilities afforded by remote surveillance or the easy unlocking of the front door or remote climate control are negated.
These inconveniences are trivial when compared to what could happen in a hospital if connected devices are compromised by a rogue invader intent on hijacking patient information, interfering with the functioning of medical devices or holding a hospital’s data hostage.
It was that type of attack on health care facilities that caused a stepped-up effort in confronting a cryptoworm like WannaCry or the SamSam malware, both of which impacted the health care sector.
Points of entry for these incursions include third-party websites, email, compromised medical devices, infected software or hardware or a service or provider linked to a network through the cloud, according to a HIMSS Cybersecurity Survey.
These attacks, and the threat of new and even more sophisticated cyber attacks, were a wake-up call to the industry and health care organizations. In the last two or three years, there has been a seismic shift in prevention, mitigation and device design.
Our Connected World
Devices across the spectrum are connected to routers in homes and the workplace. All of these networked devices are potential targets for cybercriminals and hackers. In a report provided by Declan Bradshaw with Babel PR Limited, the enormity of the problem in health care is exposed.
“Use of the Internet of Things (IoT) is booming, with IHS Markit forecasting there will be 73 billion connected devices in use around the world by 2025. IoT technology has moved beyond speakers and smart fridges and is increasingly being utilized for critical applications across the health care industry like insulin delivery devices, connected inhalers and even cancer treatments,” according to a report by digital platform security specialist Irdeto, located in the Netherlands.
Irdeto software and cyberservices already protect over 5 billion devices and applications, and protect platforms and applications for video entertainment, video games, connected transport and IoT connected industries.
The report says that the health care sector is severely lacking the resources to tackle a growing cybersecurity threat. Patient safety could be at risk.
“The company’s latest research – which surveyed security decision makers at global health care organizations to gauge perceptions of IoT security – found that 82% of health care organizations experienced an IoT-focused cyber attack in the last 12 months; nearly a third of those hit reported compromised end-user safety as a result,” the report states.
The report also revealed that only six percent of health care organizations have everything they need to tackle IoT cybersecurity challenges, with an urgent requirement for increased skills and more budget for security identified.
“IoT devices are often targeted by cybercriminals as they are much easier to compromise than businesses’ more sophisticated perimeter cyber defenses. The problem is that growth in the use of IoT has far outstripped the increase in trained professionals emerging. As a result, health care organizations often don’t have the expertise internally to ensure the connected devices they are using within their organizations are secure,” the report claims.
Findings from the report revealed that 90 percent of those hit by IoT-focused cyberattacks experienced an impact, the most common of which was operational downtime (43 percent). Also noticeable is that 30 percent of attacks compromised end-user safety.
Also, 96 percent believe their organization has some form of cybersecurity vulnerability, with 42 percent identifying IoT devices as the biggest threat and a quarter of health care organizations identifying their greatest cybersecurity weakness as their own employees.
The report states that 98 percent of all health care organizations believe the cybersecurity of IoT devices could be improved. More than one in four manufacturers of IoT devices for health care only update the security of devices they manufacture while they are in warranty. One in five leave it to the customer to install updates.
“IoT cyberattacks will continue to be prevalent as use of IoT devices grows. However, as they are increasingly used in mission-critical scenarios in industries like health care, the impact of operational downtime and compromises to end-user safety become far greater than just a financial cost,” says Steeve Huin, vice president of strategic partnerships, business development and marketing at Irdeto.
“Securing each and every potential ‘entry point’ is critical to ensure the integrity of a business’ network as a whole. Manufacturers have a greater responsibility when dealing with potentially critical IoT in health care, and thus need to move away from the traditional ‘build, ship and forget’ mindset and incorporate multiple layers of security into the devices they manufacture,” Huin adds.
He says that the consequences of failing to properly secure health care IoT devices are real, and need to be taken seriously.
HTM’s Role
When it comes to HTM’s involvement in the cybersecurity puzzle, the need for vigilance and knowledge is important. Consulting with the IT team is one of the first steps.
“First and foremost, get with your IT security folks to determine what cybersecurity framework your organization uses,” says David Yaeger, biomed security data base analyst, HTM and biomedical engineering for ProHealth Care in Waukesha, Wisconsin.
“Having an accurate CMMS is essential to assist in how fast mitigation can happen if a vulnerability is identified. There are third-party applications available for purchase that can identify, categorize and monitor, using AI capabilities, medical and other IoT devices to get a better understanding of what is on your network and what these devices are talking with. It can, if desired, connect to your CMMS and update identified fields as requested,” Yaeger says.
“In the end, it comes down to a solid ‘defense in depth’ approach with multiple security control points across an enterprise, combined with meaningful end user security training,” says Axel Wirth, chief security strategist at MedCrypt.
Wirth says that one trend that has evolved over the past few years is that of “security orchestration,” meaning that the various security tools across the enterprise work together in an automated fashion.
“A security breach may not be reliably detectable at a single point, but if, for example, your email security system can share information with the endpoint product, one can not only detect more reliably, but also much earlier and with fewer false positives. Or, if a security incident is detected on one system, it is important to understand the preceding events and to see if similar events can be detected on other systems so they can be addressed before the device is compromised,” Wirth says.
Some suggested steps from Yaeger include network segmentation via ACLs, penetration testing on a regular basis, phishing email testing on a regular basis, yearly cyber training via CBLs and planting spoof workstations on the network to seek out hackers.
With the safeguards that manufacturers are including with devices, and the work of IT to monitor the network, what role does HTM play to protect their facility from hacking, ransomware and other dangers?
“Simply put, HTM’s responsibility should be to help build a more secure medical device infrastructure. Security considerations are now part of every step, this begins with the procurement and contracting process and continues over device incoming inspection (and potentially incoming testing), secure device handling and operation, all the way to device end of life and secure disposal (or return),” Wirth says.
He says that HTM professionals need to understand the potential impact of insecure devices on patient safety, privacy, delivery of care and security posture. A medical device-specific security risk management program is key and should span the entire life cycle of the device, but also should include all internal and external stakeholders including clinical engineering, IT and IT security, clinical representatives, executive management and the manufacturer.
“Besides protecting devices, HTMs are also users of IT and IT services, meaning they need to be vigilant when using email or web services on the hospital network. Any malicious link or compromised website is a risk to the larger organization and we all need to be security conscious and responsible users,” Wirth says.
Yaeger says that HTM can employ USB locks, encrypt hard drives on devices, and use active directory authentication, if applicable, to reduce who has access to a device.
“HTM can also keep up with patching with vendors’ authorization, and get devices with old operating systems replaced as soon as possible. HTM and IT can work on network segmentation by creating ACLs from third-party applications and inputting these ACLs in your network switches,” Yaeger says.
How does HTM prioritize the most important first steps in a cybersecurity plan?
“At the risk of being repetitive, getting an accurate inventory in your CMMS is first and foremost so you know what is on your network. Knowing what patch level these devices are at is important. In addition, the focus could turn to the devices with the oldest operating systems, as there are no patches available for these items,” Yaeger says.
He says that the next easiest targets would be to look at vendors that are on top of their game with patch availability, especially if they are under a service contract. These vendors should be maintaining the patch level on their devices.
“The key steps should be procurement, asset visibility, risk management, change management (e.g. patch deployment), end user education, incident response and device end of life. I think we are now in a better place than only a few years back in a sense that for most of these tasks we now have commercial products or published best practices that can be applied,” Wirth says.
“We need to realize that the devices we have on our hospital networks are, for the most part, insecure relative to today’s cyber threats, meaning that for at least another decade we need to reduce device risks through external (network-based) measures like network segmentation, firewalls and dedicated anomaly detection solutions,” he adds.
Creating an Inventory of Susceptible Devices
How does the HTM department go about the task of developing an inventory of at-risk devices?
“I think this question should start with the requirement for a complete inventory of all devices. Traditional medical device asset systems and the quality of asset inventory have not been sufficient to address the security challenge. Either because asset inventories were incomplete or lacked security-relevant information. These systems are improving and even automated systems start to appear in the market. This will lead to better inventory visibility and will allow us to specifically focus on the higher risk devices – higher risk either based on the device being more vulnerable or a device incident having higher impact potential,” Wirth says.
Wirth says that once these devices are identified, they can be protected through network segmentation, firewalls or similar measures.
“We also should not forget about device handling, e.g. the use of USB thumb drives on a device or other user-initiated actions that could expose a device,” he adds.
Yaeger believes that an accurate inventory can help with identifying devices by creating a complete knowledge base of operating systems [and] third-party applications that are included in the device.
“Knowing if a device is susceptible or not is difficult as some of the vulnerabilities are not known yet. Having an accurate inventory is always the first step in keeping your devices, network and patients safer,” Yaeger says.
How Can CMMS Be Utilized?
How can CMMS be updated to include all devices which may be exposed to hacking or cyber threats?
“As I mentioned above, the challenge with traditional CMMSs is that they were not designed with security management purposes in mind. This is changing now and systems entering the market today provide these features through, for example, automated network-based discovery (improving completeness of inventory) and collection of security-relevant information like software and patch level, open ports, communication patterns, etcetera,” Wirth says.
“I am not sure you could specify what device may be vulnerable to hacking and cyber threats so the best practice may be to inventory all devices in your CMMS and try and gather as much detail about that product so it becomes mineable in the event of a cyber threat becoming known,” Yaeger says.
He says that another potential would be to purchase a third-party application, as mentioned before, that identifies items on your network. Details that this application gathers could be sent to the CMMS to update, accurately, the details of a device. This knowledge would assist in the speedy mitigation of a vulnerable device.
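The workflow Wirth and Yaeger describe, with network discovery data updating CMMS records so the inventory can be mined once a vulnerability becomes known, is sketched below as an added example that is not from the article or from any vendor's product. The record fields, the component name examplelib, the version numbers and the discovery output are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Device:                     # one CMMS record (field names are assumptions)
    asset_tag: str
    mac: str
    model: str
    os_supported: bool = True     # False: OS no longer receives patches
    os: str = "unknown"
    software: dict = field(default_factory=dict)   # component -> version

def as_tuple(version):
    """'2.4.1' -> (2, 4, 1) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))

def reconcile(cmms, discovered):
    """Copy discovery-tool findings into CMMS records, matched on MAC address.
    Returns MACs seen on the network that have no CMMS record."""
    by_mac = {dev.mac.lower(): dev for dev in cmms}
    unknown = []
    for seen in discovered:
        dev = by_mac.get(seen["mac"].lower())
        if dev is None:
            unknown.append(seen["mac"].lower())
            continue
        dev.os = seen.get("os", dev.os)
        dev.software.update(seen.get("software", {}))
    return unknown

def affected(cmms, component, fixed_in):
    """Devices running `component` older than `fixed_in`, unsupported OS first."""
    hits = [dev for dev in cmms if component in dev.software
            and as_tuple(dev.software[component]) < as_tuple(fixed_in)]
    return sorted(hits, key=lambda dev: (dev.os_supported, dev.asset_tag))

def sample_cmms():                # constructed inventory
    return [Device("BME-0001", "02:00:00:00:00:01", "infusion pump"),
            Device("BME-0002", "02:00:00:00:00:02", "patient monitor", os_supported=False),
            Device("BME-0003", "02:00:00:00:00:03", "ultrasound")]

DISCOVERED = [                    # constructed discovery-tool output
    {"mac": "02:00:00:00:00:01", "os": "Linux 4.9", "software": {"examplelib": "2.3.0"}},
    {"mac": "02:00:00:00:00:02", "os": "Windows XP", "software": {"examplelib": "1.9.4"}},
    {"mac": "02:00:00:00:00:03", "os": "Windows 10", "software": {"examplelib": "2.4.1"}},
    {"mac": "02:00:00:00:00:99", "os": "unknown"},   # on the network, not in CMMS
]

if __name__ == "__main__":
    inventory = sample_cmms()
    print("not in CMMS:", reconcile(inventory, DISCOVERED))
    for dev in affected(inventory, "examplelib", "2.4.0"):   # hypothetical advisory
        print(dev.asset_tag, dev.model, dev.os, dev.software["examplelib"])
```

Before reconciliation the same query returns nothing, because the constructed CMMS records carry no software details to search.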
The experts had much more to say about this subject, but the scope of this discussion here is limited. Cybersecurity experts have a number of suggestions that can help button down a network and connected devices. There are good published guides from AAMI, NIST, ANSI and the Health Sector Council.