By K. Richard Douglas
Cyberattacks impact every facet of society, from banking and retail to health care and every computer user. Hackers and other cyber criminals have found myriad ways to breach databases and networks as a means to acquire illicit gains from victims through ransomware or through the sale of personal data on the dark web.
“Criminal terrorists, foreign adversaries constantly prowling this digital domain represent a threat to this nation. And America’s digital infrastructure is under constant cyberattack,” said Vice President Mike Pence, while speaking at the recent National Cybersecurity Summit in New York City.
“The federal government alone experiences hundreds of thousands of digital assaults every day. And across the entire country, the number of attacks on our digital infrastructure is impossible to calculate. Our digital foes are targeting every facet of our society,” Pence said.
The level of threat that online criminals and hackers pose is a national and international concern. It has been found in breaches of information in the federal government, breaches of a major credit bureau and incursions into retailer networks and health care systems.
Our Connected World
For most people, thinking about the Internet means thinking about a system that connects their computer to sources of information. They may also think about their smartphones or tablets. The truth is, the Internet connects us to much more than these computer interfaces; it connects homes and businesses to many things. And, those things can be interconnected as well.
This is the basis for the term, “the Internet of Things,” or IoT, which describes all of the devices that access the Internet beyond a household or business computer. Appliances in your kitchen or laundry room, security systems or even your thermostat are all potentially connected to the Internet.
“Latest innovations have fueled the development of new IoT devices. Unfortunately, the focus on security of these devices continues to lag behind and is even losing ground in some cases compared to the growing list of devices in use,” says Xu Zou, CEO of Zingbox.
IoT in Health Care
Zou says that while you can’t expect consumers to become experts in all things IoT, they should be aware of two key areas when it comes to IoT. The IoT is not only in homes and businesses but in health care as well.
“Consumers should be cognizant of the cost of service disruption. What can happen if IoT unexpectedly malfunctions or must be taken offline? The cost of malfunction during critical care or an operation is clear, leading to a discussion of life or death. However, many overlook the cost of service disruption as a precaution,” he says.
“Without clear visibility of the state of IoTs and the confidence to rely on such a device during critical care, procedures are often postponed. While not appearing as urgent as malfunctioning IoTs in real-time, postponing or canceling an appointment can have a similar outcome,” Zou says.
“Security of PHI information continues to be synonymous with health care security. However, many overlook the devices that contributed to one’s PHIs. They are in fact IoT or connected medical devices. When an X-ray machine creates an image and transfers that image along with the associated patient details, it is contributing to his/her PHI. When an IV pump is programmed to dispense accurate dosage of medicine, the device houses the information of the associated patient. When/if these devices are tampered with or hackers gain unauthorized access, the PHI information in addition to the device functionality are at risk,” Zou adds.
He says that Zingbox released a threat report on connected medical devices earlier this year.
“While we uncovered many insights for the creation of the report, one glaring issue was the lack of encryption used in the device traffic,” he says.
“Virtually no devices, even the ones equipped with encryption capability, were configured to encrypt traffic. This is the simplest safeguard that can be employed with very little or no additional spend,” Zou says.
Health Care’s Vulnerabilities
In hospitals, and other health care settings, the network may connect to a plethora of medical devices. There are connections between clinicians’ smartphones and other systems.
In 2015, one hacker group was identified that specifically targets the health care sector. The group’s malware was found on X-ray and MRI machines as well as on devices used to assist patients in completing consent forms for required procedures, according to Symantec.
What may be worse for the health care sector are some of the results of a report coming out of a survey done by Verizon. The 2018 Data Breach Investigations Report (DBIR) found that “the health care industry was the only sector surveyed that had more internal actors (56 percent) behind cyber incidents than external (43 percent).”
According to Verizon, “The health care industry is rife with error and misuse. In fact, it is the only industry that has more internal actors behind breaches than external. In addition to these problem areas, ransomware is endemic in the industry.”
Some of the report’s other findings include:
- Top Three Patterns: privilege misuse, miscellaneous errors and physical theft and loss represent 80 percent of breaches within health care;
- Threat Actors: 68 percent internal, 32 percent external, six percent partner (breaches);
- Actor Motives: 64 percent financial, 23 percent fun, seven percent grudge (breaches); and
- Data Compromised: 69 percent medical, 33 percent personal and four percent payment.
The report also offers insights on how to combat attacks and found that ransomware attacks had doubled since 2017 across businesses. The report states: “Ransomware is the most prevalent variety of malicious software.”
HIPAA rules dictate the safe handling of patient information in health care. With ePHI, this information has to be safeguarded against access by hackers. Locking a paper file folder in a locked cabinet, in a locked room, in a locked building, provides safeguards that can be easily visualized.
“The most commonly used strategies and successful breaches of cybersecurity are based on low-tech and attributable to bad behavioral practices,” says Tom Hui, CEO and founder of HSTpathways in Lafayette, California.
“A practical and low-cost remediation involves (1) a review, (2) education, and (3) compliance with cybersecurity policies and procedures. Many health care organizations are behind in one or all three of these areas,” he says.
Hui says that some of the “low-tech dangers” include the firewall, which needs to be maintained and updated; professional hackers constantly trick firewalls and get through them. Also, nurses’ access to computers is not well managed and interfaces are ripe for improvement.
“People rely on the network to be secure and protected. If a hacker gains access to network security, then everything is wide open. The vulnerabilities are around how data gets from the devices to the EHR database,” Hui says.
“When transmitting data by WiFi or cable, the data is not encrypted most of the time. I’ve not encountered a device that is natively encrypted. A lot of these devices or monitors are designed to be self-contained and sold independently from EHRs. That implies that these devices contain patient demographics and patient information, so there is an added risk of exposure. That device now sends data set, patient information – and it’s not in people’s consciousness. The protection goes down,” he says.
Hui says that once a hacker gets into a network, it’s all there and available. Hacks that can cause patient harm are related to the IoT. A hacker could gain access to the network and change the data stream being displayed on the monitors.
He also points to personnel changes and the vulnerability of LAN servers as other areas that can be zipped up for protection.
“As a general rule, quarterly reviews of personnel changes along with user roles and access should be part of the operating HR and IT departments should be coupled whenever personnel job titles and duties change that require modifications to an application’s access,” Hui says.
He says that there is a misconception about local area network (LAN) servers.
“A LAN server and application deployment is no more secured from hackers than an application operating in the cloud. They have different risk profiles. A good argument can be made that cloud platforms are better protected because of more extensive cybersecurity tools, redundancies and resources,” Hui adds.
Recurrent Themes
Across the industries that have a vested interest in protecting data and bolstering cybersecurity, a number of recurring themes are heard. While the types of incursions are many, there are some preferred methods employed by hackers.
“There are two main cybersecurity dangers in health care today. The first is an attacker’s ability to gain access (and control) a medical device in the hospital environment. The risk here is primarily that this leads directly to a demand for ransom. This is a significant vulnerability because many devices are not secure and present a significant threat to health care institutions,” says George Gray, who is the CTO and vice president of research and development for Ivenix Inc.
He says that the second danger is around gaining access to protected health information (ePHI).
“Attackers can use this patient information to steal a user’s identity or attack them financially. This threat is primarily a concern for EMR systems. But as device vendors, we need to do our part by not being that doorway onto the hospital network,” Gray says.
It is a ransomware concern shared by other professionals who focus on cybersecurity.
“Ransomware isn’t going away. It is cheap, easy and profitable. Most health care systems are only a phishing email away from a breach,” says Rich Curtiss, chief information security officer, cybersecurity and risk management, at Clearwater Compliance.
“However, the threat landscape has changed and a new actor is crypto mining. This is a form of malware that resides on a computer, usually undetected, which uses the computer cycles to execute complex mathematical computations to generate computer currency such as ‘bitcoin.’ While a dissertation unto itself, crypto mining is considered a breach and must be assessed for probability of compromise. A far more insidious threat is the unmanaged IoT landscape across a health care system. This is still largely untreated and isn’t centrally managed,” Curtiss says.
HTM’s Role
If every medical device operated in a stand-alone environment and none required software, then HTM would have no interest in cybersecurity. That is far from being the case. As technology has advanced in recent decades, the reality of the connected device, operating on software and often storing ePHI, has required HTM to be keenly aware of threats and to remain vigilant.
“The question no longer exists whether HTM is aiding IT; HTM and IT should be working together. It is a must for every hospital,” says Salim Kai, MSPSL, CBET, ABET PEV, biomedical engineering manager for Kettering Health Network in Kettering, Ohio.
Kai says that the traditional CMMS is limited in aiding HTM professionals to quantify risks and use data to drive daily decision making. He says that beyond inventorying the connected assets, cataloging their network parameters, quantifying the risks, etc., the CMMS needs to interface with other applications to be able to determine in near real-time what is normal for any medical device connected on the IT network and take action.
“For example, quarantine the device in question, open a work order [and] quantify the type of threat,” Kai says. “The traditional CMMS is not designed for networked medical devices. There is a need for the CMMS to interface with IT configuration management databases to track hardware and software and their relationships in near real time.”
Further, he says that hospitals need to focus on their critical devices and the devices’ daily activities to ensure they are secure.
“Critical devices and medical device systems are a smaller percentage of the overall connected device fleet within an organization. Critical devices and systems like the electronic health record and any medical device that can bring clinical operations to a halt in the event it becomes compromised,” Kai says.
“Hospitals should engage vendors about what they are doing to secure/patch their devices and ensure they receive the latest patches within a reasonable time. For a while, we were concerned about Windows XP systems, connected to the IT network,” he says.
“Many medical devices today operate on Windows 7 and Microsoft announced that it no longer supports Windows 7 after 1/14/2020. In less than two years, we will be having the same conversation about Windows 7 as we did with Windows XP,” Kai adds.
He says that today, many manufacturers are not ready to upgrade to Windows 10. Hospitals need to include a clause in their service agreements for new medical equipment that specifies the upgrade to Windows 10.
He recommends that IT, HTM, facilities engineering, supply chain, value analysis professionals and others who can provide insights should be meeting on a regular basis to collaborate and plan ahead.
“We have seen significant transformation in the past few years in which IT and biomed/clinical engineers continue to work closer together. There is still much work to be done. One area in which biomedical/clinical engineering departments can help IT is to provide additional device context,” Zou says.
“Many IT-based devices are well-defined general-purpose devices that can be characterized by IP addresses. Connected medical devices are not. IV pumps, X-ray machines and ultrasound machines all have IP addresses, but they perform vastly different functions, range in device count from a handful to several hundreds and are associated with different levels of criticality. The lack of device context has historically hindered the effectiveness of the IT department,” Zou adds.
Sharing real-time device inventory, discussing the ramifications of quarantining or off-lining a device, and reviewing abnormal behavior of connected medical devices with the IT department can go a long way toward blocking hackers.
He says that another opportunity for collaboration is the deployment of tools that interoperate with traditional IT tools.
“Traditional IT security tools such as firewall and NACs have been ineffective in securing connected medical devices due to the lack of context. One IP address is the same as another IP address. Tools that can provide insight into the device itself, including the identity, category and critical nature of the devices and interoperate with traditional IT tools can leverage that intelligence to terminate connections, quarantine a device and segment the network effectively,” Zou says.
There may be some areas where biomed is restricted in doing all that can be done.
“Clinical engineering or biomedical services are largely in a ‘cybersecurity vacuum’ when it comes to managing medical devices. Couple that with the vendor ‘lock down’ on device maintenance and you have a recipe for a compromise,” Curtiss says.
“Technical scanning of devices is usually prohibited by clinical engineering because of the potential to unintentionally disable a device. This leaves the status of the device in an unknown state and security vulnerabilities may be unpatched and vulnerable to exploitation,” he says.
As Kai suggested, Curtiss says that it is critical that health care systems establish a governance strategy which includes IT, information security and clinical engineering working in a collaborative process to identify and respond to medical device vulnerabilities.
“This is a clinical and patient safety issue. Some of the more progressive health care systems have recognized this and are employing a quality response to more effective management of medical devices,” he adds.
“Inventory all medical devices and work with vendors to assess the security risks related to each. Then put the proper mitigations in place to reduce that risk. For those devices where vulnerabilities cannot be addressed adequately, make these risks known and consider plans to replace these devices over the long term,” Gray says.
Knowing what is in the inventory of connected devices and segmenting can help with risks as well, says Zou.
“Poor network planning contributes significantly to amplifying the vulnerabilities of connected medical devices. Our research has found that the leading device on network segmented for medical devices is not medical devices,” he says.
“In fact, PCs make up more than 40 percent of the devices. The connected medical devices in this network are then exposed to all the malware, ransomware and viruses that can be downloaded by the PC and target the connected medical devices. Careful network planning and accurate micro segmentation can alleviate many of the issues connected medical devices face,” Zou says.
He says that many organizations, unfortunately, do not maintain a real-time, accurate inventory of their connected medical devices.
“This is one of the main reasons why organizations are challenged to plan their networks effectively. How can you set up your network well to house devices you don’t know you have?” he asks.
Training for the Battle
One route that would allow an HTM professional to be more prepared to address cybersecurity concerns is additional training. Several professional designations and programs of study exist to that end.
“CompTIA A+ is a good one to start with, then if you know a little about networking you can go straight to the CompTIA Security,” says Terry Boyles, who works in biomed at Parkview Health in Fort Wayne, Indiana, and who is in a hybrid position because of his training.
“I did the A+ and network and am working on the security now. Another good one is the CCNA. I have not tried that one yet. I have heard that it’s hard and it is recommended to take it in the two parts and not the single big test,” Boyles says.
Boyles adds that luckily most medical devices reside inside the hospital firewall.
“It is very helpful to try and keep them on their own VLANs. Depending on the size of the institution, if you can have your network instead of being on the hospital backbone, that helps,” he says.
With no let-up in the rate of cyberattacks and the prospect of making money via hacking, the work of IT, biomed and third-party providers continues. A hardened defense will only be possible with information, preparation and a thorough assessment of all connected devices.
There are benefits to interoperability in the health care setting and then there are bad people who think the benefit is to allow them to prosper.