By Connor Walsh
Encryption, hacks, ransomware, auditing, backups, permissions. These are just some cybersecurity terms that are undoubtedly heard on a consistent basis by the modern HTM professional, but the importance or meaning behind them may not fully be understood. Now more than ever, data protection of medical devices and systems must be considered for any new system deployed into your environment. Installing insecure, obsolete devices can have a crippling impact on your organization.
At the beginning of this year, the HIPAA Journal reported a 196% increase in total health care data breaches between 2018 and 2019. This amounted to a total of 41,335,889 breached records, which was the largest amount in recorded history. Protecting your organization’s data and proper data handling techniques can be traced back to understanding three core concepts: confidentiality, integrity and availability. Together, these principles form a security model that is arguably the most important terminology in cybersecurity. Let’s explore each of these topics, relating their importance to HTM.
Confidentiality is closely related to privacy; that is, ensuring data is seen only by those who need to see it. Imagine for a second you have a cardiology PACS workstation in a high-traffic area. How do you make sure that only the approved cardiologists are able to log in? Do they log in with a username/password or a smart card? If someone were to steal that workstation, is the hard drive encrypted to ensure the data cannot be read? Common techniques in today’s health care for ensuring confidentiality are encryption (both at rest and in transit) and improved authentication techniques, such as two-factor authentication (i.e., something you know, such as a password, and something you have, such as a smart card). As more medical device manufacturers take cybersecurity principles more seriously during new product development, these features are often offered and should be considered when rolling out new medical equipment. Unfortunately, even with the strongest controls in place for ensuring confidentiality, the weakest links in any organization are the employees. Security awareness training for different medical systems while on environment of care (EoC) rounds and constant security education of staff are other methods for ensuring that confidentiality is maintained in your organization.
Integrity is centered around guaranteeing the accuracy of data and making sure that there are no unauthorized changes to a system or data. In HTM, some examples of protecting data integrity are file share permissions, work order documentation and audit logging. For example, let’s say you had one file share location that housed data for both pathology and radiology. You would not want to allow permissions for pathologists to access the radiology data unless there was a valid reason. Allowing this opens the risk for a pathologist to accidentally (or maliciously) delete/modify the radiology data, which would impact its integrity. Work order documentation is also a form of ensuring integrity of medical systems. Keeping a detailed record of equipment maintenance tracks all major changes to that device, allowing this history to be referenced if there was an issue with that system in the future. Audit logging is another means for protecting data integrity and is one that is often overlooked by HTM and manufacturers. If you have an agreement with a vendor for remote access into your servers, are you alerted when they remote in? If they were to remote in, do you have an audit trail of all changes made on the server to hold individuals accountable? When users access a system on which they know their actions are tracked, they are less likely to misuse the equipment.
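The questions above about vendor remote access can be answered from a server's audit log. The following Python example is added here and is not part of the original article: it raises an alert for each vendor remote logon, attaches the changes made during that session, and flags vendor changes made outside any recorded session. The log format, the `vendor_svc` account, the host names and every log line are constructed for illustration.

```python
from datetime import datetime

VENDOR_ACCOUNTS = {"vendor_svc"}          # assumption: accounts issued to the vendor
CHANGE_EVENTS = {"FILE_MODIFY", "SERVICE_RESTART", "CONFIG_CHANGE"}

# Constructed sample lines: timestamp | host | account | event | detail
SAMPLE_LOG = """\
2020-06-01T08:02:11 | gi-pacs-01 | jsmith | REMOTE_LOGON | src=10.1.4.22
2020-06-01T22:14:37 | gi-pacs-01 | vendor_svc | REMOTE_LOGON | src=203.0.113.7
2020-06-01T22:16:05 | gi-pacs-01 | vendor_svc | CONFIG_CHANGE | dicom.ini
2020-06-01T22:19:48 | gi-pacs-01 | vendor_svc | SERVICE_RESTART | pacs-archive
2020-06-01T22:25:10 | gi-pacs-01 | vendor_svc | REMOTE_LOGOFF | -
2020-06-02T03:40:00 | card-pacs-02 | vendor_svc | FILE_MODIFY | users.db
"""

def parse(line):
    ts, host, account, event, detail = [f.strip() for f in line.split("|")]
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "account": account, "event": event, "detail": detail}

def vendor_audit(log_text, vendor_accounts=VENDOR_ACCOUNTS):
    """Return (alerts, sessions, orphans) for vendor activity in the log."""
    alerts, sessions, orphans = [], [], []
    open_sessions = {}                     # (host, account) -> session dict
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    for e in events:
        if e["account"] not in vendor_accounts:
            continue                       # staff activity is out of scope here
        key = (e["host"], e["account"])
        if e["event"] == "REMOTE_LOGON":
            s = {"host": e["host"], "account": e["account"], "source": e["detail"],
                 "start": e["ts"], "end": None, "changes": []}
            open_sessions[key] = s
            sessions.append(s)
            alerts.append(f"{e['ts'].isoformat()} vendor logon {e['account']}@{e['host']} {e['detail']}")
        elif e["event"] == "REMOTE_LOGOFF" and key in open_sessions:
            open_sessions.pop(key)["end"] = e["ts"]
        elif e["event"] in CHANGE_EVENTS:
            if key in open_sessions:
                open_sessions[key]["changes"].append((e["event"], e["detail"]))
            else:
                orphans.append(e)          # change with no recorded remote session
    return alerts, sessions, orphans

if __name__ == "__main__":
    for part in vendor_audit(SAMPLE_LOG):
        print(*part, sep="\n")
```

A session whose `end` stays `None` never logged off, and an entry in `orphans` is a vendor change that cannot be tied to a logon; both are accountability gaps to review.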
The final corner of the CIA triad is “availability.” This is the idea of ensuring data is readily accessible when needed. In HTM, preventative maintenance is a form of availability, as it serves to ensure the function of medical systems for the long term. Other forms of availability are system backups, which act to preserve data in the event of a hardware failure. Are you prepared in the event of a disaster? Do you know who to call and what needs to happen if your GI PACS system were to crash? A common technique to protect availability of data is to run proactive table-top exercises for disaster recovery. Set up a meeting of all necessary parties and run through a fake scenario as if you just arrived at your facility and a critical server was down. Typical cyber-attacks a health care organization may see on its systems, which affect availability, are distributed denial of service (DDoS) and ransomware attacks. Both prevent users from accessing data where and when they need it. Earlier this year, the largest private hospital operator in Europe, Fresenius, was hit by the SNAKE ransomware. The assault held Fresenius IT systems hostage, directly impacting system availability. The cyber criminals behind the attack demanded payment via digital currency in order to restore access. They gave Fresenius a deadline of 48 hours before they would publish all data on a public online forum, which ultimately would result in a major loss of confidentiality as well.
The overall idea of the CIA triad is that no one principle can operate successfully without the other two. You cannot have data confidentiality and integrity if the system crashes and all the data is lost (i.e., no availability). Data availability and integrity controls deteriorate if you have a medical system in a high-traffic area holding sensitive information that is set to autologin (i.e., no confidentiality). And data confidentiality and availability controls are weakened if you have a medical device using a file share with “everyone” set as full read/write permissions (i.e., no integrity). It is of utmost importance for HTM professionals to take into consideration all three of the CIA principles when procuring and installing new medical equipment, especially in today’s ever-evolving cybersecurity landscape.
Connor Walsh, CISSP, is a supervisory clinical engineer for the VA Boston Healthcare System. The views expressed here are those of the author and do not necessarily represent or reflect the views of TechNation or MD Publishing.