By Nadia ElKaissi, CHTM, and Emma C. Nehring
Picture this: A health care staff member notified your healthcare technology management (HTM) department that a medical camera monitor in an ICU patient room started moving on its own and sporadically shutting down.
After the HTM department sequestered the device, it was found that the equipment did not have the proper firmware to protect it from cyberattacks, and the password was disabled. In addition, unusual software had been installed on the device. Based on the investigation, one of the major outliers was that the device was using the guest Wi-Fi for connectivity. Something as seemingly innocent as a guest Wi-Fi had far-reaching implications.
Globally, there is a strong demand for Internet of Things (IoT) devices, particularly in the medical field. In fact, Cisco predicted that the number of networked devices would increase from 18 billion, calculated in 2018, to approximately 30 billion in 2023. Unfortunately, improved interoperability adds its own set of risks that many manufacturers may not take into consideration. Take the baby monitor, for example. The device is an appealing type of equipment due to its size, ease of installation and cost effectiveness. While the impressive features may make it an easy sell, many were found to have minimal security layers, which flagged the devices as a significant security threat. Some of the equipment was even found to have no encryption for video feeds, hard-coded passwords that are easily hackable and limited user authentication, which would allow anyone to add user accounts. The number of vulnerabilities found in new IoT devices is constantly growing and therefore requires an equal emphasis on ensuring medical devices are managed and secured on a controlled network.
Some may pose the question, “Does it matter what wireless network you use if both provide network connectivity?” The short answer is, “Yes.” The guest Wi-Fi is a public Wi-Fi that allows any wireless device to connect with little network monitoring. The minimal security layers may open the door for hackers and provide easy access to other connected devices. It is because of this potential risk that hospitals or corporations typically use a private network. A private network is a trusted network that goes the extra step to decrease unnecessary connections, increase security and speed, and provide a scalable network. It also gives network administration the ability to segregate devices into Virtual Local Area Networks (VLANs) and implement vulnerability management for all devices on the network. The separation allows the overall network to be protected if one system or device is exposed to cyber-attacks. A private network also will typically have additional layers of firewalls and/or Access Control Lists (ACLs) to control the network traffic between devices/systems. The end goal is to limit the outside connections and/or subnets, advance with caution and apply the highest security measures possible to ensure data protection. Developing a list of allowable Internet Protocol (IP) addresses and ports/protocols, and implementing a vulnerability management system, are some of the important steps toward proper cybersecurity hygiene.
Now, you may still be saying, “If my phone was hacked using the guest Wi-Fi, it wouldn’t be that big a deal. I just have Lord of the Rings pictures from when I went to New Zealand.” What some do not realize is that the methods ransomware uses to infect computers/systems can come in several forms. The majority of Internet-connected devices have the potential for vulnerabilities, and hackers can potentially use a phone or computer as the gateway to other systems.
In addition, network cyber-attacks are becoming more prevalent in medical workplaces due to the increased connections required to develop the “oh, so beautiful” and necessary network infrastructure. Interoperability is important for medical staff, since it provides products that make it easy and reliable to manage records, diagnose patients and monitor results. An example is one of the most popular networked medical devices in a hospital, the hospital infusion pump. The National Institute of Standards and Technology (NIST) published information about the potential cybersecurity risks for facilities that have infusion pumps. The publications expanded on the systems’ cybersecurity vulnerabilities which, if attacked, could lead to access to patient data, manipulation of equipment functions, compromise of the SSID password (allowing lateral movement through the network) and modification of doses.
Although patches have been developed to remediate many of the vulnerabilities, if facilities are not diligent in ensuring the systems are protected, the results may directly impact patient safety and have the potential to expose patient data. It is increasingly important to make sure that remediation of vulnerabilities and monitoring of networked devices are ongoing to ensure the safety of our patients and their confidentiality. Firewalls, Access Control Lists (ACLs), user authentication, elevated privileges and encryption are a few areas of focus that will help secure your network. The likelihood of a cyber-attack happening at a company or hospital is only growing, and the only way to keep hackers away is by securing your wireless networks.
The health care field has an important job when protecting medical devices, which starts with controlling the use of the public network to ensure maximum cybersecurity. The first step is securing the guest Wi-Fi and limiting a guest’s temporary Internet access. Ideally, the guest Wi-Fi and hospital or company Wi-Fi are wholly different networks. Guests using the guest Wi-Fi in a hospital or company shouldn’t have access to the hospital’s private network. This separation can be achieved with firewall or ACL rulesets that block any unwanted traffic to the other networks, such as untrusted websites, apps and downloads.
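As an added illustration (not part of the original article), the allowlist of IPs, ports and protocols and the guest/private separation described above can be checked against observed traffic and DHCP leases with a short audit script. The subnets, server address, MAC addresses and device names are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple

# Constructed addressing for illustration; substitute your own subnets.
GUEST = ipaddress.ip_network("10.50.0.0/16")        # guest Wi-Fi
CLINICAL = ipaddress.ip_network("10.20.0.0/24")     # medical device VLAN
DEVICE_SERVER = ipaddress.ip_network("10.30.0.10/32")  # hypothetical server

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    port: int

# Allowlist entries: (source net, destination net, protocol, port).
# Default deny: a clinical flow that matches no entry is a finding.
ALLOW = [(CLINICAL, DEVICE_SERVER, "tcp", 443)]

def is_allowed(flow):
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    return any(src in s and dst in d and flow.proto == p and flow.port == n
               for s, d, p, n in ALLOW)

def audit_flows(flows):
    """Return (reason, flow) pairs for traffic that breaks segmentation."""
    findings = []
    for f in flows:
        src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        if src in GUEST and dst in CLINICAL:
            findings.append(("guest-to-clinical", f))
        elif src in CLINICAL and not is_allowed(f):
            findings.append(("not-on-allowlist", f))
    return findings

def devices_on_guest(leases, inventory):
    """Return inventoried medical devices holding a guest Wi-Fi lease."""
    return sorted(inventory[mac] for mac, ip in leases.items()
                  if mac in inventory and ipaddress.ip_address(ip) in GUEST)

# Constructed sample data.
FLOWS = [
    Flow("10.20.0.15", "10.30.0.10", "tcp", 443),    # permitted
    Flow("10.20.0.15", "203.0.113.7", "tcp", 8080),  # clinical to Internet
    Flow("10.50.3.9", "10.20.0.15", "tcp", 23),      # guest reaching a device
]
INVENTORY = {"00:00:5e:00:53:01": "ICU camera monitor"}
LEASES = {"00:00:5e:00:53:01": "10.50.7.22", "00:00:5e:00:53:02": "10.50.7.23"}

if __name__ == "__main__":
    for reason, flow in audit_flows(FLOWS):
        print(reason, flow)
    print(devices_on_guest(LEASES, INVENTORY))
```

Run against exported flow records and guest DHCP leases, the second check surfaces the situation from the opening scenario: an inventoried medical device connected to the guest Wi-Fi.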
In addition to enforcing authentication, the bandwidth can be controlled to ensure the Wi-Fi is used for the right purpose. Guests should only require approximately 25 Mbps to browse the Internet, use social media and send emails. As the number of networked devices and cyber threats increase and evolve, it is our job as HTM professionals to secure these devices to the best of our ability and to protect the patients and end users. While it is easier to connect networked devices to the guest Wi-Fi, that ease does not outweigh the security risks if the devices were compromised. Ensuring appropriate User Acceptance notices (splash pages) are posted, providing more staff training on guest Wi-Fi and putting other safeguards in place will help improve the security of the network.