By K. Richard Douglas
Standards for cybersecurity have been developed across many industries to standardize and create more efficient technologies, practices, connectivity and security.
This last element in standards has taken on a life of its own as more items in the home and workplace become connected to the Internet. The Internet of Things (IoT) has birthed a smorgasbord of devices that are designed to be more user-friendly through two-way communications, the capacity to monitor and the ability to perform remote diagnosis or troubleshooting.
This universe of connected devices is growing at a blistering rate and most of these devices are “unmanaged.” This presents many opportunities for cybercriminals. It also produces just as many challenges for those tasked with protecting consumers, patients, non-public and proprietary information.
The focus today is to develop technologies that will allow consumers, businesses and developers to connect to, and build, reliable and secure IoT ecosystems.
Concurrent with these ramped-up efforts to fortify an increasing number of devices that are vulnerable to hacking and cyberattack has been an increase in the sophistication and brazenness of attacks carried out by intruders and infiltrators.
During the second half of 2020, the Microsoft email accounts in the offices of 27 federal prosecutors were hacked. Some believe that the incursions were connected to the SolarWinds cyberespionage campaign.
Over this year and last, cybersecurity threats to all industries have increased significantly, and the threat to health care continues to escalate. In the interest of providing the most current information on the topic, cybersecurity thought leaders share their insights here.
In particular, ransomware attacks have had a devastating impact on businesses, municipalities and health care organizations. The consumer has not been spared from the impact of these attacks on business. In May, a ransomware attack on Colonial Pipeline caused a panic on the East Coast as drivers flooded gas stations before pumps ran dry.
Ransomware attacks on SolarWinds, Microsoft, JBS, the Republican National Committee and Kaseya caused varying degrees of response.
While Kaseya claims not to have paid out any ransom for a decryption key, Colonial Pipeline was not so lucky.
In the health care setting, a number of threat-surface concerns arise from the mishmash of consumer devices brought into the health care space, including voice assistants, electric vehicles, security systems and vending machines. HVAC controls are another vulnerability.
Beyond the growing number of devices communicating with the network, there is the concern of legacy operating systems that receive no support or updates. This was once a problem with most ATMs; it is true today of many IoT devices and of nearly a fifth of medical devices.
If the pneumatic tube systems in hospitals are vulnerable, then what else is? Yes, even those systems that transport blood, medication, urine samples or tissue could be hijacked.
The big wakeup call came in 2017 for the health care sector with the WannaCry ransomware attack in the United Kingdom. In September of 2020, the death of a 78-year-old patient in Germany was attributed to a ransomware attack that prevented her transport to the closest hospital.
An alert posted by the National Cyber Awareness System in October of 2020 warned, in part, of “an increased and imminent cybercrime threat to U.S. hospitals and health care providers.”
The U.S. Food and Drug Administration’s (FDA’s) Center for Devices and Radiological Health (CDRH) published the discussion paper “Strengthening Cybersecurity Practices Associated with Servicing of Medical Devices: Challenges and Opportunities” to seek input from stakeholders. Cybersecurity has given HTM professionals many areas of focus that didn’t exist even five years ago. One focus is mitigating risks. There are many stakeholders in this effort, including IT, compliance and biomed. Patching and updates have never been more important, for example. This means being aware of risks in order to stay ahead of them with updates.
There are devices that use out-of-date operating systems that are no longer supported by manufacturers. Old, out-of-date, unpatched devices can be the Achilles heel of a system. What do you do with legacy devices that can no longer be patched? This needs to be another focus for HTM.
Segmentation is a necessity. This may be the last resort with these devices if replacement isn’t in the cards.
A straight line has to be drawn between the effort to harden the system against cyberthreats and patient safety. An awareness of every device in the inventory that may present a vulnerability, along with its status and location, is instrumental in the HTM professional’s ability to keep one step ahead of the bad guys.
For this reason, it is beneficial for HTM departments to include specialists who spend most of their time focused on cybersecurity efforts.
Knowing every device that is on the network is important and often surprising. Often, evaluation tools are required.
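The legacy-device question above is concrete enough to script. The following is an added example, not code from the article or from any vendor it quotes: it walks a CMMS-style inventory, flags devices whose operating system is past vendor end of support, and checks whether each such device already sits on an isolated segment. The inventory rows, VLAN names and end-of-support dates are all constructed for the example (the dates are assumptions; confirm real ones against the vendor's lifecycle pages).

```python
"""Added example (not from the article): flag inventory devices whose OS has
passed vendor end of support and check whether each has been placed on an
isolated segment, the last-resort control for devices that cannot be patched.
All inventory rows, support dates and VLAN names are constructed."""
from datetime import date

# Constructed end-of-support dates. Assumed for the example only; confirm the
# real dates against the vendor's lifecycle page before relying on them.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
    "Embedded Linux 4.x": None,  # None = vendor still ships updates (assumed)
}

# VLANs that the (assumed) network policy isolates from user and Internet segments.
ISOLATED_VLANS = {"legacy-iso", "imaging-iso"}

# Constructed CMMS extract: one row per networked device.
INVENTORY = [
    {"tag": "INF-0101", "type": "infusion pump",    "os": "Embedded Linux 4.x", "vlan": "clinical"},
    {"tag": "CT-0003",  "type": "CT scanner",       "os": "Windows 7",          "vlan": "imaging-iso"},
    {"tag": "US-0042",  "type": "ultrasound cart",  "os": "Windows XP",         "vlan": "clinical"},
    {"tag": "WS-0208",  "type": "PACS workstation", "os": "Windows 10",         "vlan": "clinical"},
    {"tag": "TM-0017",  "type": "telemetry server", "os": "Proprietary RTOS",   "vlan": "clinical"},
]

# Date of the review run; constructed so the result is reproducible.
REVIEW_DATE = date(2021, 9, 1)


def support_status(os_name, today):
    """Return 'unsupported', 'supported' or 'unknown' (OS not in the table)."""
    if os_name not in END_OF_SUPPORT:
        return "unknown"
    eos = END_OF_SUPPORT[os_name]
    return "unsupported" if eos is not None and eos < today else "supported"


def assess(inventory, today):
    """Return (priority, tag, action) findings, highest priority first.

    priority 1: unsupported OS on a shared segment -> isolate or replace now
    priority 2: unsupported OS already isolated     -> plan replacement
    priority 3: OS not in the support table         -> confirm vendor support
    Supported devices produce no finding.
    """
    findings = []
    for dev in inventory:
        status = support_status(dev["os"], today)
        isolated = dev["vlan"] in ISOLATED_VLANS
        if status == "unsupported" and not isolated:
            findings.append((1, dev["tag"], "unsupported OS on shared segment: isolate or replace"))
        elif status == "unsupported":
            findings.append((2, dev["tag"], "unsupported OS, isolated: plan replacement"))
        elif status == "unknown":
            findings.append((3, dev["tag"], "OS not in support table: confirm vendor support"))
    return sorted(findings)


if __name__ == "__main__":
    for priority, tag, action in assess(INVENTORY, REVIEW_DATE):
        print(f"P{priority} {tag}: {action}")
```

The priority ordering encodes the article's point: an unpatchable device that is still on a shared clinical segment is the first thing to fix, an isolated one is a planning item, and a device whose support status nobody has recorded is a gap in the inventory itself.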
HTM’s Role Apart from IT
One limitation in monitoring and detecting unusual activity in medical devices has been the methods employed.
“If you are looking for threats, I would say it is malicious network traffic. This is very difficult to spot, especially in health care. Standard IT devices communicate in TCP/IP and DICOM. Medical devices and OT technology have their own protocols so traditional security tools can’t understand IoMT device communications,” says Ty Greenhalgh, HCISPP, senior account executive, OT security with Nuvolo, headquartered in Paramus, New Jersey.
He says that the problem with traditional methods is that they can’t shut down the communication because it could impact patient care.
“New medical device security monitoring tools can perform deep packet inspection on the network communication of these devices and identify anomalous behavior,” Greenhalgh says.
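Even without parsing a proprietary payload, the behaviour Greenhalgh describes can be detected at the flow level, because a pump or modality talks to a small, fixed set of peers. The block below is an added example, not code from the article or from Nuvolo: it learns a per-device baseline of (destination, port, protocol) from a quiet period and then reports any flow that departs from it, distinguishing new internal peers from external destinations. The flow records and address ranges are constructed for the example.

```python
"""Added example (not from the article or any vendor): baseline-and-deviation
check on medical device flow records. Flows and address ranges are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed hospital-internal ranges; anything else is treated as external.
INTERNAL_NETS = [ip_network("10.20.0.0/16"), ip_network("10.30.0.0/16")]

# Constructed flow records in the shape a monitoring export might use:
# (timestamp, source device, destination, destination port, protocol)
BASELINE_FLOWS = [
    ("2021-08-01T08:00:00", "10.20.1.15", "10.30.5.10", 8080, "tcp"),  # pump -> pump server
    ("2021-08-01T08:05:00", "10.20.1.15", "10.30.5.11", 53, "udp"),    # pump -> DNS
    ("2021-08-01T09:00:00", "10.20.2.40", "10.30.7.20", 104, "tcp"),   # CT -> PACS (DICOM port)
    ("2021-08-01T09:10:00", "10.20.2.40", "10.30.5.11", 53, "udp"),    # CT -> DNS
]
NEW_FLOWS = [
    ("2021-08-02T08:00:00", "10.20.1.15", "10.30.5.10", 8080, "tcp"),  # matches baseline
    ("2021-08-02T08:02:00", "10.20.1.15", "10.20.2.40", 445, "tcp"),   # pump -> CT on SMB: new peer
    ("2021-08-02T09:30:00", "10.20.2.40", "203.0.113.7", 443, "tcp"),  # CT -> outside the hospital
    ("2021-08-02T09:31:00", "10.20.2.40", "10.30.7.20", 104, "tcp"),   # matches baseline
]


def build_baseline(flows):
    """Map each source device to the set of (dst, port, proto) tuples it used."""
    baseline = defaultdict(set)
    for _, src, dst, port, proto in flows:
        baseline[src].add((dst, port, proto))
    return baseline


def is_internal(addr):
    """True if the address falls inside one of the assumed internal ranges."""
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def find_deviations(baseline, flows):
    """Return (ts, src, dst, port, reason) for every flow absent from the baseline."""
    alerts = []
    for ts, src, dst, port, proto in flows:
        if src not in baseline:
            alerts.append((ts, src, dst, port, "device has no baseline"))
        elif (dst, port, proto) not in baseline[src]:
            reason = "new internal peer/port" if is_internal(dst) else "new external destination"
            alerts.append((ts, src, dst, port, reason))
    return alerts


if __name__ == "__main__":
    for alert in find_deviations(build_baseline(BASELINE_FLOWS), NEW_FLOWS):
        print(alert)
```

As the text notes, the output is for review rather than automatic blocking: the baseline should be learned from a known-good period and cross-checked against the device's documented communications (the MDS2 form mentioned later in the article) before anyone acts on an alert.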
There are technical and business risks involved in keeping devices available to clinicians and a cyberthreat can knock devices out of use. It is important that HTM has contingency plans in place when a cyberattack takes place.
“From the HTM perspective, I broadly consider two actions to promote medical device cybersecurity,” says Dennis Fridrich, vice president of information security, compliance and disaster recovery at TRIMEDX.
“The first takes into account planning, training and communication needs. It’s critical to have business continuity and disaster recovery plans in place to make sure certain devices can be restored to the environment of care quickly and with the correct configurations. Equally important is making sure HTM team members are well trained and aware of their responsibilities in case of a cyber event,” he says.
Fridrich says that, lastly, consider creating a direct line from the HTM team to the CIO/CISO to streamline communication and avoid preventable missteps.
“The second action is to ensure understanding of the medical device technology that’s in use. The HTM team members are the medical device experts, and technicians should familiarize themselves with device configurations and capabilities published on manufacturers’ MDS2 forms. Keeping devices properly configured and patched helps mitigate future cyber risk,” he says.
As mentioned earlier, knowledge of every connected device and its location is essential.
“Denial of service and/or compromising the integrity of the device should be a top concern for HTM professionals,” Greenhalgh says.
He says that if security is penetrated, ultimately it is the patient’s safety and outcome that is paramount.
“While it sounds rudimentary, establishing and maintaining a complete and accurate inventory of all connected and non-connected devices is a baseline for addressing cyberthreats. You can’t detect, protect or respond to attacks on devices you don’t know you have,” Greenhalgh adds.
Beyond an up-to-date list of every connected device in inventory, it is also important for HTM to coordinate with IT to fully visualize the threat surface.
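The inventory point made here and earlier ("often surprising") comes down to comparing two lists: what the CMMS says exists and what is actually answering on the wire. The following is an added example, not code from the article or any of the companies quoted: it parses constructed `arp -a`-style output, matches hardware addresses against a constructed inventory extract, and reports devices on the network that nobody has recorded as well as recorded devices that were not seen.

```python
"""Added example (not from the article): reconcile observed hosts against the
CMMS inventory. The ARP output and inventory rows are constructed."""
import re

# Constructed output in the style of `arp -a` on Linux. The <incomplete> entry
# is an address that was probed but never answered and must be skipped.
ARP_OUTPUT = """\
? (10.20.1.15) at 00:1a:2b:3c:4d:5e [ether] on eth1
? (10.20.1.16) at 00:1a:2b:3c:4d:5f [ether] on eth1
? (10.20.2.40) at 08:00:27:aa:bb:cc [ether] on eth1
? (10.20.2.41) at <incomplete> on eth1
? (10.20.3.9) at DC:A6:32:01:02:03 [ether] on eth1
"""

# Constructed CMMS extract: asset tag, device type, recorded hardware address.
INVENTORY = [
    {"tag": "INF-0101",  "type": "infusion pump", "mac": "00:1a:2b:3c:4d:5e"},
    {"tag": "INF-0102",  "type": "infusion pump", "mac": "00:1a:2b:3c:4d:5f"},
    {"tag": "CT-0003",   "type": "CT scanner",    "mac": "08:00:27:aa:bb:cc"},
    {"tag": "VENT-0200", "type": "ventilator",    "mac": "00:1a:2b:3c:4d:77"},  # not seen today
]

# IPv4 address in parentheses followed by a six-octet MAC; case-insensitive so
# upper- and lower-case hex both match.
ARP_RE = re.compile(r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at (?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)


def parse_arp(text):
    """Return {mac (lower-case): ip} for every complete ARP entry."""
    seen = {}
    for line in text.splitlines():
        match = ARP_RE.search(line)
        if match:
            seen[match.group("mac").lower()] = match.group("ip")
    return seen


def reconcile(seen, inventory):
    """Split into (unknown hosts {mac: ip}, inventory tags not observed)."""
    recorded = {dev["mac"].lower(): dev for dev in inventory}
    unknown = {mac: ip for mac, ip in seen.items() if mac not in recorded}
    missing = [dev["tag"] for mac, dev in recorded.items() if mac not in seen]
    return unknown, missing


if __name__ == "__main__":
    unknown, missing = reconcile(parse_arp(ARP_OUTPUT), INVENTORY)
    for mac, ip in unknown.items():
        print(f"on network but not in inventory: {ip} ({mac})")
    for tag in missing:
        print(f"in inventory but not seen: {tag}")
```

A single ARP snapshot only covers one segment at one moment, so in practice the "seen" side would be built from DHCP leases, switch MAC tables or a discovery tool over days; a device in the "missing" list may simply be powered off, which is why the two lists are reported separately rather than merged.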
“HTM is often siloed and operates as its own ecosystem to the point of operating outside of IT and enterprise security policies and standards,” says Frank Black, CISA, CISM, CISSP, principal consultant with Clearwater Compliance in Nashville, Tennessee.
He says that often HIT devices are violating enterprise standards and are not on the radar of enterprise cybersecurity risk management.
“Communication between HTM owners, IT and IT security is the single most important first step in identifying the organizational risk that HTM devices bring. In concert with communication, HIT devices must be included in the enterprise risk analysis to identify and mitigate the risks associated with these devices to an acceptable level,” Black adds.
He also points out that the move to the cloud presents unique challenges (as well as benefits) and requires a different security mindset than the traditional “hosted on site” mindset.
In July, Black wrote a post titled “The Paradigm Shift from ‘If’ to ‘When’: Ransomware Prevention and Mitigation Strategies for Your Healthcare Organization” for Clearwater Compliance’s blog. The post was replete with facts, stats and tips for hardening the health care environment.
Black points out that employee education is key because every employee potentially accesses the Internet and can be a vector for an incursion.
In the post, he says that “Spam and phishing emails lead the top of the list as a successful attack pathway, opening the door to some 67 percent of successful attacks followed by: lack of security training: 36 percent, weak passwords: 30 percent, poor user practices: 25 percent and malicious websites: 16 percent.”
In addition to knowing what devices are on the network and the location of those devices, Black also points out that it is important to know where sensitive data is and where it flows and who has access to it.
“It’s also more than just knowing where the data lives. You also have to look at transmission and data at rest. Where does the data go as it moves from one application to another? Is it shared with a third-party vendor? Where is it and how is it handled there?”
With regards to that data, Black says, “You must know where your sensitive data is in order to provide reasonable and appropriate data protection. Maps of sensitive data flows should include all of its paths, entry and exit points, and storage locations. Include security devices and applications such as firewalls, routers, IDS/IPS. Update the map whenever you add a new data flow or you change a security feature.”
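A data flow map kept as structured data can be checked mechanically each time it changes, which is what the last sentence above asks for. The block below is an added example, not code from the article or from Clearwater Compliance: it records flows hop by hop, names the security devices on each path and the protection of each storage location, and then checks that every hop is documented, that PHI moves over an encrypted transport, that any flow leaving the organization passes a security device, and that PHI stores are encrypted at rest. All systems, flows and controls are constructed for the example.

```python
"""Added example (not from the article or any vendor): a machine-checkable
sensitive data flow map. Nodes, flows and controls are constructed."""

# Node catalogue. kind is 'app', 'store', 'control' (firewall, IDS, proxy) or
# 'external' (a third party outside the organization's boundary).
NODES = {
    "emr":           {"kind": "app"},
    "ct-0003":       {"kind": "app"},
    "pacs":          {"kind": "store", "at_rest": "encrypted"},
    "claims-db":     {"kind": "store", "at_rest": "plaintext"},
    "edge-fw":       {"kind": "control", "type": "firewall"},
    "ids":           {"kind": "control", "type": "ids"},
    "clearinghouse": {"kind": "external"},
}

# Each flow: what data it carries, the ordered path of nodes it crosses, and
# the transport used between hops.
FLOWS = [
    {"name": "CT images to PACS", "data": "PHI",
     "path": ["ct-0003", "pacs"], "transport": "TLS"},
    {"name": "claims to clearinghouse", "data": "PHI",
     "path": ["emr", "claims-db", "edge-fw", "clearinghouse"], "transport": "TLS"},
    {"name": "nightly claims export", "data": "PHI",
     "path": ["claims-db", "clearinghouse"], "transport": "FTP"},
]

ENCRYPTED_TRANSPORTS = {"TLS", "SFTP", "IPsec"}


def check_flow(flow, nodes):
    """Return a list of finding strings for one flow (empty when it passes)."""
    findings = []
    for hop in flow["path"]:
        if hop not in nodes:
            findings.append(f"{flow['name']}: undocumented node '{hop}'")
    known = [hop for hop in flow["path"] if hop in nodes]
    sensitive = flow["data"] == "PHI"

    if sensitive and flow["transport"] not in ENCRYPTED_TRANSPORTS:
        findings.append(f"{flow['name']}: PHI over unencrypted transport {flow['transport']}")

    crosses_boundary = any(nodes[h]["kind"] == "external" for h in known)
    passes_control = any(nodes[h]["kind"] == "control" for h in known)
    if crosses_boundary and not passes_control:
        findings.append(f"{flow['name']}: leaves the organization without passing a security device")

    if sensitive:
        for hop in known:
            if nodes[hop]["kind"] == "store" and nodes[hop].get("at_rest") != "encrypted":
                findings.append(f"{flow['name']}: PHI stored unencrypted in '{hop}'")
    return findings


def check_map(flows, nodes):
    """Run check_flow over the whole map and concatenate the findings."""
    findings = []
    for flow in flows:
        findings.extend(check_flow(flow, nodes))
    return findings


if __name__ == "__main__":
    for finding in check_map(FLOWS, NODES):
        print(finding)
```

Running the checker on the constructed map reports nothing for the imaging flow, the plaintext claims database for the second flow, and three findings for the nightly export (FTP, no security device on the path, and the same plaintext store); the point is that the map, not a person's memory, is what gets re-checked after every change.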
New Considerations Birthed by the Pandemic
While cyberattacks increased in 2020, the pandemic had already instigated changes to health care delivery, which included more reliance on technology, including consulting with patients remotely.
“COVID required the relaxation of certain regulations which allowed telehealth. This has created a larger attack surface with components that did not necessarily undergo traditional cybersecurity scrutiny,” Greenhalgh says.
He says that it seems that the bad actors out there are capitalizing on the COVID-19 pandemic as an opportunity to attack these vulnerabilities while health care is in a state of emergency.
“Ransomware attacks are increasing. The health care sector leads all other industries in ransomware attacks and breaches. There does not appear to be any slowdown in these attacks. HDOs may consider going back and performing more thorough risk assessments on the devices and components that have been recently added to support telehealth,” Greenhalgh says.
Fridrich says that a number of new cybersecurity considerations have resulted from the pandemic.
“The use of personal devices that do not meet commercial security standards is on the rise. While these are necessary for telehealth, since they don’t always meet security requirements, they’re more susceptible to adware, spyware and phishing attacks,” he says.
He says that cybercriminals have also begun to target applications as an entryway for device hacking, raising concerns over application security within hospitals.
“Health care providers should encourage telehealth patients to update to the latest versions of the application and operating system software to be as secure as possible,” Fridrich says.
Beyond patient communications, the changes brought by the pandemic also affected health care workers.
“Bad actors, especially in the ransomware area, have been taking advantage of the changes in health care operations brought by the pandemic. We have seen the shift to a remote workforce and an increase in telemedicine create a more complex security problem and the furloughs/lay-offs of IT and IT security personnel contribute exponentially to that challenge,” Black says.
HTM departments can address this escalating threat to business operations and patient safety by engaging in as many training opportunities as they can. Besides the services provided by vendors who specialize in cybersecurity, many of those same companies offer blog articles and webinars on securing the health care environment. The TechNation Webinar Wednesday series also provides insights into this complex topic from time to time. Find out more at WebinarWednesday.live.
HTM professionals also have a variety of professional certifications they can earn that will prepare them for a more specialized role on their teams as network and cybersecurity specialists.
When the government warns that the threat is increasing, HTM must respond with knowledge and action.