By Steven Hughes, Department of Veterans Affairs
Editor’s Note: This is part one of a two-part cybersecurity column. Next month’s column will include an in-depth review of what should be included in an MDCIR.
Boom! A cyber incident has occurred. What do you do? In a sequence of events, “left of boom” is the set of events that occur in the timeline before the “boom,” the moment of breach when an attack succeeds, and “right of boom” is the set of events that follows. What a defender can know and do ahead of time to both prevent and predict when “boom” will happen is priceless. The right combination of tools, services and preparation can not only prevent an incident but also reduce its impact when one does happen and allow for a rapid response.
The health care sector has traditionally been trained how to prepare, plan for and respond to natural disasters. We have all experienced another kind of pivot during the COVID-19 pandemic.
The industry, however, is less prepared to handle cybersecurity incidents, particularly those involving medical devices. Recent global ransomware campaigns and cyberattacks have highlighted the need for more robust cybersecurity preparedness, executed as an effective, real-time response that enables seamless continuity of clinical operations.
Knowing what to do during a cybersecurity incident involving a medical device should be as practiced as responding to a fire drill, performing cardiopulmonary resuscitation (CPR) or advanced cardiac life support (ACLS). If all parties are trained to know their role and have the skills needed to perform their duties, these actions become second nature. To become familiar with the Medical Device Cybersecurity Incident Response (MDCIR), all staff involved should take part in an annual tabletop exercise that walks through every step of a proper incident response, with everyone’s roles and responsibilities clearly defined.
Many things contribute to the success of an MDCIR, the most important being the combined efforts and cooperation of many different groups. Some of the things we do on a regular basis that contribute to the “left of boom” are establishing continuous monitoring of medical device networks, updating medical device isolation rules and protocols, maintaining an accurate asset inventory, creating contingency plans, and automating threat prevention controls. Here is a list of things that should also be done at the medical-device level:
- Upgrading legacy medical devices from unsupported operating systems to ones that are current and receive frequent automatic updates. This applies not only to the base OS but also to firmware and software versions. Work with the medical device manufacturer (MDM) on an upgrade/replacement strategy.
- Applying security patches for known vulnerabilities and zero-day vulnerabilities, and ensuring routine patching is performed when approved by the MDM. This also includes security updates to third-party commercial off-the-shelf (COTS) software such as Adobe PDF readers, Java and web browsers, or their complete removal if they are not needed, with agreement from the MDM. Maintain and update an inventory of the software installed on each device.
- Implementing scanning stations for mobile media used in vendor servicing, and making sure they are powered on, plugged in and updated on a regular basis. Ensure vendors and staff are aware of the organization’s scanning policy, and disable USB ports until they are needed.
- Using multi-factor authentication (MFA) with non-mail-enabled accounts (NMEA) for medical device administration, removing default passwords, and updating or removing unused accounts and passwords per your organization’s account and password policy.
- Making sure antivirus software is installed and updated per MDM recommendations.
- Making a “known good” backup or image of each medical device (when possible) and ensuring disaster recovery procedures are in place as part of the incoming inspection process, before a medical device is used clinically.
- Verifying that network segmentation of medical devices is maintained and up to date, allowing only the minimum traffic required for proper operation, and that decommissioned devices and network segments are properly removed.
- Training staff on internal policies addressing cybersecurity and good “cyber hygiene” and on the handling of cybersecurity incidents, and reviewing the contingency plan with staff on an annual basis so they know what to do if the medical device is no longer operable.
- Reviewing and updating service contracts to make sure response hours, inventory and system information, and points of contact are current, and checking whether data recovery services are included or can be added as an option.
- Reviewing and documenting instructions for contacting contracted third-party service providers that host data and services, such as cloud computing and storage or commercial data centers, used by medical devices and their supporting systems.
- Conducting tabletop exercises of your MDCIR to ensure all stakeholders and employees become and remain familiar with the MDCIR plan, and that the communication channels, emergency processes and contingency plans stay current and are updated as needed.
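Two of the items above, maintaining an accurate asset inventory and keeping segmentation down to the minimum traffic a device needs, can be checked against what the network actually carries. The following is an added example, not code from the column or from the VA: it audits constructed flow records (in the key=value style a firewall or flow exporter might log) against a hypothetical inventory in which each device lists its status and the only peer network/port/protocol tuples it is permitted to use. It flags traffic outside a device’s allow-list, traffic from an IP that is not in the inventory, and any traffic involving a device marked decommissioned. Device names, addresses and allowed ports are illustrative assumptions.

```python
"""Audit medical-device segmentation against the asset inventory.

Added example (not the column's own code). The inventory, allow-lists and
flow records below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory: per device, its IP, lifecycle status and the minimum
# traffic it needs (destination network, destination port, protocol).
INVENTORY = {
    "INFUSION-01": {"ip": "10.20.1.10", "status": "active",
                    "allowed": [("10.20.100.0/24", 443, "tcp")]},   # pump server only
    "CT-01": {"ip": "10.20.2.20", "status": "active",
              "allowed": [("10.20.100.0/24", 104, "tcp"),            # DICOM to PACS
                          ("10.20.100.0/24", 443, "tcp")]},
    "MONITOR-07": {"ip": "10.20.3.30", "status": "decommissioned", "allowed": []},
}

# Constructed flow records, one per line, as a flow exporter might log them.
FLOWS = [
    "src=10.20.1.10 dst=10.20.100.5 dport=443 proto=tcp",   # pump to its server: expected
    "src=10.20.2.20 dst=10.20.100.7 dport=104 proto=tcp",   # CT to PACS: expected
    "src=10.20.2.20 dst=8.8.8.8 dport=53 proto=udp",        # CT resolving external DNS
    "src=10.20.1.10 dst=10.20.2.20 dport=445 proto=tcp",    # pump talking SMB to the CT
    "src=10.20.3.30 dst=10.20.100.5 dport=443 proto=tcp",   # decommissioned monitor still on the wire
    "src=10.20.1.99 dst=10.20.100.5 dport=443 proto=tcp",   # address nobody inventoried
]


@dataclass
class Finding:
    device: str   # inventory name, or the raw IP when the device is unknown
    reason: str
    flow: str     # the offending record, kept verbatim for the ticket


def parse_flow(line):
    """Turn 'k=v k=v ...' into a dict; dport becomes an int."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["dport"] = int(fields["dport"])
    return fields


def is_allowed(flow, rules):
    """True if the flow matches one of the device's (network, port, proto) tuples."""
    dst = ip_address(flow["dst"])
    return any(dst in ip_network(net) and flow["dport"] == port and flow["proto"] == proto
               for net, port, proto in rules)


def audit(flows, inventory):
    """Return one Finding per flow that violates inventory or segmentation policy."""
    by_ip = {dev["ip"]: (name, dev) for name, dev in inventory.items()}
    findings = []
    for line in flows:
        flow = parse_flow(line)
        # A decommissioned device on either end is a finding regardless of any allow-list:
        # it should have been removed from the network, not just from service.
        for side in ("src", "dst"):
            name, dev = by_ip.get(flow[side], (None, None))
            if dev is not None and dev["status"] == "decommissioned":
                findings.append(Finding(name, "decommissioned device still on the network", line))
        name, dev = by_ip.get(flow["src"], (None, None))
        if dev is None:
            findings.append(Finding(flow["src"], "source address not in asset inventory", line))
        elif dev["status"] == "active" and not is_allowed(flow, dev["allowed"]):
            findings.append(Finding(name, "traffic outside the device's allow-list", line))
    return findings


if __name__ == "__main__":
    for f in audit(FLOWS, INVENTORY):
        print(f"{f.device}: {f.reason}\n    {f.flow}")
```

Run against real exports, the same loop doubles as a “right of boom” triage aid: a device generating flows outside its allow-list is a candidate for isolation, and the verbatim record in each finding is the evidence to attach to the incident.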
Some of the things that are vital after an incident has occurred, to the “right of boom,” are intrusion detection systems (IDS); security operations center (SOC) analyst alerts, review and triage; incident verification and escalation to response; indicator of compromise (IOC) data collection and logging; containment (physical or network isolation) and eradication.
All these efforts, combined with continuous upkeep of the connected medical devices, help make everything more secure by providing “defense in depth” through multiple mitigations at different layers of the organization, and reduce the likelihood of future events. Having an MDCIR game plan for when “boom” happens also ensures proper preparedness to respond. Because in today’s world it is not a question of “if” you will experience a cybersecurity incident, but a matter of “when.”
Steven Hughes is a VISN 21 biomedical engineer at the Department of Veterans Affairs-Sierra Pacific Network.