By Steven Hughes, Department of Veterans Affairs

Editor’s Note: This is part two of a two-part cybersecurity column. Last month’s column is available at 1TechNation.com.
In October 2018, the FDA supported the development of the MITRE Corporation’s Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook. The playbook describes the types of readiness activities that will enable health delivery organizations (HDOs) to be better prepared for a cybersecurity incident involving their medical devices, and it gives product developers more opportunity to address the potential for large-scale, multi-patient impacts that may raise patient safety concerns. In the case of an event, one should follow their Medical Device Cybersecurity Incident Response (MDCIR) standard operating procedure (SOP), which should have the following four main steps: Identification, Containment, Eradication and finally Recovery of the medical device or system.
IDENTIFICATION
Identifying what happened and verifying that an incident occurred requires many steps. When first responding to an incident, two things should be top of mind: reporting the incident through properly defined chains of communication (both internally and externally), including “out of band” communication in case email, phones, etc. are not available, and containment to prevent patient harm. When a medical device cybersecurity incident is identified as an adverse event, suspicious activity, compromise, or loss of functionality, the device must be removed from providing patient care services as soon as possible. Everyone’s role in an incident must also be carried out efficiently and quickly to provide a rapid response to a cybersecurity event. A rapid response can prevent the spread of malicious code or viruses to other devices on your hospital network as well as the loss of Protected Health Information (PHI). This should be done in the first 24 hours of an incident. During the identification process, staff should document medical device information for all affected devices, including: number of host(s) affected; system function; OS(s); vendor; model #; IP address; host name; anti-virus version; virus/malware name; suspected cause of infection; and activity detected on the infected device (scanning, communications, etc.) pertaining to the incident.
CONTAINMENT
Before dealing with an incident, researching the malware, gathering information on its threat vectors and propagation methods, and reviewing the network segmentation in place all assist in root cause analysis of the incident as well as in planning mitigating measures. The Cybersecurity & Infrastructure Security Agency (CISA) and Medical Device Manufacturer (MDM) websites are a great place to start to help in the identification and mitigation of an incident. Staff will need to identify steps to assess the impacted device and provide an Incident Recovery Plan to restore the affected medical devices back to a secure operational state. Staff need to communicate clearly with clinical staff, hospital administration and any key stakeholders, regularly update them with this information, and document their plan of action and timeline.
The first action of healthcare technology management (HTM) staff is to remove an infected medical device from the hospital network as soon as possible (without directly impacting patient safety – this must be a coordinated effort between HTM and the clinical staff and may involve weigh-in from the medical center director and C-suite). Consulting with all stakeholders so as not to interrupt patient care, and accepting risk if there is continued use of a compromised medical device, is important. This accepted risk should be documented with a plan of action to remove the device from the network when it is safe to do so.
When there is no direct impact to patient care, the HTM staff should remove the infected medical device or system from the hospital network by physically removing the device’s connection, disabling any wireless connections, putting a restriction in the router configuration to prevent network traffic, or any other method deemed suitable for isolating all network traffic to and from the medical device. If further investigation is needed, the system should not be powered down and no remediation tools should be run on it, as either could destroy evidence needed for root cause analysis. HTM staff will also contact the MDM to inform them of the incident and ask for assistance in the coordinated recovery of the medical device to a secure operational state. Ensure that no other devices on your network are also affected through continuous monitoring of network traffic and the running of antivirus scans to identify whether any infection remains.
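As an added example (not from the column), two of the checks above written as code: confirming that an isolated device is truly off the network, and spotting the scanning activity the identification record should capture. It assumes a simple one-flow-per-line log format and uses constructed sample flows and a hypothetical device address.

```python
"""Containment verification over network flow logs.
Assumed log format (not from the column), one flow per line:
'<timestamp> <src_ip> <dst_ip> <dst_port> <proto>'."""
from collections import defaultdict

# Constructed sample flows. 10.20.5.17 is a hypothetical quarantined
# medical device; 10.20.5.88 and 10.20.5.60 are ordinary hosts.
SAMPLE_FLOWS = """\
2024-03-01T10:00:01 10.20.5.17 10.20.5.40 445 tcp
2024-03-01T10:00:02 10.20.5.17 10.20.5.41 445 tcp
2024-03-01T10:00:02 10.20.5.17 10.20.5.42 445 tcp
2024-03-01T10:00:03 10.20.5.17 10.20.5.43 445 tcp
2024-03-01T10:00:05 10.20.5.88 10.20.5.40 80 tcp
2024-03-01T10:00:06 10.20.5.60 10.20.5.17 443 tcp
"""


def parse_flows(text):
    """Parse the assumed flow format into dicts, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        ts, src, dst, dport, proto = parts
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto})
    return flows


def quarantine_violations(flows, quarantined):
    """Any flow to or from a device that should be isolated is a containment gap."""
    return [f for f in flows if f["src"] in quarantined or f["dst"] in quarantined]


def scanning_hosts(flows, min_targets=3):
    """Map (src, port) -> number of distinct hosts reached, for sources that
    touched at least min_targets hosts on one port (scan-like behaviour)."""
    targets = defaultdict(set)
    for f in flows:
        targets[(f["src"], f["dport"])].add(f["dst"])
    return {key: len(hosts) for key, hosts in targets.items()
            if len(hosts) >= min_targets}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for f in quarantine_violations(flows, {"10.20.5.17"}):
        print("containment gap:", f["ts"], f["src"], "->", f["dst"], f["dport"])
    print("scan-like sources:", scanning_hosts(flows))
```

Run it against the isolated device’s address after containment: any returned flow means the isolation step did not fully take effect.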
ERADICATION
The HTM staff shall work with the MDM to eradicate malware and restore the medical device back to MDM specifications – this may involve an entire reimage, hardware replacement or even full replacement of the medical device depending on the severity. HTM staff will also have to ensure the passwords for any local users of the affected device are changed, in case the malware had key-logging capabilities. Before placing the device back on the network, HTM staff will also ensure all the latest patches and updates have been applied (system OS updates, antivirus updates, Java, Adobe, Office, etc.) and that the device is configured to operate the same as before the incident. If storage media is replaced, be sure all data, configurations and settings can be safely retrieved before following proper sanitization and disposal processes.
RECOVERY
The final role is to confirm that the incident is resolved, that all information (if possible) has been fully restored from backups, and that the medical device system has been fully restored to its condition before the event happened. This also allows for a review of your backup and disaster recovery procedures, which should be tested and verified on a routine basis and automated if possible. Ensure you also have several offsite backups in case your onsite backups do get compromised. If possible, create “snapshot” images of your critical systems to allow for quicker recovery. Make sure that some of the devices containing your backups are not permanently connected to your network, because advanced attackers generally will target connected backup devices and solutions first to make recovery more difficult. If you are using a cloud service for your backup and recovery – Disaster Recovery as a Service (DRaaS) – ensure that your provider protects previous versions of the backup from being immediately deleted and allows you to restore to them as part of your agreement.
It is recommended that, prior to introducing the medical device back into service, you ensure no further malware infection remains. Ensure that backups are connected to known clean medical devices before starting the recovery process. Before restoring, it is also recommended that the device be connected to a known “clean network” for testing and monitoring in a “sandbox” to prevent and monitor any further infection. Once this is done, verify with clinical staff that the system is operating properly. Your disaster recovery process should also be tested along with your annual tabletop exercise following your established MDCIR procedures, so staff are familiar with the processes and the time needed to restore, configure and rebuild virtual and physical environments, know what to do if backups are unusable, and can enact your contingency plans so everyone knows how to continue operating critical services if systems don’t come back online. These should be practiced on a regular basis, akin to a modern-day fire drill.
Notifying authorities and regulatory bodies about a security breach of your organization is a key step in responding to a cyber-attack. Please be sure to follow your organization’s guidelines for proper communication and transparency about the breach, especially if PHI is involved, and follow the HHS HIPAA Breach Notification requirements. The U.S. Secret Service provides guidance for how and where to report a cyber incident at Preparing for a Cyber Incident. Likewise, CISA has a new website concerning ransomware that is a great resource as well, at stopransomware.gov.
LESSONS LEARNED
At the close of an incident, a final report should be made to all stakeholders and reporting agencies and used for review, education and improvement. Continuous improvement is important in the maturation of any MDCIR and helps to prepare for the next unknown incident, as does documenting and adapting lessons learned not only from inside your organization but also from incidents that have affected other organizations. Organizations must, at a minimum, review contingency and data recovery plans annually to make sure they are up to date and can be utilized during and after an incident. If you do experience an incident, please share your experience with others so they may learn and benefit from your best practices and lessons learned.
At the time of this writing, CISA released Cybersecurity Incident & Vulnerability Response Playbooks that are a great reference for incident and vulnerability response.
Steven Hughes is a VISN 21 Biomedical Engineer with the VA Sierra Pacific Healthcare System at U.S. Department of Veterans Affairs.
