Cybersecurity, 3D printing and artificial intelligence continue to be buzz words throughout the healthcare technology management world. Cybersecurity is an especially hot topic among biomeds and clinical engineers as more and more hackers seem to be focusing their crosshairs on the health care industry.
In an effort to keep readers informed about the latest cybersecurity trends, TechNation invited industry experts to chime in. The experts share what to be wary of in 2020 as well as valuable tips and insights into this ever-evolving segment of the HTM world.
Participating in the roundtable article on cybersecurity are Medigate CEO Jonathan Langer, Cynerio CEO and Founder Leon Lerman, CyberMDX Vice President of Business Development Safi Oranski, MedStar Health Director of Health Technology Security Inhel Rekik and Nuvolo Director of Product Management Andrew Sweet.
Q: What is some basic information HTM professionals need to know regarding cybersecurity?
REKIK: Information security needs to be embedded in HTM processes as more and more medical devices are now connected. HTM needs to know what wormable vulnerability, exploit and threat means in order to perform a risk assessment of the security vulnerability and assess likelihood of it being exploited within their environment. They need to be able to read an ICS-CERT security advisory, assess the criticality of the vulnerability and understand the recommended mitigation.
LANGER: Effective cybersecurity of health care’s dramatically expanding IoT landscape requires a modernized, more coordinated approach that includes asset tracking, maintenance and management. Although forward-thinking HTM leaders now recognize that professionals in IT/IS security, biomed, clinical engineering and even supply chain management (SCM) must converge to effectively address the risk, the cross-functional collaborations required to resolve the problem remains hit/miss. In addition to IT/IS security leadership, biomed, clinical engineering and SCM leaders must be stakeholders in the solution investigations/buy decisions now being made. Beyond IT/IS security professionals, not only are HTM professionals the ones who buy, maintain and manage IoT devices, but also, some of the highest value emerging use-cases are directly relevant to their workflows.
LERMAN: No device is risk free, especially network-connected devices. And in a hospital environment, medical devices are the weakest link: they are not designed with security in mind, have extensive life cycles and often cannot afford any downtime. Collaboration is key – no hospital IT organization has the same access to clinical assets that HTM professionals do, and so it is important for those teams to work together, along with InfoSec and the medical device security engineer (MDSE), if one is already in place.
Oranski: One of the biggest challenges in establishing a cybersecurity strategy is gaining visibility into the devices in a hospital’s ecosystem – both managed and unmanaged. Medical devices, IoMT and IoT assets are more ubiquitous than ever before and HTM professionals must help institute a cultural shift within their organizations whereby HTM, IT, IS and the C-level all work together in staff-wide cybersecurity awareness initiatives. Silos amongst these departments must be broken down in order to understand asset inventory. What devices are connected to the network? What does the attack surface look like? What are the risks associated with each device?
SWEET: A lot of hospitals are looking for that “magic pill” that will solve all their cybersecurity risks, but they need to understand that cybersecurity for medical devices is a people, process and technology problem and solutions must address each area. People and processes need to be aligned to coordinate procurement, security assessment, secure deployment, vulnerability management and secure disposal of the equipment. Technology must provide a single repository of all device security risks, controls and control procedures as well as risk scoring, correlation of risks across the fleet and prioritization and organization of the risk remediation work.
Q: What are the latest developments in cybersecurity?
Rekik: The latest development in medical device security has been the revision of the FDA premarket guidance. Medical device manufacturers are now required to provide the Software Bill of Materials (SBOM) which is the list of third-party software included in the medical device in machine readable format. HTM needs to determine how they can incorporate this information in their vulnerability management program. The MDS2 had a makeover and has now 349 lines to include details about cybersecurity updates, SBOM and remote services. However, the biggest development of all was the fact that the FDA started issuing recalls of medical devices due to security vulnerabilities. In addition, the FDA and DHS have released their first joint vulnerability disclosure which was about URGENT/11 vulnerabilities.
LANGER: The ability to passively “sniff” network traffic to fingerprint the originating/transmitting IoT devices and, via integrations, parse/send the relevant, collected data to the appropriate tools/workflows of all the aforementioned professionals, is not a nice improvement to existing tools. By combining a real time, dynamic and fully attributed IoT inventory capability (e.g. continuously collected MAC, IP address, serial numbers, firmware details including OS versions, application versions, etc.) with each device/system’s respective mission profile (i.e. authorized use cases, connections, etc.) and then, via integrations, send those contextualized data to firewalls, NAC and SEIM, long-standing gaps in the current ecosystem toolsets have been finally bridged.
LERMAN: Any answer to this question will be not be current by the time this article is published. New vulnerabilities are published daily. Ransomware is old news, but as relevant as ever (a recent study shows correlation between ransomware and data breaches and an uptick in fatal heart attacks). Awareness is growing around the inherent risk in network-connected health care IoT, however those devices are a blind spot for traditional security solutions.
Oranski: Some of the main trends we see include:
At CyberMDX we see in the field that these trends are sparking new approaches to cybersecurity. Best-in-class health care delivery organizations are deploying specialized security solutions built for the unique workflows and business requirements of hospitals. Generic IoT security solutions are no longer sufficient in dealing with the growing threats that hospitals face.
SWEET: Progressive health delivery organizations (HDOs) are implementing unified governance, risk management and compliance programs that leverage new assessment technologies to build security profiles for devices that ensure they are securely deployed, as well as security monitoring to ensure they can respond as new threats are found.
Q: What are some measures biomeds can use to enhance a facility’s cybersecurity measures?
REKIK: Biomed can incorporate security into the life cycle management of medical devices. They can document OS and network attributes of their connected medical devices and make sure that this data is always accurate. They can also partner with information security to stay up to date with current threats and vulnerabilities. They can mitigate security vulnerabilities on medical devices by installing the security update or implementing compensating controls if the medical device manufacturer hasn’t released the fix yet.
LANGER: As stated, biomed’s involvement is critical, as its professionals are directly responsible for the maintenance and management of connected devices. Often, that includes patching for newly published vulnerabilities which requires the ability to immediately correlate any threat to potentially affected devices. Risk takes many forms. Biomed’s increasing involvement in both mitigation and remediation is inevitable. Modern solutions provide the required visibility. IT/IS security will increasingly depend on biomeds as front-line actors to any practicable solution.
LERMAN: We mentioned collaboration already. Champion the endorsement of a health care IoT security solution that can integrate with your asset management and workflows, provide deep visibility and up-to-date inventory of networked clinical assets, and perform an ongoing risk assessment on each and every device. Such a system can ensure you stay up to date and are aware of new patches, vulnerabilities and recalls, and know when your devices “misbehave.”
Oranski: Have a solution that will allow you to check that your medical devices are patched. Also, engage IT/IS teams to make sure:
SWEET: The foundation of securing operational technology (OT) devices – like medical devices and building systems – is having an accurate inventory, complete with what devices are on the network, their IP addresses, their operating systems, patch versions, etc. If you don’t know what you have and where it is, you can’t secure it. Biomeds should also validate these configuration items when performing an initial inspection or PM on a device. Keep in mind that networked devices are not the only devices at risk. Any device that stores or transmits patient data poses a risk, and if it’s mobile – like a portable ultrasound – it should be identified in your CMMS as such, and the biomed department needs to make sure ePHI is not stored on the device or that it is encrypted and/or tethered to a cart, so it can’t easily walk out of the facility.
Q: When it comes to older equipment, what steps can be taken to prevent cybersecurity issues?
REKIK: We need to start at the procurement level since the development life cycle of a medical device is typically five years, it often means that by the time it’s being placed in the market, it’s already outdated. HTM can control this issue by making sure that medical devices with the most up to date OS are being purchased as well as negotiating an upgrade up front. They can plan for the capital replacement of equipment without OS support and collaborate with IT security to identify the appropriate compensating controls for these devices which can include isolation and network segmentation.
LANGER: As mentioned above, “patching” for cybersecurity purposes represents more than having the visibility required to quickly act on a threat. Obviously, the proactive mitigation of risk requires a multi-dimensional view of the entire landscape. For example, while access to utilization metrics is clearly valuable information for SCM professionals, for biomed, it enables far more intelligent, proactive preventive maintenance scheduling. Biomed has been given the responsibility of device maintenance. Soon, they will have true responsibility for device management.
LERMAN: Keeping up to date with vendor and FDA security advisories is important, but not always easy. Moreover – when a device is affected by known vulnerabilities, or runs unsupported software, more often than not there is no patch available or even a clear upgrade path. Implementing network policies is the only viable method to effectively mitigate the risk, by reducing the attack surface by 99%. A health care IoT security solution such as the one mentioned above can make all of that feasible.
Oranski: Have a credible system that can help you track and manage the life cycle of all devices. This includes devices that have FDA recalls on them and end of life cycle devices. Use a technology solution that monitors device analytics to determine asset usage. Retire old equipment that usually has a higher risk. Look for devices with low usability and high risk – these are the first ones to be replaced.
SWEET: Older devices present real challenges due to unsupported software components. Technologies that allow for the analysis and generation of a detailed SBOM are essential to profiling these risks to prioritize device modernization plans. External mitigating controls like network micro-segmentation are also effective at mitigating risks that cannot be addressed due to manufacturer updates no longer being available.
Q: What training/education do clinicians need to prevent cybersecurity attacks?
REKIK: It has been published by multiple studies that user behavior represents a large percentage of threats HDOs face. It’s paramount that clinicians are given tailored training in addition to the training provided to all hospital staff. It’s not enough that they do not click on the phishing link, they need to be trained on specific security practices such as making sure that they change default credentials and not plug USBs into medical devices without scanning them for malware.
LANGER: Not just more details surrounding the number and frequency of successful attacks; or, more generalities about potential financial and reputation risks; and not just the facts surrounding the FDA’s changed guidance or the Joint Commission’s latest edicts; or, how failure to comply is going to result in reimbursement penalties. Clinicians must understand the risks from a patient safety perspective. On a daily basis, clinicians are working with patient-connected devices that are designed to be controlled remotely. That point needs to be communicated more effectively – with real world examples of how easily these devices can be compromised.
LERMAN: Awareness training for clinicians should cover the risks posed to network connected devices, from your smartphone and laptop to – yes – an IV pump. Understanding that targeted attacks are real, and that at the same time your assets are just as likely to be infected by malware because someone browsed to the wrong website from a tablet in another ward. Use secure passwords and do not write them on post-it notes or share with others. Know how to identify phishing emails, suspicious links and avoid browsing the Internet from medical workstations.
Oranski: The growing number of instances of attacks underlines the importance of regularly training staff in basic cybersecurity awareness. All it takes is one click on a phishing email link to open the entire health care network to attack. We recommend 2 to 3 staff-wide trainings sessions a year around cybersecurity in order to keep clinical engineers abreast of current threats and protection practices. Another important aspect is to include cyber hygiene and device-specific dos and don’ts into staff-wide medical device SOP training. We also have seen some of our customers engage in staff-wide training to educate all stakeholders on the cybersecurity technology deployed.
SWEET: Most hospitals should have a cybersecurity education program for their clinicians that explains why it’s important for devices that store or transmit ePHI to be password protected and/or encrypted and thus should go through a proper on-boarding process before they’re put into use. They also need to be educated about accessing the network from a medical device, like through Internet Explorer, to limit risk exposure. For HTM departments, organizations like AAMI have excellent cybersecurity guides and training. There also are a lot of good online networking and security training courses. The best training is the most practical. HTM departments need to look to these guides and then work with your security team to learn, hands-on, about best practices.
Q: What else do you think TechNation readers need to know about cybersecurity?
REKIK: Medical device manufacturers face major challenges when it comes to securing medical devices. They need to comply with multiple different regulations when designing medical devices they want to sell in different countries. In addition, HDOs deploy different practices when securing medical devices which can add significant delay to the development life cycle since manufacturers need to test for every scenario. It’s important that medical device manufacturers and HDOs work together in order for the medical device security field to advance.
LANGER: The current IoT cybersecurity solution market, especially in health care, is white hot. The proliferation of EMRs and ever-fragmenting models of care delivery will continue to drive the market. As a result, risk capital has poured into the space and start-up companies that address the problem are abundant. Because these vendors share an exceptionally strong business case, their sales narratives are often strikingly similar. This has made it difficult for health system solution evaluators to structure effective competitive trials. Among other reasons, this is why cross functional evaluation teams are essential, as the value propositions of potential vendors are more easily differentiated when a diverse set of stakeholders are doing the vetting. IoT cybersecurity cannot be treated as a “check the box” matter. It’s mission critical.
LERMAN: Your home laptop crashing due to malware is an inconvenience. A credit bureau experiencing a data breach can put you at risk of identity theft. A CT or LINAC emitting dangerous amounts of radiation because a workstation that controls them is overloaded by a cryptocurrency miner can result in a negative patient outcome. While cybersecurity is an ever-changing landscape, the inherent weaknesses of hospital networks are not going away anytime soon.
Oranski: That is a loaded question! Readers should understand that the landscape is changing rapidly and all health care delivery organizations must begin planning their cyber strategy in a prioritized, phased approach. Partner with vendors that are focused on the health care market and can help answer key questions such as:
SWEET: Cybersecurity is dauntingly complex, and many organizations and HDO staff find the jargon and acronyms bewildering. A world-class security practice is focused on multi-tiered and effective solutions. Build a trusted inventory, assess new models before purchasing, assess the most critical and most numerous existing models in your fleet, then implement a regimen of thoughtful and thorough practices to secure your devices. Cybersecurity is about best practices and securing your patient care is a journey, not a destination.
© 2020, TechNation Magazine. Site designed by MD Publishing, Inc.