
Cybersecurity continues to be a worldwide concern, especially in health care. Attacks continue to ramp up, and at least one report predicts an increase in “big game” targets in the future. Health care facilities are major targets for a variety of reasons, one of which is the volume of patient information medical facilities hold that can be sold on the dark web. Criminals also profit via ransomware attacks on hospitals and health care systems.
TechNation magazine reached out to several cybersecurity firms and experts for information and advice. Participants in this month’s Roundtable article include Nuvolo OT Security Executive Ty Greenhalgh, HCISPP; Accruent Vice President of Healthcare Strategy Al Gresch; Cynerio Cybersecurity Evangelist Chad Holmes; Medigate Co-Founder and CEO Jonathan Langer; CyberMDX Chief Technology Officer Motti Sorani; and Cylera Chief Security Strategist Richard Staynings.
Q: What are the basics HTM professionals need to know regarding cybersecurity?
Greenhalgh: Historically, medical devices have not been designed with network security in mind. Therefore, they are at best like open doors and windows allowing easy access to patient data on the network, and at worst vulnerable to device manipulation which could impact patient outcomes. Due to unique engineering and the criticality of a clinical environment, the cybersecurity of medical devices cannot be managed using the same approach and tools used for traditional information technology. This, combined with the volume of network-connected devices, the limited bandwidth of HTM and the cyber inexperience of most HTM personnel, requires health delivery organizations (HDOs) to implement new interdepartmental processes that are efficient, effective and scalable. This will require change and growth, which is always painful.
Gresch: First is to get tight with your IT security team if you haven’t already. Working hand-in-hand with them, you can develop a very comprehensive vulnerability management plan. You will need to capture all pertinent security information in your CMMS for all networked devices, such as operating system, software version, IP and MAC addresses, any known vulnerabilities, and whether those risks are either remediated or have been deemed a low enough risk to be acceptable.
Holmes: The recent increase in health care cyber attacks is driven by two things − greed and opportunity. Hacking collectives are well organized, financially driven businesses searching for the most profitable victims. Health care environments are often flatter, less protected and easier to breach than other industries. HTM professionals should follow the lead of other industries, both in security practices and collaborative style, which has resulted in better defenses and fewer successful attacks.
Langer: While it is not simple, the basics of cybersecurity can be distilled into three main categories − people, processes and technology. No single factor can solve the challenges; rather it is the combination of extraordinary people who work with effective processes and use exceptional technology that helps keep the hospital safe and operational. For an HTM professional, it is helpful to realize that the devices they work with were not designed with security in mind and they can quickly become a source of breach to the hospital if they are not managed carefully and correctly. The HTM professionals can and should ally themselves with their security team!
Sorani: Health care is one of the most targeted sectors for cyber-attacks. While many hospitals now have dedicated security teams accountable for mitigating and remediating risk, the responsibility for cybersecurity extends to nearly everyone on the staff. HTM professionals are front and center – they are responsible for the medical device life cycle, including pre-purchase assessments, procurement, the onboarding process, ongoing risk management, maintenance and decommission. Throughout this life cycle, proper cybersecurity protocols should be applied and executed to protect health care organizations from the patient care and safety issues, data security incidents, financial loss and reputational impact that result from ransomware or other cyber-attacks.
Staynings: Cybersecurity is everyone’s concern, and everyone’s responsibility, just as patient safety should be. However, medical and other health care IoT devices are often highly vulnerable to cyberattack. Yet HTMs are not currently trained to look at devices for indicators of compromise or to understand how these may introduce patient safety risks. With focused security awareness training HTM professionals can be the first line of defense, yet with current training many are unprepared.
Q: What is the first thing a health care facility (HTM department) should do when a cyberattack happens?
Greenhalgh: Assuming the organization has already mobilized the cybersecurity response team and identified the type of attack, the breach needs to be contained. The team should promptly disconnect the affected network or devices from the Internet, disable all remote access and change passwords. Completely denying the attackers access to your system is critical. Given the unique nature of health care, it is not always plausible to simply unplug and disconnect. New asset discovery and security tools can assist in detecting security events and providing a more focused remediation like zero trust architecture or quarantining.
Gresch: First and foremost, you should ensure you have a plan in place before a cyberattack happens. The quicker you can identify and isolate a compromised device or group of devices, the more you can limit the impact. Then work with your IT security team and your vendor to begin remediation efforts that should already be outlined in your incident response plan.
Holmes: In an ideal world health care facilities would have printed copies of a well-defined incident response (IR) plan to follow during an attack. If that sounds aspirational, find time today to begin the process of creating one. More practically, patient safety must always be the top concern. Organization leadership should focus efforts on ensuring devices remain operational and highly monitored by caregivers, while IT and related staff work to identify, isolate and eventually eliminate the attack.
Langer: First, the hospital is always under attack and the bad guys only need to be right once to cause problems! When/if a breach does occur, the goal is containment and remediation as fast as possible. Most organizations will run “table-top” exercises to prepare for these events, and HTM should be involved in them. So, when/if the breach occurs, HTM can refer to their training, bring out the playbook and execute it. If the HTM team notices anomalous behaviors or issues with their devices, they should sound the alarm immediately to initiate the containment and remediation process.
Sorani: The HTM department’s involvement in cyberattacks should start before an attack even happens, by ingesting their expertise into the response plans. This includes providing the knowledge and answers to questions such as:
- When a certain kind of medical device is being attacked, what’s the potential impact to patient safety or care delivery?
- Can we safely disconnect a device to contain a cyberattack? What will be the implications?
- What devices are impacted if, say, a vendor cloud service is under attack?
Ideally these answers are ready to be used upon an incident, yet assuming not every scenario is covered, in case of a cyberattack, an HTM professional should be available to provide the answers and take part in the containment process.
Staynings: First of all, don’t panic! Health care workers should fall back upon the training they have received in security incident response, disaster recovery and business continuity planning. All staff should receive this training and participate in tabletop exercises annually while all managers and above, including the CEO, should participate in quarterly exercises. Regularly updated runbooks will be critical so staff know the what, when, how and who should be engaged in response to any cyberattack. Providers that do not invest in adequate planning and preparation for security incidents are asking for trouble and may not be in business after a devastating attack. Patient safety, morbidity and mortality may also be negatively impacted if a provider has not made adequate preparations including staff training.
Q: Can you tell us about one technology, product or service biomeds can use to help protect a facility?
Greenhalgh: There is a common axiom in cybersecurity: “You can’t protect what you can’t see.” Visibility is crucial. Security orchestration and automated response (SOAR) can create a single source of truth for all medical devices, integrate the cyber vulnerabilities for each device and automate the remediation within the normal operations of an HTM department. This technology increases the value of the existing CMMS through data enrichment, integrates cybersecurity maintenance work orders with step-by-step instructions for remediation and automates processes like onboarding, risk management, manufacturer inquiry, security event notification, combined PM and security work orders, etc. Having an accurate inventory with device-level detail on vulnerabilities with remediation practices and an automated workflow is a systematic approach for operationalizing cybersecurity for medical devices.
Gresch: There are a vast number of network monitoring solutions available that will establish normal network operating profiles for the networked devices in your inventory. Once a breach is identified, getting a notification through an interface to your CMMS can quickly put you on a path to remediation. Unfortunately, less than half of U.S. hospitals employ such technology today.
Holmes: Cynerio’s IoT security platform provides a wealth of information to better protect the thousands of devices in a typical hospital environment. From identifying dormant attacks waiting to be activated to generating automated rules that greatly reduce risk, Cynerio helps guide biomeds, clinical engineers, IT, network and many other team members on a clear risk reduction path.
Langer: The Medigate platform allows HTM to maintain an accurate device inventory by comparing the CMMS to the devices transmitting on the network. With a consistently updated database, they can better manage known vulnerabilities and patch the most critical devices, reducing the overall attack surface.
Sorani: Biomeds can enhance the facility’s cybersecurity by leveraging a solution that provides a layered approach to cybersecurity, protecting each individual device and driving remediation and mitigation directly on your medical and IoT assets as well as the broader network. A solution like this should offer a prioritized list of the devices most at risk, then allow security teams to apply actions to remediate or mitigate the associated risks and enable IT to authorize and manage traffic to and from the devices using allow-list or blocklist policies.
Staynings: The complexity and number of biomedical devices in hospitals has massively increased over the past decade, yet most providers have at best an inaccurate count of connected devices and little to no understanding of the risks each device and device type may introduce to the health care network, to HIT systems and to patient safety. This is why it is critical to implement tools to manage the wide array of connected unmanaged assets, and especially those claimed to be managed by vendors. This is so risks can be accurately assessed, remediated by patching/reconfiguration where possible, or segmented where no immediate remediation is possible. This needs to be intelligent and automated unless hospitals are prepared to hire hundreds of additional BMETs and other staff.
Q: When it comes to older equipment, what steps can be taken to prevent cybersecurity issues?
Greenhalgh: “Legacy” technologies are those devices, IT systems, programs and applications, and other technologies present in health care environments that cannot be reasonably protected against current cybersecurity threats. Many legacy devices may present risks that cannot be sufficiently mitigated (e.g., patched or otherwise updated) to address cybersecurity threats, as current best practices recommend. Others contain insufficient, poor or no security controls. They may have contained state-of-the-art security controls at the time they were deployed but, because of the long lifetimes of health care technologies, are now faced with unanticipated threats against which they cannot defend. HDOs should develop a security lifecycle plan (SLP) to include: 1) Identifying devices 2) Tracking and managing inventory 3) Planning device replacement 4) Establishing risk remediation processes 5) Planning risk mitigation strategies at each life cycle phase.
Gresch: Understand what the vulnerabilities are and whether the risks can be mitigated or minimized through configuration or patches. Incorporate cybersecurity risk assessments into your capital equipment replacement planning process and work toward replacing the devices that represent the greatest risk. I think there is enough recent evidence of the immense cost of cyberattacks to health care systems as to make this a much higher priority than it has been in the past.
Holmes: In many cases cybersecurity issues in older equipment can’t be fully remediated for one simple reason: old equipment includes dozens of old components that are no longer supported by manufacturers. That said, reducing and preventing cybersecurity issues often doesn’t require full remediation. Implementing mitigating controls will typically provide an incredibly high level of security at a greatly reduced effort. At Cynerio, we’ve found great success in implementing mitigations with network segmentation, an approach that reduces both the likelihood and impact of attacks.
Langer: Knowing what devices are connecting to the network is always the first step to address cybersecurity issues. Often these older devices will be phased out, or in process of retirement, but will remain on the network. When a device that is listed as “retired” in the CMMS is still being used, that is a problem and should be immediately rectified. The key to solving this is accurate and active device data, so you can see if that “retired” device is still being used and act accordingly.
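The reconciliation Gresch and Langer describe (a CMMS holding OS, version, IP, MAC and vulnerability status for every networked device, compared against what is actually transmitting on the wire, with “retired” devices that are still active flagged for action) can be expressed as a small script. The following is an added example, not code from the article or from any vendor’s product. The CMMS records, discovered devices, addresses and vulnerability labels are all constructed sample data; a real run would consume a CMMS export and the output of a passive network-discovery tool.

```python
"""Reconcile a CMMS inventory against devices observed on the network.

Added example, not code from the article or from any vendor product.
All records below are constructed sample data standing in for a CMMS
export and the output of a passive network-discovery tool.
"""
from dataclasses import dataclass, field


@dataclass
class CmmsRecord:
    asset_id: str
    description: str
    mac: str
    ip: str
    os: str
    sw_version: str
    status: str                                      # "active" or "retired"
    known_vulns: list = field(default_factory=list)  # placeholder labels, not real CVEs
    remediated: bool = False
    risk_accepted: bool = False                      # documented acceptance of residual risk


@dataclass
class ObservedDevice:
    mac: str
    ip: str
    last_seen: str


def normalize_mac(mac: str) -> str:
    """Discovery tools and CMMS exports rarely agree on MAC formatting."""
    return mac.lower().replace("-", ":")


def reconcile(cmms, observed):
    """Return the discrepancies an HTM team should turn into work orders."""
    by_mac = {normalize_mac(r.mac): r for r in cmms}
    seen = {normalize_mac(d.mac): d for d in observed}
    findings = {
        "unknown_on_network": [],    # transmitting but not in the CMMS at all
        "retired_but_active": [],    # marked retired yet still on the wire
        "ip_mismatch": [],           # CMMS address is stale
        "open_vulnerabilities": [],  # known issue, neither fixed nor formally accepted
        "absent_from_network": [],   # active in CMMS but never seen (stale record or offline)
    }
    for mac, dev in seen.items():
        rec = by_mac.get(mac)
        if rec is None:
            findings["unknown_on_network"].append(dev.mac)
            continue
        if rec.status == "retired":
            findings["retired_but_active"].append(rec.asset_id)
        if rec.ip != dev.ip:
            findings["ip_mismatch"].append((rec.asset_id, rec.ip, dev.ip))
        if rec.known_vulns and not (rec.remediated or rec.risk_accepted):
            findings["open_vulnerabilities"].append((rec.asset_id, list(rec.known_vulns)))
    for mac, rec in by_mac.items():
        if mac not in seen and rec.status == "active":
            findings["absent_from_network"].append(rec.asset_id)
    return findings


# Constructed sample data (assumed asset IDs, addresses, versions and timestamps).
SAMPLE_CMMS = [
    CmmsRecord("A-1001", "Infusion pump", "00:11:22:33:44:01", "10.20.1.11",
               "Embedded Linux", "3.2.1", "active", ["VULN-A"]),
    CmmsRecord("A-1002", "Patient monitor", "00:11:22:33:44:02", "10.20.1.12",
               "Windows Embedded", "7.0.4", "active"),
    CmmsRecord("A-1003", "Ultrasound", "00:11:22:33:44:03", "10.20.1.13",
               "Windows XP Embedded", "1.9", "retired"),
    CmmsRecord("A-1004", "Ventilator", "00:11:22:33:44:04", "10.20.1.14",
               "Embedded Linux", "5.1.0", "active", ["VULN-B"], risk_accepted=True),
]
SAMPLE_OBSERVED = [
    ObservedDevice("00:11:22:33:44:01", "10.20.1.11", "2022-03-01T08:00"),
    ObservedDevice("00-11-22-33-44-02", "10.20.1.22", "2022-03-01T08:05"),  # moved IP
    ObservedDevice("00:11:22:33:44:03", "10.20.1.13", "2022-03-01T08:07"),  # "retired"
    ObservedDevice("AA:BB:CC:DD:EE:FF", "10.20.1.99", "2022-03-01T08:09"),  # nobody knows
]

if __name__ == "__main__":
    for kind, items in reconcile(SAMPLE_CMMS, SAMPLE_OBSERVED).items():
        print(f"{kind}: {items}")
```

Each finding maps to a different owner: an unknown MAC goes to network engineering, a retired-but-active asset and a stale IP go back to HTM to correct the CMMS or pull the device, and an open vulnerability with neither a remediation nor a documented risk acceptance is exactly the gap Gresch says the CMMS should never be allowed to hide. Keying on MAC rather than IP matters because DHCP moves addresses while the device stays the same.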
Sorani: Knowing whether older devices carry protected health information (PHI) and understanding what level of criticality the devices have with regards to patient safety and continuing care is essential to preventing cybersecurity issues. Biomedical teams should take a systematic approach to patching older devices with the help of the vendors. New vulnerabilities are being discovered daily and medical devices must be monitored and updated constantly. Having protocols in place and good relationships with vendors to help with patching is an important building block in any cybersecurity framework.
Staynings: Older equipment should be patched, and if vendors are not providing timely patches to security vulnerabilities in their devices within the expected, agreed, or a reasonable lifetime of a system, then that vendor should be struck from the approved vendor list for all future procurement. Where risks cannot be remediated, compensating security controls such as micro-segmentation should be implemented to safely allow the continued use of devices or systems without introducing risks to patients or the health care network. End of life systems should be retired, scrubbed of PHI and their components recycled.
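Sorani’s allow-list or blocklist traffic policies and the segmentation that Holmes and Staynings recommend as a compensating control for unpatchable devices come down to the same question: for a given device class, which conversations are legitimate, and does the policy deny everything else or only what someone already thought of? The script below is an added example, not code from the article or from any vendor’s product. It evaluates constructed flow records against a per-class allow-list (default deny) and, for contrast, a blocklist (default allow); the subnets, server addresses and flows are all assumptions, not a real hospital layout.

```python
"""Evaluate device network flows against segmentation policy.

Added example, not code from the article or from any vendor product.
Segment ranges, servers and flow records are constructed assumptions.
"""
import ipaddress
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    dst_net: ipaddress.IPv4Network
    proto: str
    port: Optional[int]          # None means any port


class Flow(NamedTuple):
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    port: int


# Assumed segment layout: each device class lives in its own VLAN/subnet.
DEVICE_CLASS_BY_NET = {
    ipaddress.ip_network("10.20.1.0/24"): "infusion_pump",
    ipaddress.ip_network("10.20.2.0/24"): "imaging",
}

# Allow-list (default deny): the only conversations each class needs.
ALLOWLIST = {
    "infusion_pump": [
        Rule(ipaddress.ip_network("10.50.0.10/32"), "tcp", 443),  # assumed drug-library server
        Rule(ipaddress.ip_network("10.50.0.53/32"), "udp", 53),   # assumed internal DNS
    ],
    "imaging": [
        Rule(ipaddress.ip_network("10.60.0.0/24"), "tcp", 104),   # assumed PACS segment, DICOM
        Rule(ipaddress.ip_network("10.50.0.53/32"), "udp", 53),
    ],
}

# Blocklist (default allow): only stops what someone already thought of.
BLOCKLIST = [Rule(ipaddress.ip_network("0.0.0.0/0"), "tcp", 445)]   # SMB from any device


def parse_flows(text: str):
    """Parse 'src,dst,proto,dst_port' lines, skipping comments and blanks."""
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, proto, port = (f.strip() for f in line.split(","))
        flows.append(Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          proto.lower(), int(port)))
    return flows


def classify(ip):
    for net, cls in DEVICE_CLASS_BY_NET.items():
        if ip in net:
            return cls
    return None


def matches(rule: Rule, flow: Flow) -> bool:
    return (flow.dst in rule.dst_net and flow.proto == rule.proto
            and (rule.port is None or rule.port == flow.port))


def violations(flows, mode="allowlist"):
    """Flows from managed device segments that the chosen policy would drop."""
    out = []
    for flow in flows:
        cls = classify(flow.src)
        if cls is None:
            continue                      # not a device segment we police here
        if mode == "allowlist":
            permitted = any(matches(r, flow) for r in ALLOWLIST[cls])
        elif mode == "blocklist":
            permitted = not any(matches(r, flow) for r in BLOCKLIST)
        else:
            raise ValueError(f"unknown mode {mode!r}")
        if not permitted:
            out.append((cls, flow))
    return out


# Constructed flow records, as a flow collector or span-port sensor might export them.
SAMPLE_FLOWS = """
10.20.1.11,10.50.0.10,tcp,443    # pump to its server: fine
10.20.1.11,10.50.0.53,udp,53     # pump DNS lookup: fine
10.20.1.12,10.20.1.11,tcp,445    # pump to pump over SMB: lateral movement pattern
10.20.1.12,203.0.113.7,tcp,443   # pump to the Internet: exfiltration or C2 pattern
10.20.2.5,10.60.0.20,tcp,104     # imaging to PACS over DICOM: fine
10.20.2.5,10.60.0.20,tcp,22      # imaging to PACS over SSH: not in its job description
10.30.0.4,10.20.1.11,tcp,80      # from an unmanaged segment: out of scope here
"""

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for mode in ("allowlist", "blocklist"):
        print(mode, [(c, str(f.src), str(f.dst), f.port) for c, f in violations(flows, mode)])
```

Run against the same flows, the allow-list catches three problems (pump-to-pump SMB, a pump talking to the Internet, and an imaging device using SSH toward PACS) while the blocklist catches only the SMB flow it was told about. That gap is why micro-segmentation of legacy devices is built on allow-lists: an unpatchable device’s legitimate traffic is small and stable enough to enumerate, and everything outside it is by definition suspect. The same rules, once validated this way against observed flows, are what get pushed into the switch ACLs or firewall policy that actually enforces the segment.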
Q: How important is collaboration between a facility’s different departments when it comes to cybersecurity?
Greenhalgh: Building on the concept of a security lifecycle plan (SLP), organizations need to integrate the operations of various stakeholders and departments into a streamlined process that provides accountability for the various stages along the life cycle. The integration should improve communications, cyber effectiveness and business mission efficiencies. E.g., data gathered during the device procurement and security evaluation is consolidated into the CMMS where risk assessment will drive security maintenance work orders within the same workflow as preventative maintenance work orders. These security work orders can then be assigned to HTM, IT or a service organization based on the complexity, control required, manufacturer, contract restrictions, device location, etc.
Gresch: Extremely important. Even in the company I now work for, there is mandatory cybersecurity training, so we all understand the risks and the things each of us needs to do to keep our systems safe. A fair number of vulnerabilities are created by staff doing things they shouldn’t be doing.
Holmes: Collaboration is critical, but needs to happen in a coordinated, efficient manner. It’s unlikely that IT professionals will ever become caregivers, so we can’t expect the caregivers to become cybersecurity professionals. Instead, one or two core teams (often IT security and networking) must provide clear, concise guidance in a productive and respectful way. This will help build a dynamic that is both productive and successful for years to come.
Langer: Cybersecurity is everyone’s responsibility, so HTM should contribute their unique skill sets to the overall organization’s plan to secure the hospital. The collaboration is vital, as each stakeholder will bring a different level of input and expertise to the table. I would argue that HTM professionals should work to insert themselves in the security working groups if they are not there already!
Sorani: Cybersecurity in health care is a collaborative effort across the HTM, security, compliance and IT teams with the support and understanding of management. Even if your direct title isn’t “cybersecurity professional” you still play a major role in the process. IT, security and biomed teams must work together to ensure that the right devices are purchased, that they are onboarded correctly, patched in a timely manner when needed and ultimately that proper cybersecurity practices are followed during the lifetime of the device. Cybersecurity teams can establish all the guidelines they want, but without the participation of the other actors within the hospital they will be fighting an uphill battle.
Staynings: Collaboration between all parts of the health delivery system is vital when it comes to effective cybersecurity. Cross-departmental working groups should be established so that when a security incident occurs, communication channels are well known and practiced, and staff are not left wondering who to contact and where responsibilities lie.
Q: What else do you think TechNation readers need to know about cybersecurity?
Greenhalgh: The need to protect the devices from cybersecurity events is increasing. CMS is considering the addition of a cybersecurity review of connected medical devices to their accreditation through expanded interpretive guidelines. But with the right tools and process redesign, HTM can be the front line in remediation of the vulnerabilities without being overwhelmed. New technologies are identifying the devices and operationalizing a step-by-step instruction set to apply the right control to the right device to reduce risk and increase compliance. The more complex IT related controls can be routed to network engineering, but the vast majority can be addressed by HTM and integrated into their daily operations and reporting.
Gresch: This is not an issue that is ever going to go away. The number of cyberattacks in health care has increased exponentially since the start of the pandemic. As most of us in health care were focused on getting the equipment and space allocations that were needed to take care of COVID-19 patients, the bad actors were very busy upping their game relative to the level of sophistication of attacks. There is enough money to be made in this realm where RaaS (Ransomware as a Service) is now an actual thing.
Holmes: The increase in ransomware and other attacks on health care providers is not accidental, nor is it as widespread in other industries. Attackers have found a target-rich environment motivated by failures that result in loss of lives, not just loss of dollars. Luckily, it’s not all doom and gloom. The root causes of many attacks are becoming more well known, and practical technologies like Cynerio that help prevent and react to attacks are readily available.
Langer: Ultimately, every hospital must be consistently right in its battle to remain secure, while the bad guys need to be right only once. The pressure to remain vigilant and protect the hospital is intense, and the security teams will usually welcome all the help they can get.
Sorani: To excel in cybersecurity, an organization needs to create a security-minded culture, that starts with the core values − quality care delivery, patient safety and patient data privacy. When security is connected to these values in a meaningful way, and everyone understands the connection, that’s the foundation on which you can grow the security-minded culture. Once the connection between security and these values is established, it is much easier to build the awareness to the issue, and have the employees consider themselves enablers of the security effort, rather than just consumers.
Staynings: Cybersecurity threats are growing at an exponential rate. Between 2019 and 2020, ransomware attacks rose by 62 percent worldwide, and by 158 percent in North America alone, according to SonicWall’s 2021 report. The FBI received nearly 2,500 ransomware complaints in 2020, up about 20 percent from 2019, according to the FBI’s annual Internet Crime Report. Cybersecurity should not be an afterthought or considered a cost center or price of doing business. Done right, cybersecurity enables new business and clinical services. It helps to drive revenue and customer/patient satisfaction. It enables new risky technologies that drive improvements to patient outcomes and reduce morbidity and mortality. Good cybersecurity is in everyone’s best interests.