Cybersecurity remains an important aspect of the work healthcare technology management (HTM) professionals perform. Ransomware attacks are just one way cyber criminals are targeting health care facilities around the world. TechNation invited experts from throughout the HTM landscape to contribute their knowledge and insights on this hot topic in this month’s roundtable article.
Participants in the article are Medigate Director of Business Development Thomas Finn, Accruent Vice President of Healthcare Strategy Al Gresch, Cynerio CEO and Co-Founder Leon Lerman, Asimily CEO Shankar Somasundaram, CyberMDX Chief Technology Officer Motti Sorani, Ordr Director of Healthcare Product Management Benjamin Stock and U.S. Department of Veterans Affairs Biomedical Engineer Connor Walsh, CISSP.
Q: What are the basics HTM professionals need to know regarding cybersecurity?
Finn: Improvements to the cybersecurity posture of any health care enterprise require HTM’s active involvement, especially in clinical settings. Good security provisioning cannot occur in traditional HIT vacuums. Front-line security-enlightened workflows must be executed in concert with back-room monitoring capabilities. Asset remediation and mitigation workflows, as well as maintenance and procurement operations, should be coordinated cross-functionally throughout asset life cycles. Getting staff together in times of emergency is not a sustainable practice.
Gresch: First, cybersecurity threats are here to stay, and as the number of connected devices increases every year, so will the opportunities for attacks. Our devices now are software driven, and all software contains certain vulnerabilities that provide hackers the opportunity to gain access into the device and the network the device is connected to. I am baffled by the number of HTM departments that still haven’t taken a stronger role in cyber risk assessment and mitigation. This is every bit as important as, perhaps even more so than, any of the other work we do to keep our patients and staff safe.
Lerman: The cybersecurity basics for every HTM professional should include keeping track of connected medical devices with outdated OS/firmware and which devices can be patched and updated. This means keeping a close eye on vendor-issued patches and device utilization patterns. HTM professionals must also foster close alignment with the IT/security team to pinpoint when cybersecurity procedures and maintenance can safely be administered on devices without affecting patient outcomes.
Somasundaram: There are a few basic things to know about cybersecurity.
Good cybersecurity is both a combination of the right practices to follow in your environment and technology. For example, if you are plugging in unscanned external drives into your devices, you might infect your device irrespective of how good your technology is. So, ensure you are following good cyber practices and processes, as well as adopting the right technology.
There is no magic bullet to cybersecurity. Everything makes your security posture better, so this is a continuous improvement process.
Cybersecurity will not change overnight. Educate your teams and your management that cybersecurity improvements will need investments and efforts over time to minimize the risk in the environment.
Sorani: The first thing to realize is that cybersecurity is not only a technical imperative, but also a business one. Poor cybersecurity has the potential to impact patient safety, data security and financial and reputational stability. It needs to be viewed as a major factor in each part of the medical device life cycle: from pre-purchase, to procurement, device onboarding process, ongoing risk management, maintenance, and device decommission – proper cybersecurity protocols need to be taken into account to protect medical institutions from both potential patient care issues as well as the financial implications of ransomware and other attacks.
Stock: Outside of basic knowledge of IT systems and hardware, a good understanding of networking, including the basics of NAC and firewall management, would be a great start. In addition, knowledge of risk management strategies, the NIST 800-53 security framework and CIS benchmarks will go a long way.
Walsh: The CIA triad is the foundation of all cybersecurity and its fundamental concepts should be understood by all HTM professionals. Applying these ideologies to all medical system procurement, installation and sustainment will ensure unnecessary risk is not introduced into medical facilities.
Q: What are the latest developments in cybersecurity?
Finn: Actionable levels of visibility and delivered automation are not only eliminating outdated manual routines but also driving workflow convergence across HIT and HTM. The resulting operational efficiencies have elevated the profile of HIT and HTM staff by strengthening their ROI missions to the enterprise. Specific new developments include:
- Automation of network policy baselines
- Automation of remediation instruction sets
- Identity-based scanning (“scanning orchestration”)
- Hybrid MSSP models
Gresch: The increase in the sophistication of hackers, who have mostly moved from individuals motivated by testing their own abilities to the level of terrorism and organized crime. These groups are more financially and politically driven. Not only can they more easily identify the pathways into the network and/or devices, but they have also figured out ways to thwart incident response and recovery efforts. This further increases their opportunity to hold a health care system hostage and extort money in the form of ransomware.
Lerman: As the need for medical device security has become clear, health care-specific cybersecurity technologies developed to ensure service continuity, data integrity and patient safety have broken into the market. Today, medical device and health care IoT cybersecurity is a growing market niche with technologies that evolve to meet the challenges posed by advances in medical devices and cyber threats.
Somasundaram: These are some of the latest developments in cybersecurity:
A number of solutions have been developed, including Asimily, for inventory, cybersecurity and operational management for medical devices.
In addition, some solutions also go deeper into aspects like vulnerability management to better prioritize and mitigate vulnerabilities which otherwise would require extensive and expensive segmentation or blocking.
And finally, a solution to automatically assess and pre-emptively mitigate risk of medical devices at procurement has emerged allowing health systems to incorporate security into the procurement of the device.
Sorani: Securing connected medical devices is a challenging task, due to the myriad of device types and vendors, unique protocols and manual actions, which are resource intensive along the life cycle. Consider that the average hospital has thousands of devices they need to be secure, and the scale of the task becomes clear. I would say that latest developments are centered on helping healthcare delivery organizations (HDOs) keep pace with the growing scale of their networks and connected devices. New technologies now exist to automate some or all of the various tasks, including creating the inventory, assessing the cyber risk, applying mitigation and remediations and getting compliance alignment reports. These technologies enable a proactive approach to secure medical devices.
Stock: Keeping an inventory of devices has been something HTM professionals have been doing for years, but knowing what they are doing and who they are talking to is relatively new. IT has had active scanning tools to provide this information for many years, but it has only been the last three years or so that we could passively get this information for medical devices. With this information, profiles can be built to monitor and protect devices previously left wide open or with minimal controls.
Walsh: The FDA just took a major step forward in prioritizing medical device cybersecurity by appointing the first ever director of medical device cybersecurity. Additionally, new developments in the SolarWinds Sunburst case are popping up, as most recently the North American Electric Reliability Corp. (NERC) stated that about 25% of all electric utilities on the North American power grid downloaded the affected software. The exploit continues to appear as one of the worst cyber-breaches in U.S. history.
Q: What are some measures biomeds can use to enhance a facility’s cybersecurity measures?
Finn: Most fundamentally, biomed leadership should insist that the tools used by their staff members and the tools used by their peers in HIT share the same data. A common, shareable foundation is key. For example, that HIT professionals would be using a CMDB where the underlying data are not synced with the CMMS used by biomed is antithetical to good security practice. The efficiencies required to manage the explosive growth in connected medicine cannot be achieved until a single source of truth (a common data foundation) is well-orchestrated and synced across the asset management and security ecosystem.
Gresch: Having a cybersecurity profile and risk assessment on every connected device in your inventory is key. MDS2 information is readily available and, with most modern CMMSs, can be easily consumed from a reliable content management platform. Partner with your IT group to adopt any of a myriad of network monitoring tools, which can also likely be integrated to your CMMS. Push to add a cybersecurity position to your team, as the risks and associated workloads are only going to increase.
Lerman: Close the gap between siloed HTM and IT/security departments. It’s imperative teams distribute responsibility for medical device security between them. This means sharing their expertise in health care industry intelligence to ensure IT/security teams understand the specific behaviors of medical devices and their criticality within the clinical workflow. Sharing this knowledge is critical to building and maintaining operationally safe security programs for any health care organization.
Somasundaram: These are some measures biomeds can take to enhance cybersecurity:
- Assess cyber-risks and incorporate them into your process right at procurement
- Understand the inventory of your devices
- Prioritize vulnerabilities and mitigate their risks
- Continuously monitor your environment for risks
- Set policies so you are aware when devices are not following expected guidelines
Sorani: One way biomeds can enhance the facility’s cybersecurity is by understanding the clinical context of devices. Knowing whether devices carry protected health information (PHI) and understanding what level of criticality the device possesses with respect to patient safety and care continuity is essential in prioritizing response to issues being detected. Some of this domain expertise is augmented by MDS2 documents, and some overlaps other processes related to equipment maintenance programs. The other important measure biomeds can implement is ensuring they have a systematic approach to patching, with the help of the vendors. With new vulnerabilities discovered daily, cybersecurity for any device, but especially medical devices, is not a “set it and forget it” task, and instead must be monitored and updated constantly. Having protocols in place and good relationships with vendors to help with patching is an important building block in any cybersecurity framework.
Stock: One of the easiest and most overlooked measures to help an organization’s cybersecurity resilience is physical security. The likelihood of a portable medical device walking out the front door is significantly higher than a data breach and much easier to prevent. Implementing a process to identify, secure and limit the PHI on these portable devices is a small lift with big rewards.
Walsh: By relying on the concepts of CIA, biomeds can use due diligence to ensure they are accurately identifying risk of new/existing medical systems during procurement, installation and sustainment. Additionally, they can exercise due care by ensuring any identified risk is properly documented and mitigated in a timely fashion.
Q: When it comes to older equipment, what steps can be taken to prevent cybersecurity issues?
Finn: Legacy equipment is going to be managed based on time-based maintenance interventions and compensating security controls. Good location data, network status and knowledge of how assets are being utilized (which are relevant examples of the visibility data now available) can be used to accelerate/dispatch more appropriate interventions, extend life cycles and inform decommissioning processes. Assuming physical inventory processes have been replaced by real-time digital processes, the detailed security posture of all connected assets should be available, and it should be inclusive of an audit trail of any/all compensating controls.
Gresch: Understand the vulnerabilities and risks associated with that equipment, and be proactive in working with the manufacturer and your IT department to mitigate the risks as much as possible. Going forward, leverage MDS2 data to know the risks before you purchase.
Lerman: Closely monitor medical device inventory and employ an AI-powered asset management solution that can automatically identify devices with outdated OS/firmware and any suspicious behaviors. This includes monitoring and identifying unnecessary or unauthorized communications with third parties (including vendors) or other in-network devices (e.g. an IV pump shouldn’t be able to communicate with an MRI machine). These measures will reduce the attack surface and prevent threat actors from being able to connect with and infect medical devices.
Somasundaram: One key point to understand with older medical devices is that just because they are older or run an outdated operating system does not necessarily put them at risk. There might be some older devices which might be less at risk than some of the newer devices. So, with older medical devices, analyze for which ones the vulnerabilities are critical in your environment. Then for those vulnerabilities mitigate the risks by applying workarounds.
Sorani: Older equipment might run unpatchable software, including end-of-life or deprecated operating systems. Without the updates and support from the OS provider, they often lack essential cybersecurity controls such as an anti-virus, credential management, encryption, proper authentication, and authorization on one side, and tend to gain critical vulnerabilities over time on the other side. In many cases network mitigation, on the internal network and on the perimeter, is the only feasible solution to control the risk. So, the vulnerabilities are still in there, but the likelihood of them being exploited is significantly reduced. The other key would be to ensure you have proper segmentation. Because you often cannot replace the older operating systems, being able to segment or isolate a device, or group of devices, in the case of a breach is critical. This will allow you to prevent the attacker from moving laterally within the network and will limit the potential damage and downtime for the network.
Stock: Due to the volume of older equipment with unsupported operating systems found in the health care environment, it is essential to do risk assessments to identify those devices that are the most vulnerable. After establishing a risk tolerance level, any devices over the acceptable risk level should be protected by implementing compensating controls such as NAC or isolated with a firewall.
Walsh: This is a tough question to answer, as each medical system is unique and determining what controls to apply to mitigate the risk would require in-depth analysis. However, generally speaking, when it comes to older equipment, accurately identifying and inventorying this equipment is the first step. This will give visibility and help plan for future upgrades. If the system holds PHI/PII, ensure it is located/stored somewhere not accessible to the public. VLAN segmentation and isolation from the production hospital network is also necessary. Confirming that any data on the system is properly backed up in case of equipment failure is another step that can be taken.
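The panel’s approach to older equipment (risk assessment, an agreed risk tolerance, then compensating controls such as NAC, firewall isolation or VLAN segmentation for whatever sits above it) can be made concrete as a small scoring pass over an inventory. The code below is an added example, not the article’s or any vendor’s product; the device attributes, weights, threshold and asset ids are all constructed assumptions.

```python
# Added example, not from the TechNation roundtable or any vendor's product:
# a risk-prioritisation pass over a constructed medical-device inventory.
# Weights, thresholds and the inventory itself are illustrative assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    asset_id: str
    name: str
    os_supported: bool          # vendor still ships OS/firmware updates
    patch_available: bool       # an unapplied vendor patch exists
    holds_phi: bool             # stores or transmits PHI (MDS2-style attribute)
    patient_critical: int       # 0..3 clinical criticality (3 = life-sustaining)
    on_shared_lan: bool         # not segmented from the general hospital network
    external_comms: bool        # observed talking to third parties / internet


def risk_score(d: Device) -> int:
    """Additive score; the weights are assumptions, not a published standard."""
    score = 3 if not d.os_supported else 0      # unpatchable OS weighs most
    score += 2 if d.patch_available else 0      # known, fixable exposure
    score += 2 if d.holds_phi else 0            # data-breach impact
    score += d.patient_critical                 # patient-safety impact
    score += 2 if d.on_shared_lan else 0        # exposure / lateral movement
    score += 1 if d.external_comms else 0       # wider attack surface
    return score


def recommended_controls(d: Device) -> list:
    """Map each risk driver to the mitigation the panel discusses."""
    controls = []
    if d.os_supported and d.patch_available:
        controls.append("schedule vendor patch in a clinically safe window")
    if not d.os_supported:
        controls.append("compensating control: isolate behind firewall/NAC")
    if d.on_shared_lan:
        controls.append("move to a dedicated medical-device VLAN")
    if d.external_comms:
        controls.append("review and block unneeded third-party communication")
    if d.holds_phi:
        controls.append("limit stored PHI; verify backups and physical security")
    return controls


def prioritize(inventory, tolerance: int):
    """Devices above the agreed risk tolerance, highest risk first."""
    over = [(d.asset_id, risk_score(d), recommended_controls(d))
            for d in inventory if risk_score(d) > tolerance]
    return sorted(over, key=lambda row: (-row[1], row[0]))


# Constructed sample inventory (fictional asset ids and attributes).
INVENTORY = [
    Device("BME-0001", "infusion pump", False, False, False, 3, True, False),
    Device("BME-0002", "MRI console", False, False, True, 1, True, True),
    Device("BME-0003", "patient monitor", True, True, True, 2, False, False),
    Device("BME-0004", "ultrasound cart", True, False, True, 1, False, False),
]

if __name__ == "__main__":
    for asset_id, score, controls in prioritize(INVENTORY, tolerance=5):
        print(f"{asset_id} risk={score}: " + "; ".join(controls))
```

With a tolerance of 5 the ultrasound cart (supported OS, segmented, no pending patch) drops out of the work queue while the two unsupported, shared-LAN devices land at the top with isolation and segmentation as their compensating controls.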
Q: What training/education do clinicians need to prevent cybersecurity attacks?
Finn: Value-based care is driving connected medicine. And connected medicine is driving a revolution in care delivery. Care protocols will continue to fragment, and cybersecurity controls will ultimately rationalize around protecting the connected patient. That means, both patient-facing and non-patient-facing health care professionals are going to have to stay on the same “security page.” Continuing education is essential, as all workflows are going to be impacted (directly or indirectly).
Gresch: Incidents of clinical staff using medical device workstations for purposes other than their intended use have represented a huge risk. Getting them to understand the implications of that activity will help mitigate those risks. The use of portable USB devices also is a major source of risk. Again, training staff on the risks this activity represents can reduce the risk.
Lerman: Training on cybersecurity best practices, plus an in-depth explanation of how cyberattacks like ransomware can affect medical device functionality and disrupt clinical workflow, ultimately leading to negative patient outcomes. Cybersecurity training should also include patch management and how to best utilize MDS2 forms. It’s also best for training to include a high-level explanation of network security to provide insight into medical device connectivity and devices’ relationship with the threat landscape.
Somasundaram: Clinicians need two levels of training.
Training to understand how to practice good cyber hygiene. For example: being careful with USB sticks or external hard drives, not opening email attachments from unknown sources, not sharing passwords on social platforms, etc. Many times, attacks stem from human errors, and knowing what not to do is important to prevent cybersecurity attacks for the organization.
Training to understand basic terminology in cybersecurity and networking, e.g., anomaly versus vulnerability, what a firewall is, etc. Clinicians don’t need to know the details, but having a broad understanding of cybersecurity will make them aware of events around them and help them understand and appreciate the actions needed or taken to protect medical devices.
Sorani: Training is key in promoting the cybersecurity culture and improving the bottom-line outcomes for hospitals. For the cybersecurity professionals within the hospital, it starts with getting familiar with the threat landscape and the common cyber risks found in medical devices. It continues with learning the industry’s standards and best practices for risk management including common security controls, possible remediation and mitigation options, and corresponding processes. Preparing for a security incident is important, including understanding how incidents are detected, managed and the role of the HTM professional in this process.
Stock: Clinicians should be required to take annual educational sessions to help them identify phishing and malicious emails. They should also have a clear understanding of PHI and PII and the proper handling of both.
Walsh: In any organization, employees are considered the “weakest link” when it comes to cyberbreaches. Due to this fact, security awareness training is extremely important for clinicians. Phishing campaigns are on the rise, and ensuring clinicians can accurately identify these malicious emails/phone calls/texts is essential. Additionally, during EOC rounds, ensuring they are aware of any HTM department’s developed cybersecurity policy is important, such as vendor escort/access, USB scanning, hard drive removal and preventative maintenance policies.
Q: What else do you think TechNation readers need to know about cybersecurity?
Finn: We tend to view cybersecurity through the lens of traditional bad actor attacks – and this is wrong. We need to expand our perspective. While we must learn to protect ourselves against the headline grabbing “lightning strikes” (e.g., ransomware attack, data theft, etc.), there are other pressing concerns that should compel our attention. For example, the operational inefficiencies born of poor collaboration/interoperability between HIT, HTM and finance must be treated as enterprise risks, as they are far more prevalent and no less dangerous to patients. Connected medicine is driving a revolution in care delivery. The underlying management processes can’t just try to keep up – they must get ahead.
Gresch: Expect that for the remainder of 2021 and into 2022, cyber-attacks are going to increase. Unfortunately, the bad guys haven’t been sleeping through this pandemic. In fact, a weakened workforce has only served to increase their opportunities.
Lerman: Cybersecurity can’t be achieved by one person or by one, simple IT security solution. It takes coordination between team members and a healthy combination of AI and human health care industry intelligence to achieve real and lasting cybersecurity in health care environments that ensures operational continuity, data integrity and patient safety.
Somasundaram: You should not think of cybersecurity as a three-month or six-month problem. Cyber-attacks are evolving and are here to stay. So, whether you are looking for a solution or implementing a new process or hiring someone to manage cybersecurity, take a longer-term view on how this would enable you to better manage cybersecurity. E.g.: If choosing a solution, ask if the vendor has a roadmap and is continuing to improve its capabilities. When implementing a process, ask if the process is going to scale as more needs arise. When hiring a person, ask if the person is going to be able to take more responsibility. At the end of the day, a long-term view is critical.
Sorani: Cybersecurity in health care is a collaborative effort across the HTM, security, compliance and IT teams – with the support and understanding of management. Even if your direct title isn’t “cybersecurity professional” you still play a major role in the process. IT, security and biomed teams must work together to ensure that the right devices are purchased, that they are onboarded correctly, patched in a timely manner when needed and ultimately that proper cybersecurity practices are followed during the lifetime of the device. Cybersecurity teams can establish all the guidelines they want, but without the participation of the other actors within the hospital they will be fighting an uphill battle.
Stock: With the vast number of vulnerable devices and external threats facing a modern health care organization, cybersecurity can seem like an impossible task. It is important to have a risk management strategy that considers the vulnerabilities and threats and the likelihood of exploitation. Identifying the highest risks and tackling them first creates a more manageable situation and makes the most significant impact on your overall security profile.
Walsh: Last year alone, there was over a 50% increase in cybersecurity breaches against medical facilities. Threat actors are targeting hospitals more and more, and cybersecurity is going to continue to play a vital role in the average HTM professional’s job function. Taking the time to self-educate on basic principles of cybersecurity will go a long way in protecting each medical facility.