Cybersecurity continues to be an important and hot topic in health care, especially in the HTM community. TechNation quizzed some industry experts and educators about cybersecurity in search of information and tips to help readers.
Participating in the roundtable discussion on cybersecurity are Medigate Co-founder and CEO Jonathan Langer, Cynerio CEO and Founder Leon Lerman, Clearwater Chief Risk Officer and Senior Vice President of Professional Services Jon Moore, CyberMDX Vice President of Business Development Safi Oranski, Nuvolo Vice President of Product Marketing Ben Person, Texas State Technical College-Waco Associate Professor of Biomedical Equipment Technology Garrett Seeley and Extreme Networks Director of Healthcare Solutions Bob Zemke.
Q: What is the basic information biomeds need to start a cybersecurity program?
Langer: As purchasers of medical devices ultimately connecting to a hospital’s network, biomeds need to understand the risks associated with connecting to the network. They can’t go it alone anymore. They can’t be experts in understanding how to secure them, so biomeds need to coordinate with IT and IS (information security) teams from the outset, outlining requirements, clear roles and responsibilities for each group to take ownership of and drive forward. The uniqueness of the devices, the sheer volume of different types of devices and the complexity of clinical networks is daunting. The ability to find and secure devices, from MRIs to glucose meters and to alert a hospital of anomalies requires security that understands clinical networks.
Lerman: The most important thing is to have visibility into where the medical devices are and what their role is within medical workflows and clinical processes. This needs to include all the connections such as gateways, nurse stations, interface engine servers, terminal servers, printers and other middleware. There also needs to be special consideration regarding how critical the device is for patient care. For example, if an MRI machine services an entire region it needs more protection than one of several ultrasound machines. Keeping a physical inventory isn’t a one-time activity but something that needs to be done on an ongoing basis as devices are moved, retired or are added to the network.
Moore: If you want to create a cybersecurity program it should be built on a recognized framework and it should consider how security can be imbedded throughout the device lifecycle. A good place to start is with the following documents:
Framework for Improving Critical Infrastructure Cybersecurity Version 1.01 by the National Institute of Standards and Technology
Content of Premarket Submissions for Management of Cybersecurity in Medical Devices – Draft Guidance for Industry and Food and Drug Administration Staff
Postmarket Management of Cybersecurity in Medical Devices – Guidance for Industry and Food and Drug Administration Staff
Oranski: Biomedical professionals have a lot on their plate but in order to successfully achieve the many tasks they have, they must gain visibility into all of the devices on their network in order to embark on a cybersecurity journey. The first step is to automatically identify and categorize every connected device (you can’t protect what you don’t know you’ve got). This inventory will provide the foundation for an informed cybersecurity and enterprise risk management strategy.
Person: When considering implementing a cybersecurity program, biomeds should first get an understanding of the level of maturity of their asset inventory in their CMMS system. Most hospitals I speak with have challenges understanding what assets they have and also if they are connected to the network or not. Once biomeds have a trusted inventory in their CMMS and they know which devices are connected to their network they need to look at what asset details need to be tracked in order to understand the level of risk those devices pose from a cybersecurity perspective. For example, are those devices life sustaining, do they transmit or store ePHI and what is the risk to the hospital if those devices become unavailable or compromised. When it comes to cybersecurity there is no silver bullet and both process and technology need to be looked at in order to build a mature cybersecurity program for your medical devices.
Seeley: Cybersecurity is about risk management. The most basic tools are exactly what we use to mitigate risk to/for other equipment. We have to ask questions and log critical information to figure out the cyber risk of each item. Log things such as the operating system version and update history. Understand the connectivity of the device: Does it use a firewall? Does it need VPN access? Do you have to use remote desktop or can it be disabled? Does it use a web browser as an interface? If so, which one and what are the updates? Does it use Java, ASP, Flash or any other script languages? We need to study each piece of equipment to find its potential vulnerabilities. Most of this is persistently asking the right questions during capital equipment purchases or from the OEM.
Zemke: Before starting a cybersecurity program, it’s important to accept that all the connected medical devices in their environment most likely carry significant risk to the organization since they were implemented years before many of the current security risks existed. I would start with reading IEC 8000-1 Application of risk management for IT-networks incorporating medical devices. The report is a great first starting point and includes instructions on how to create an organizational framework for the identification, assessment, onboarding and remediation of connected medical devices.
Q: What are some technologies biomeds can use to enhance a facility’s cybersecurity measures?
Langer: Biomeds have the disadvantage of needing to secure the most complicated and life-altering devices connecting to the facility’s network. At the foundation is a need for a tool that digitizes and automates accurate and comprehensive inventorying of every device connected to the network. That is the baseline of what biomeds, security and IT need to implement the most sophisticated medical device security solution. The second component is clinically contextual anomaly detection capabilities in order to detect anomalies in device communications behaviors based on manufacturer protocols, not just network traffic. These enable rule-based, clinically driven security policies.
Lerman: Technology can be used to automatically identify medical devices and all the relevant information to create a physical map of the entire medical device ecosystem. Tools can be used to help assess and score each device’s relative risk level and to record recommended actions to protect patient data and safety. All the communications that go in and out of the medical device ecosystem can be recorded and then modeled using machine learning technology so that suspicious device behavior can be detected and the necessary corrective actions can be taken.
Moore: One of the first problems we encounter when helping organizations with security of medical devices is uncertainty about the number, type and location of devices. Traditional scanning for devices on networks is problematic as it might cause a device to fail. This has resulted in the invention of new passive scanning tools that use machine learning to identify unique devices on the network. These tools will also identify vulnerabilities in the medical devices, anomalous behavior and, if the right supporting technology is in place, segment suspect devices into separate networks to limit the damage they might cause. CyberMDX, Zingbox and Cloudpost are manufacturers of this type of technology.
Oranski: Biomed professionals must deploy cybersecurity tools that are specialized for health care. General security solutions aren’t sufficient; they were not built to understand the unique attributes, communication protocols and data workflows of a health care environment. Solutions that detect and prevent attacks from connected devices and clinical assets also benefit colleagues who work with biomed engineers.
Person: When considering tools that biomeds should look at there are two main areas of focus that should be considered. The first is making sure you have a modern CMMS system that has the ability to track the information needed for a cybersecurity program. Those details include if the device is Network Connected and the IP Address, MAC Address, Software Version, Firmware Version, Hostname, Common Platform Enumeration (CPE) operating system identity, ePHI details, Life Sustaining and many other details. The CMMS system should also have a cybersecurity module to enable automation from the external cybersecurity products that perform network discovery, vulnerability management, and automate notifications and work order creation in the event of a cybersecurity exploit event. CMMS systems like Nuvolo have those capabilities natively included and can integrate with modern medical device cybersecurity products like Asimily, Zingbox, Medigate, Ordr (CloudPost), CyberMDX and many others.
Seeley: There is no substitute for familiarity with networking. People say that the A+ and Network+ CompTIA exams are good, but they are a start. It is helpful to also understand material from Cisco CCENT.
Zemke: Before I make suggestions on products, I want to stress that technology alone doesn’t solve our problems. Many organizations operate with a false sense of security – they’ve invested in security products but done so without an accompanying operational strategy. Tools are what I consider the enabling component of strong process and procedures. That being said, I find that it is critical to have the following capabilities: Network Access Control, Management, Analytics, and Location.
Q: How can biomeds protect patient information and prevent HIPAA violations?
Langer: Here again, providing the comprehensive and accurate device inventory while coordinating and working closely with IT and IS provides a holistic security approach from individual device to network security. It gives IT and IS the information they need to segment their networks, create policies based on the device’s function and quarantine or shut down those behaving outside of the policy parameters. Partnering device security with best-in-breed solutions enables a comprehensive approach to protecting patient information and remaining HIPAA compliant while mitigating attacks like ransomware and disruptions of service.
Lerman: Each device that stores patient data needs to be analyzed based on the possibility that sensitive information can be leaked. For instance, a Picture Archiving and Communication System (PACS) would have a high privacy ranking. Based on the ranking system those devices that need immediate attention can be identified and managed accordingly.
Moore: The first thing is to identify any systems and/or devices where electronic protected health information (ePHI) is created, received, transmitted and/or stored. Next, would be to conduct a risk analysis of those systems and devices. To the extent an identified risk exceeds your organization’s risk appetite, the risk should be treated. Treating risks consists of either avoiding, mitigating, transferring or accepting the risk. Avoiding the risk means to stop doing whatever is causing it. For example, decommissioning the system/device associated with the risk. Mitigating the risk is done by implementing compensating security controls like a configuration policy or software patch. Risk can be treated by transferring the risk typically through insurance however that only transfers the cost if the risk becomes a reality. An organization cannot transfer its compliance responsibility. In some cases, an organization might choose to accept a risk above its threshold. For example, perhaps the device causing the risk is particularly expensive to replace or can’t be replaced at all and there are insufficient compensating controls available. In that case, the organization should be sure to document its decision to accept the risk making sure that it is reasonable under the circumstances.
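The inventory-driven triage that Person, Lerman and Moore describe (track which connected devices store ePHI or are life sustaining, rank them, then avoid, mitigate, transfer or accept each risk against the organization's risk appetite) can be written down as a small worked example. This is added illustration code, not from TechNation or any of the participating vendors; the device records, the additive scoring weights and the `appetite` threshold are constructed assumptions, and a real program would read the device attributes from the CMMS.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed device record: the asset details Person says a CMMS should track
# for cybersecurity purposes, reduced to the fields the triage below needs.
@dataclass(frozen=True)
class Device:
    name: str
    connected: bool            # on the clinical network at all?
    stores_ephi: bool          # creates, receives, transmits or stores ePHI
    life_sustaining: bool      # patient safety impact if unavailable/compromised
    os_vendor_supported: bool  # OS still receives security updates from the OEM
    patch_available: bool      # a vendor patch exists for known issues
    segmented: bool            # already on its own VLAN / behind a firewall
    replaceable: bool          # can be decommissioned within capital planning


def risk_score(d: Device) -> int:
    """Additive score (constructed weights). Offline devices carry no network risk."""
    if not d.connected:
        return 0
    score = 1                       # baseline for any connected device
    score += 3 if d.stores_ephi else 0          # confidentiality exposure (HIPAA)
    score += 3 if d.life_sustaining else 0      # availability/integrity = patient safety
    score += 2 if not d.os_vendor_supported else 0  # unpatchable OS
    score += 1 if not d.segmented else 0        # flat network, no blast-radius control
    return score


def treatment(d: Device, appetite: int) -> Tuple[str, str]:
    """Pick a risk treatment in the order Moore lists them.

    Transfer (insurance) is deliberately not a branch: it only moves cost, not
    compliance responsibility, so it never closes a risk on its own here.
    """
    score = risk_score(d)
    if score <= appetite:
        return ("accept", "within risk appetite")
    if d.patch_available:
        return ("mitigate", "apply vendor patch")
    if not d.segmented:
        return ("mitigate", "place on isolated network segment, allowlist peers")
    if d.replaceable:
        return ("avoid", "decommission or replace during capital planning")
    # Above appetite, no compensating control left, cannot be replaced:
    # accept only with a documented, reasoned decision.
    return ("accept-documented", "record rationale and approver; revisit at next review")


def prioritize(devices: List[Device], appetite: int) -> List[Tuple[str, int, str, str]]:
    """Highest-risk devices first, each with its chosen treatment."""
    rows = [(d.name, risk_score(d), *treatment(d, appetite)) for d in devices]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample inventory (names and attributes are illustrative only).
INVENTORY = [
    Device("MRI-1", True, True, False, False, False, False, False),
    Device("Infusion pump 12", True, False, True, True, True, False, True),
    Device("Glucose meter (standalone)", False, False, False, False, False, False, True),
    Device("Legacy PACS server", True, True, False, False, False, True, True),
    Device("Ventilator 3", True, False, True, False, False, True, False),
]
RISK_APPETITE = 4

if __name__ == "__main__":
    for name, score, action, why in prioritize(INVENTORY, RISK_APPETITE):
        print(f"{score:>2}  {name:<28} {action:<18} {why}")
```

Running the block prints the inventory ranked by score with the treatment each device gets; the ordering of the branches matters, since a cheap compensating control (patch, segmentation) is tried before the expensive one (replacement), and documented acceptance is the last resort rather than the default.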
Oranski: Cybersecurity technology can be enlisted to pull double duty and not only protect against a ransomware attack, but also assist with compliance. Health care cybersecurity solutions are uniquely positioned to support HIPAA requirements, as AI-assisted network traffic monitoring can identify assets containing ePHI and confirm that ePHI stored on medical devices has not been tampered with as it moves across the network (ensuring integrity), while built-in threat prevention techniques ensure the availability of that information to authorized parties only (ensuring confidentiality).
Person: One of the first steps in protecting patient information and preventing HIPAA violations is knowing which medical devices contain, transmit and store HIPAA ePHI data. These devices should be easily identified in a CMMS so that additional precautions and protections can be implemented in managing these devices. Protections like data encryption, secure passwords when accessing the devices, firewalls, white listing along with training biomeds on how to handle devices that have ePHI. These devices should also have an automated notification and workflow as part of the decommissioning process for the device to ensure that device data is wiped before disposing of the equipment.
Seeley: Know how attacks occur. Preventable attacks involve compromising the email of an employee or theft of equipment. Change passwords to email often and watch out for vulnerable hardware.
Zemke: The IEC 8000-1 Application of risk management for IT-networks incorporating medical devices, referenced earlier, suggests that we audit all devices to understand if they transmit or store any patient data. Start fresh, and assume nothing went through a thorough assessment before. From there, install behavior monitoring with network analytics. This allows you to understand what is talking to the devices and where the data is flowing. I consider connected medical devices in a hospital to be the same as children in a sandbox. When you are watching them they behave (most of the time), but turn your back and they start misbehaving, talking to strangers and spreading viruses.
Q: When it comes to older equipment, what steps can be taken to prevent cybersecurity issues?
Langer: Older equipment is tricky. In addition to finding the equipment, outdated operating systems and software can leave a hospital vulnerable. A cybersecurity solution that finds and identifies all of the equipment connected to the network is the first step to preventing cybersecurity issues. If you don’t know what’s connected to the network, you have no idea what the vulnerabilities are. If the tool used to identify the devices builds their profile from the manufacturer’s protocols, it will know the status of the OS and software versions and can send alerts when new CVEs or patches are available.
Lerman: It’s important to make sure that all equipment is running the latest version of software including the most recent patches. If equipment is more vulnerable you need to provide compensating steps, like segmenting high-risk equipment from the rest of the network so that it only communicates with the devices that are absolutely necessary to add another layer of protection.
Moore: There are some real limits on what one can do with older equipment. The one thing that can be done is to place the device on its own network segment. This can be done either through traditional physical or logical methods or by using technology that supports virtual local area networks (VLANs).
Oranski: Medical devices are often connected to legacy infrastructure that’s been developed over many years. A patchwork of systems, networks and components using different operating systems, communication protocols and data stores is complicated and difficult to maintain. As a first step, hospitals must deploy a dedicated medical device cybersecurity solution that will identify vulnerable, out-of-date or otherwise insecure configurations that exist. We often come across medical assets that are left unpatched for years, even though a firmware update is indeed available. Additional steps include automatic context aware policies that can be enforced selectively based on the relevant vulnerability or threat.
Person: When it comes to older equipment that is no longer supported by the OEM and the operating system is vulnerable to cyber attacks most hospitals look to place the device behind a firewall or white list the specific IP addresses that the device needs to communicate with and the specific network ports. Biomeds should also consider replacement for these types of devices as part of their capital planning. With modern CMMS systems you can track the acquisition cost of the device, depreciation, total cost of service, device availability and other areas to determine if a medical device has reached the end of its usable life and if the device is costing more to maintain than purchasing a new one that does not have the same level of cybersecurity threat.
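Zemke's "understand what is talking to the devices" and Person's "white list the specific IP addresses ... and the specific network ports" describe the same control from two sides: a per-device allowlist, and monitoring that flags any flow outside it. The following is an added example, not code from TechNation or any vendor named in the article; the device address, peer addresses, ports and log lines are all constructed, and the flow-record format is an assumed simplification of what a network analytics tool would export.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed policy for one legacy device (an imaging modality on an
# unsupported OS). It may only talk to its PACS over DICOM (104/tcp) and to
# the interface engine over HL7 MLLP (2575/tcp). Addresses are placeholders.
Peer = Tuple[str, int, str]  # (peer ip, destination port, protocol)
POLICY: Dict[str, Set[Peer]] = {
    "10.20.1.15": {
        ("10.20.5.10", 104, "tcp"),
        ("10.20.5.20", 2575, "tcp"),
    },
}

# Assumed flow-record format; a real tool's export would need its own regex.
FLOW_RE = re.compile(
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Optional[Flow]:
    """Return a Flow for a well-formed record, None for anything else."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    return Flow(m["src"], m["dst"], int(m["dport"]), m["proto"].lower())


def check_flow(flow: Flow, policy: Dict[str, Set[Peer]]) -> Optional[str]:
    """Return a violation reason, or None if the flow is allowed/unmonitored."""
    if flow.src in policy:  # device initiated the connection
        if (flow.dst, flow.dport, flow.proto) not in policy[flow.src]:
            return f"outbound from {flow.src} to unexpected peer {flow.dst}:{flow.dport}/{flow.proto}"
        return None
    if flow.dst in policy:  # something connected to the device
        allowed_peers = {peer for peer, _, _ in policy[flow.dst]}
        if flow.src not in allowed_peers:
            return f"inbound to {flow.dst} from unexpected host {flow.src} on {flow.dport}/{flow.proto}"
        return None
    return None  # not a monitored legacy device


def audit(lines: List[str], policy: Dict[str, Set[Peer]]) -> List[Tuple[str, str]]:
    """Run every parseable record through the policy; unparseable lines are skipped."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        reason = check_flow(flow, policy)
        if reason:
            findings.append((line, reason))
    return findings


# Constructed sample flow log: two expected clinical flows, one device reaching
# out to an external address, one workstation trying RDP into the device, one
# unrelated flow, and one malformed line.
SAMPLE_LOG = [
    "2023-01-01T10:00:01Z src=10.20.1.15 dst=10.20.5.10 dport=104 proto=tcp",
    "2023-01-01T10:00:02Z src=10.20.1.15 dst=10.20.5.20 dport=2575 proto=tcp",
    "2023-01-01T10:00:03Z src=10.20.1.15 dst=203.0.113.7 dport=443 proto=tcp",
    "2023-01-01T10:00:04Z src=10.20.7.44 dst=10.20.1.15 dport=3389 proto=tcp",
    "2023-01-01T10:00:05Z src=10.20.9.9 dst=10.20.9.10 dport=80 proto=tcp",
    "2023-01-01T10:00:06Z collector restarted",
]

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_LOG, POLICY):
        print(f"ALERT {reason}\n      {line}")
```

The same policy table can feed both sides of the control: the firewall or VLAN ACL that enforces the allowlist and the monitor that reports what slipped past it or what the policy forgot, which is how the "start fresh, assume nothing was assessed" audit Zemke recommends turns into a maintained baseline rather than a one-time exercise.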
Seeley: This brings up the argument of bolt-on versus imbedded security. Bolt-on security is making an older system work. We can use things such as firewall appliances to make sure that there is a firewall with port security between a medical device and the rest of the network. This is OK, but ultimately this should be something the device itself can do. The most logical thing is to upgrade or replace the system. We have to use the OEM as a resource at this point.
Zemke: The risk with medical devices is that they have a life cycle well beyond typical IT systems. Add to the fact that they often have rigorous code certifications means that they are not able to keep up with tomorrow’s cyber threats. The key, then, is to have a functional process in place to keep all older devices isolated from internal and external threats. Security dongles like Extreme’s Defender for IoT product act as individual VPN/firewalls for older medical devices, and are a good approach to retrofit and defend.
Q: What training/education do clinicians need to prevent cybersecurity attacks?
Langer: Cybersecurity education in every department should be constant and consistent. Whether advising clinicians to practice good security hygiene or alerting them to the latest phishing scam, it’s important to regularly remind clinicians that they are the first and often only line of defense. Hackers look for the easiest way in and it’s almost always an unwitting employee.
Lerman: It’s important that all data input devices are used only for the purpose for which they are intended. Health care providers shouldn’t plan their vacations or shop on eBay using hospital computers since browsers tend to be riddled with viruses. It’s important that every new medical device is inspected with the IT team before it’s added to the network and that service level agreements with vendors include procedures for keeping software versions up to date.
Moore: In addition to the security awareness training that is provided to everyone in the organization, clinicians need to have a heightened awareness of anomalous behavior by medical devices. Dr. Christian Demeff, an emergency room physician and hacker from UC San Diego, has done some work around simulation of compromised medical devices in a clinical setting. During these simulations, very few, if any, participating clinicians recognized the compromised device as such.
Oranski: For health care providers, insiders pose a bigger threat than outside actors – providing a case in point for the need to better incorporate cyber hygiene education into medical device user training. A lot of the training undertaken by the clinical engineering team can be condensed and re-packaged for delivery to clinical staff and other users with a focus on cybersecurity awareness and threat detection. Staff training needs to cover general cybersecurity protection, such as the basics of password management, how to spot and what to do when encountering malicious websites or emails, social engineering, etc. It might seem obvious, but staff needs to understand that they should only use connected medical assets for their intended purpose and not, as we commonly see, to surf the web. They must understand that clicking on the wrong link can trigger a malicious script that may ultimately compromise the delivery of care. Sometimes subtle changes in device behavior patterns can indicate malfunction or worse – tampering.
Person: When looking at training that the hospital staff and clinicians themselves need it needs to start with cybersecurity awareness. One area the hospital staff needs to be trained on is best practices in password management. Also, they need to get training on how to avoid malicious websites, malicious emails, social engineering and other targeted attacks that could compromise a device or impact the delivery of care for the hospital. Hospital staff should also receive training to not plug in their cellphones or personal devices to the USB ports on the medical devices. The most important thing to implement with the hospital staff is a standard operating procedure (SOP) for educating the hospital staff as part of the onboarding process and ongoing cybersecurity awareness program.
Seeley: Know about hardware risks due to loss, know about social engineering to get access and do not click unknown pop-ups. And, do not charge a cellphone with a USB port on a medical device. Consider disabling front USB on a medical device, if possible. In general, good behavior for computer security includes watching out for suspicious emails or phishing. Often, hackers pretend to be someone else to try to get valuable information from someone. Remember to be suspicious about unknown phone calls or emails. Never click on things sent through email unless you expected it. Keep off of suspicious or unscrupulous websites.
Zemke: The first thing clinicians need to understand is that every device is a computer, even if it doesn’t have a screen or keyboard. That helps set the groundwork for education around best practices and why biomed needs their cooperation. Another is to share real world examples about various incidents that have taken place recently that impacted patient care, such as WannaCry.
Q: What else do you think TechNation readers need to know?
Langer: I can’t stress enough that protecting hospitals, health care systems and, ultimately, their patients requires a level of security not always necessary in other industries.
Cursory identification of a device (IP address, MAC address, make, model) is not enough to create meaningful security policies.
It’s critical to have biomeds, IT and IS involved in the IoT/device security solution procurement process. For example, if IT and IS own the budget and drive the process without biomed, they are more likely to purchase an IoT solution that can’t address the unique needs of medical devices.
The only way to achieve the highest level of security for medical devices is to understand a manufacturer’s protocols and clinical workflows. There is no substitute for that.
Lerman: As part of the digital revolution we are seeing the introduction of thousands and hundreds of thousands of connected medical devices, such as patient monitors, IV pumps, MRI machines, infusion pumps, ventilators that are connected to the internal hospital network. Now that devices are more connected and vulnerable, biomeds have a significant role to play to keep patients safe and their sensitive data secure.
Moore: Cybersecurity is no longer an IT issue, it is a patient safety issue. We are completely dependent on technology to operate our organizations, deliver care and keep patients alive. Up to now, the health care industry’s focus has been primarily on the confidentiality of information. We see stories of hacked records, OCR fines and class-action lawsuits. There are, however, two other pieces of the information security triad: integrity and availability. If the integrity of the information we rely on to treat patients is compromised and/or the technology and the information it creates is not available to provide care at all, well then we have a whole different and likely much more urgent problem than identity theft and medical insurance fraud.
Oranski: In today’s health care environment, biomed professionals are at a disadvantage when it comes to cyber vulnerabilities and risks that they are presented with on a daily basis. Cyber criminals need to get it right just once, while biomed teams need to get it right 24/7/365. As a result, they must deploy an automatic, real-time cybersecurity solution that was built for a health care environment. A generic IoT security solution that addresses the cybersecurity needs of manufacturing, retail and financial institutions can not address the unique requirements associated with operating and protecting medical devices.
Person: When implementing a cybersecurity program, a hospital needs to look at process and technology to address all aspects of cybersecurity threats. Consider from a process perspective the entire life-cycle of the medical device including how the medical devices are purchased, on-boarded, maintained and disposed. Consider implementing a modern CMMS system that supports the details and process automation to handle a cybersecurity program. Lastly, look at modern medical device cybersecurity products that can discover, monitor and protect the hospital from cybersecurity threats.
Seeley: Cybersecurity and cyber attacks are not as bad as people may think. Most devices are actually specialized with little to no actual risk. However, times are changing. As the field evolves, so should we. We need to stay on top of potential threats. This is actually us being proactive. Do not fear this, but be aware that there have been some incidences. Do your best to limit the problems on your end using proper risk management techniques. Remember, you are good at that!
Zemke: I am a strong advocate for education and self-reflection. We have been connecting medical devices in health care for decades, well before “IoT” was a cool term. With that realization, we have to accept that the security landscape has changed, the risks have increased and our assumptions on what adequate security is need to evolve. Digital health care is very real in today’s clinical workflows, and with that our dependency on security will require continued education and changes to how we safely and effectively deliver services.