By K. Richard Douglas
While 2020 will be chronicled as one of the most tumultuous years in modern American history, the focus for most has remained on the impact of the pandemic, the civil unrest and a presidential election.
What has gone largely unnoticed outside the cybersecurity world is the substantial increase in cyberattacks and data breaches that has plagued every segment of the economy.
The security of cyberspace has become an international focus as government regulations, new laws and agencies have been created to protect it.
In November of 2018, President Donald Trump signed into law the Cybersecurity and Infrastructure Security Agency Act of 2018. It created the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security (DHS) to protect federal civilian networks and the nation's critical infrastructure.
Some cyber incidents require DHS to get involved. Under the national cyber incident response framework, DHS leads asset response (helping the victim protect and recover its systems) while the FBI leads threat response (pursuing the attackers). The FBI refers to some of the most capable of these adversaries as "advanced persistent threat (APT) actors."
Along with Health and Human Services (HHS), the FBI and CISA issue joint alerts warning of newly discovered threats, with details of the attackers' behavior and indicators of compromise.
During a period when resources everywhere are engaged in a battle against a novel coronavirus pandemic, the number of cyberattacks has continued to rise. The health care sector, which has been especially hard hit and often strained to the point of exhaustion, is a primary target of these attacks.
Health care organizations offer special appeal to cybercriminals because patient information can include Social Security numbers, credit card information and medical records.
Some cybercrime gangs have claimed that they would avoid attacking health care organizations during the coronavirus pandemic, but security experts doubt the validity of this claim.
This did not stop criminals from hitting health care facilities while they were already down. Instead, the incidence of cyberattacks during the pandemic is up 300 percent.
As technology has evolved and Internet connectivity has exploded, the days when a desktop computer was the only device in a home or business that accessed the Internet are long gone.
Today, the population of connected devices includes an array of unmanaged devices that make up the Internet of Things (IoT) and, in health care organizations, the Internet of Medical Things (IoMT). This broadens the cybersecurity challenge to include identifying devices that might otherwise fly under the radar.
In a smart home, everything from the washer to the refrigerator to a smart assistant and the doorbell might all be connected to a router. A home’s thermostat and security cameras can be connected. Along with information stored on computers, tablets and phones, the potential targets and entry-points for hackers are numerous.
According to a Nokia study, “IoT devices are responsible for almost a third of all mobile and Wi-Fi network infections.”
Health Care – An Attractive Target
In the health care setting, the number of devices that are connected to the network or that feed information to the EMR keeps growing. The organization's own computers, plus personal devices using Wi-Fi, make the population of devices sharing the network vast.
Some devices that show up in centralized purchasing can be flagged for vulnerabilities, but many personal devices may be left off these lists.
Any protected health information (PHI) that is fed into a patient's electronic health record (EHR) creates dollar signs in the eyes of cybercriminals. Its value on the black market makes it a prized target. For all the advantages that electronic health records have provided, they have also opened the door to many vulnerabilities that didn't exist with paper records.
Long before a coronavirus pandemic was even a thought, a cyberbreach in 2015 of data at Anthem Inc. affected 78 million records. For Anthem, the nation’s second largest health insurer, the breach resulted in a $115 million settlement.
In September of 2020, a German hospital patient died as a result of a delay in care caused by a ransomware attack.
According to CISA, “Ransomware is a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by a victim unknowingly visiting an infected website.”
Practical Solutions
The vulnerability of connected medical devices provides an easy target for cybercriminals.
Many IoMT devices don’t have built-in security measures and many use legacy operating systems that are no longer patched or supported by the manufacturer. One study showed that 20 percent of devices were running unsupported systems. Some estimates put this number above 70 percent. Many were designed to be stand-alone devices.
Network segmentation is one step to help protect patients from these attacks. Non-medical devices and guest devices must be segmented from medical devices.
The incursion of consumer devices into the health care space is a concern and a problem. Sometimes an electric car or an exercise device that is linked to the Internet ends up connected to a medical device network.
Organization-wide cybersecurity training helps prevent workers in all capacities from making critical mistakes that could jeopardize the organization's brand, staff, patients and visitors.
“As healthcare technology management (HTM) professionals struggle to navigate through the dark space of information security, it has become apparent, particularly this year, that we still have much work to do to clearly and safely negotiate this challenging environment,” says Jojo Gonzales, BSHA, CBET, CHTM, A+, Net+, Sec+, Healthcare IT Certified, lead BMET in the clinical technology department at the Kaiser Permanente San Diego Medical Center.
“Organizations are deploying solutions, but technician training is lagging behind. The effectiveness of those tools will increase significantly if the operators know how to properly utilize them,” Gonzales adds.
Insights from HTM Specialists
HTM teams have had to evolve in their role as medical device repair and maintenance experts and become educated and proactive in monitoring connected medical devices. Some teams have members in a hybrid role taking on this function and others have a specialist assigned to this task.
In addition to hardening the network alongside IT colleagues, the HTM team should have protocols in place for documenting every effort.
“It’s important to keep in mind during a cyber event that any damage done has the potential to end up in a criminal investigation, or an insurance claim, or both. In today’s environment, more and more hospitals carry some kind of insurance policy hedging against cyber events. Claims can be made for things like damaged equipment or lost revenue,” says Brandon White, clinical systems engineer who works for Renovo Solutions in the biomedical engineering department at Hoag Hospital Newport Beach in California.
He says that the insurance companies require more than the good word of people to prove that everything within their power was done to provide reasonable security and response.
“Therefore, you should document basically everything you can. These documents will end up with the hospital’s legal team to make the best case for the hospital to the insurance company and criminal investigators,” White says.
“HTM professionals should establish a communication line and task tracking protocol with the CIO/CISO, or whoever is leading the response to the attack. This will be important for problem solving, documenting issues, and proposing and getting approval for solutions. It’s a good idea to get senior leadership-level approval for anything you propose to do,” White adds.
He says that data breach events, much like a ransomware attack, are considered crime scenes.
“If, for example, all the records are stolen off of the laptop that controls the stress test equipment, then much like the CT, every step should be taken to keep the affected parts in as-found conditions to allow for an investigation,” White says.
He says that much of the same process used to respond to a ransomware attack applies here, too.
“In the case of breaches of ePHI, the hospital will have to report them to the government. So, the documentation of what kind of ePHI was lost, the kind of intrusion used to take it and how many people are affected will be important pieces of that report,” White adds.
Beyond preparing for and responding to a cyberattack, there are several practical steps that help mitigate the threat and harden your systems.
“First and foremost, knowing what you have increases your security effectiveness. Conduct a thorough inventory of cyber vulnerable equipment,” Gonzales says.
He suggests that HTM departments create and implement user awareness training. Gonzales says that it helps strengthen the organization’s security posture.
“Remove/rename default admin usernames and passwords and establish policy and limit use of removable media,” Gonzales says.
He also says to apply security patches in coordination with the OEM, use hardening guides and be wary of increased phishing and social engineering activities.
Insights from the Third-Party Specialists
The problem of cybersecurity is so pervasive that it has given rise to an entire industry to address the threat. Some of those specialists have shared their insights into the management of medical devices when hardening the network is crucial.
Daniel Brodie, co-founder and CTO at New York-based Cynerio agrees that HTM professionals need to ascertain that devices have the latest OS and firmware installed.
“However, updates are often unavailable due to long device shelf lives and unsupported legacy OS (e.g. Windows 7). Updates from vendors are often delayed, and implementation processes can be long and arduous due to dependence on mission-critical devices that cannot be taken offline,” Brodie says.
He says to mitigate risk, and reduce the attack surface, teams can employ more sophisticated compensating controls, such as 1) safe segmentation policies to block all unnecessary communications, and 2) device port hardening to limit third-party vendor access, ensuring only critical maintenance services are conducted on specific ports on specific devices at scheduled times.
Hardening the system against cyber-intrusion is often a joint effort between biomed, IT and security, says Benjamin Stock, CBET, director of healthcare product management at Ordr in Santa Clara, California.
“When we look at all the ways an organization can be impacted, we generally rely on the fundamentals,” Stock says, offering several examples.
“Active, accurate and continuous asset inventory – knowing in real-time what devices are connecting to your network, that they are properly classified with make, location, operating system, serial number, and application/port usage, and that there is no impact to the device or the environment,” Stock says.
“Updating default passwords and storing them appropriately. (LastPass, etcetera) can help ensure that the devices are not compromised based on known, public passwords that are on all of the same make/model of device,” he says.
Stock also points to the importance of patching and firmware upgrades – limiting the amount of time devices are unpatched, have security flaws or need firmware upgrades means less of a likelihood that there is a hole or weakness.
He also says that when allowed, all devices should be identified and should be classified with whether or not they have AV installed or if they need to be segmented as high-risk devices.
“Update virus definitions (automatically or manually) – ideally this would be an automated function but if it is not, having an up-to-date definitions library is critical,” Stock says.
Stock says that credential access controls are important and that all LDAP (i.e., Active Directory) information should be associated with the correct user(s), allowing only provisioned sharing of information from users to systems, networks, services and applications throughout the network.
Segmentation is an important step, as well as knowing any possible weakness in your system, but don’t over-segment, according to Shankar Somasundaram, CEO and co-founder of Asimily, based in Sunnyvale, California.
“Understand the entry points into the network for an attacker; understand how an attacker can spread out and compromise connected devices and the impact of such an attack on the clinical operations and data. This would provide HTM/biomed with targeted mitigation actions they can take to protect themselves against an intrusion and make the mitigation plan simpler and effective,” Somasundaram says.
He suggests that HTM professionals first understand the inventory.
“And then, just segment the network for different medical device types or for legacy operating systems which should provide some level of protection (not as effective as doing the prior suggestion). This needs to be done carefully since excessive segmentation can overload the network, be hard to maintain and, if not done correctly, can cause operational issues,” Somasundaram adds.
He also recommends creating a standard “configuration” template which specifies what ports and applications should be open/used for different device models from different manufacturers and apply them across the network.
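As an added example (not code from the article or from any of the vendors quoted in it), here is one way to turn such a configuration template into a check that can be run against real traffic. The VLAN map, asset inventory, per-model template and flow records below are constructed sample data with a made-up schema; in practice the inventory would be exported from the CMMS and the flows from a NetFlow collector or span-port monitor. The check flags the three conditions the specialists above describe: a host on a clinical subnet with no inventory record, a device accepting a port its template does not allow, and a device reached from a network that is not an allowed peer (for instance the guest Wi-Fi).

```python
import ipaddress

# Constructed VLAN map (the names and address ranges are assumptions).
VLANS = {
    "medical": ipaddress.ip_network("10.20.1.0/24"),
    "imaging": ipaddress.ip_network("10.20.2.0/24"),
    "clinical-servers": ipaddress.ip_network("10.20.5.0/24"),
    "vendor-support": ipaddress.ip_network("10.20.9.0/24"),
    "guest": ipaddress.ip_network("10.30.0.0/16"),
}
DEVICE_VLANS = {"medical", "imaging"}  # subnets where every host must be inventoried

# Constructed asset inventory, as it might be exported from the CMMS.
INVENTORY = {
    "10.20.1.10": {"model": "AcmeMed InfusionPump X1", "serial": "IP-0001"},
    "10.20.1.11": {"model": "AcmeMed InfusionPump X1", "serial": "IP-0002"},
    "10.20.2.5": {"model": "Contoso CT 9000", "serial": "CT-0007"},
}

# Constructed configuration template: for each model, the ports the device may
# accept and the networks that may talk to it. Anything else is a finding.
TEMPLATE = {
    "AcmeMed InfusionPump X1": {
        "allowed_ports": {443},                       # TLS to the pump server only
        "allowed_peers": [ipaddress.ip_network("10.20.5.0/24")],
    },
    "Contoso CT 9000": {
        "allowed_ports": {104, 443},                  # DICOM, vendor TLS
        "allowed_peers": [ipaddress.ip_network("10.20.5.0/24"),
                          ipaddress.ip_network("10.20.9.0/24")],
    },
}


def vlan_of(ip):
    """Name of the VLAN an address falls in, or 'unassigned'."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "unassigned"


def check_flows(flows, inventory=INVENTORY, template=TEMPLATE):
    """Return (kind, device_ip, detail) for every flow that breaks the template.

    A flow is {"src": ip, "dst": ip, "dport": int}; dst is the device side.
    """
    findings = []
    for flow in flows:
        src, dst, dport = flow["src"], flow["dst"], flow["dport"]
        device = inventory.get(dst)
        if device is None:
            if vlan_of(dst) in DEVICE_VLANS:
                findings.append(("unknown-device", dst,
                                 f"{dst} on the {vlan_of(dst)} VLAN has no inventory record "
                                 f"(reached from {src} on port {dport})"))
            continue  # not a clinical device; out of scope for HTM
        rules = template.get(device["model"])
        if rules is None:
            findings.append(("no-template", dst,
                             f"no configuration template for {device['model']}"))
            continue
        if dport not in rules["allowed_ports"]:
            findings.append(("unexpected-port", dst,
                             f"{device['model']} ({device['serial']}) accepted port {dport} "
                             f"from {src}; template allows {sorted(rules['allowed_ports'])}"))
        if not any(ipaddress.ip_address(src) in net for net in rules["allowed_peers"]):
            findings.append(("segmentation", dst,
                             f"{device['model']} ({device['serial']}) reached from {src} "
                             f"on the {vlan_of(src)} VLAN, which is not an allowed peer"))
    return findings


# Constructed flow records, one per observed connection to a device.
SAMPLE_FLOWS = [
    {"src": "10.20.5.20", "dst": "10.20.1.10", "dport": 443},   # pump server -> pump: fine
    {"src": "10.30.4.7", "dst": "10.20.1.11", "dport": 443},    # guest Wi-Fi -> pump: segmentation gap
    {"src": "10.20.5.20", "dst": "10.20.2.5", "dport": 3389},   # RDP to the CT: not in template
    {"src": "10.20.5.20", "dst": "10.20.1.12", "dport": 22},    # medical-VLAN host nobody inventoried
    {"src": "10.20.9.3", "dst": "10.20.2.5", "dport": 104},     # vendor subnet -> CT DICOM: fine
]

if __name__ == "__main__":
    for kind, ip, detail in check_flows(SAMPLE_FLOWS):
        print(f"[{kind}] {ip}: {detail}")
```

The "unknown-device" finding is the inventory audit the specialists recommend, and the "segmentation" finding is exactly what a correctly applied segmentation policy should make impossible to observe. A device that legitimately needs an extra port or peer (a scheduled vendor remote-support session, say) belongs in the template as an explicit entry, not as a silenced finding, so the template stays the record of what is allowed.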
“Hospitals, clinics and health care facilities, depending on size, have IT departments that look after their overall communications and data flow – this is fine and does cross over into patient-data controls. Here is where the big hole and break in this system occurs – they do not include the actual medical devices – and the security of them into their working matrix,” says Peter Loehfelm of Medical Equipment Doctor in Anaheim, California.
“Patching these devices is key to closing up the scenario of patient data being stored on insecure clouds or even worse on a USB portal in the pocket of a well-intended staff member,” he says.
Best Practices
Many protocols that can be put into daily use reduce the risk that an HTM team will have to react to a successful cyberattack. There is a long list of best practices that can reduce vulnerabilities and fortify clinical networks.
Stock says that medical device security best practices start with aligning closely with the hospital’s IT security team.
“This will help ensure compliance and ePHI security, help keep tabs on device utilization patterns to schedule downtime and maintenance without disrupting clinical services, and assist with ongoing risk assessments and recall tracking,” he says.
Stock says that biomed/HTM teams should also consider requesting MDS2 (Manufacturer Disclosure Statement for Medical Device Security) forms from vendors to understand out-of-the-box device-level security, identify devices that store and track ePHI, and ensure devices adhere to organizational security policies.
“Although the list might seem short, these best practices are no small feat,” Stock says. He says to have multiple backups stored in the cloud and on physical media for a resilient setup.
“Not only have a real-time asset inventory but audit the inventory to ensure it is accurate. Don’t simply trust that when AV/patching maintenance is performed that it is complete, but verify it was accurately performed. Establish a removal process and corresponding documentation for removal of individuals from the LDAP system,” Stock recommends.
He also suggests defining PHI removal policies and having clear documentation for decommissioning equipment and creating and maintaining internal documentation of workflow(s) for suspected PHI exposure.
Somasundaram recommends 10 best practices that could be applied regularly, which include keeping up HTM’s understanding of the inventory, maintaining physical and cyber access controls so that only specific authorized users are accessing the device and to turn on logging and user credentials where possible to ensure user access is logged and monitored.
He also recommends closing unused ports and services on devices.
“Monitor the devices for vulnerabilities; understand which ones pose the highest likelihood and impact in the network and mitigate risks from those vulnerabilities and monitor the network for anomalies and security threats,” Somasundaram says.
He also suggests segmenting the device where possible; again, segmentation has to be done carefully to be effective and not cause other issues. He also recommends patching devices when validated and approved patches are provided by the manufacturer.
“When buying new devices, run a risk analysis and understand how risks can be mitigated when bringing into the environment so that the problem is contained and manageable. Train staff to ensure they are cyber-aware and that they understand how connected devices should be managed from a cybersecurity standpoint,” Somasundaram adds.
White says it is important to communicate with critical clinical staff that there is the potential for issues with equipment and set up a communication procedure for them to follow in case they experience attack-related troubles.
“This is super crucial, because it’s impossible for the biomed staff to be all over the hospital at once, and the medical staff are the ones much more likely to notice something first. It’s best to start in the most critical places first, such as the ICU or OR, and work your way down the intensity levels of your hospital,” he says.
“Talk to the manager, talk to the staff on the ground. Get approval on exactly what to say from the response team first. Image and reputation control are a big part of the response, so messaging is important,” White adds.
White says that in the case of ransomware, it’s entirely possible for medical equipment to be affected.
“Once a problem related to an attack is identified on a piece of medical equipment, that device should be considered a crime scene. It’s important to maintain the condition of the device so an investigation can be conducted. It’s a good idea to treat these devices as if they were involved in an adverse patient health outcome event,” he says.
“Set them aside, keep the memory and settings intact, keep the battery charged, all that sort of thing. For devices that absolutely must come back online immediately, such as the only CT that services the ER for example; obviously down-time is critical,” White adds.
He says that the vendor will more than likely be called to re-install the entire operating system to get such a CT running again, but it may be possible to make a copy of the hard drive, or ask the vendor to install a new hard drive altogether and keep the affected one so a cyber forensics team can do an investigation on it.
“If memory or the BIOS is corrupted and needs to be replaced, keep all these parts for the forensics team and don’t let the vendor take them in an exchange. Pay the extra money and hold on to them. Document all these steps, in detail. Decisions on what to do with critical medical devices like this CT should not be made in a vacuum; all of these solutions should be communicated with the ones leading the response, and approval for a plan of action should be agreed upon by senior hospital staff,” White says.
He says that it’s entirely possible that they will have a special response team who are trained on these steps to do the technical part, and they may not want the in-house biomed touching anything at all.
“In any case, document absolutely everything you do, you’re asked to do, who asked you to do it, etcetera. A ransomware attack is considered a crime scene, and you may be required to justify your actions someday,” White adds.
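As an added example (not the article's or White's own procedure), the script below carries out the preservation step he describes in a way that can later be defended to investigators or an insurer: it copies the drive byte for byte, hashes the source and the image independently, and appends a chain-of-custody entry recording who did it and who asked for it. The paths, names and the throwaway file that stands in for a drive are constructed; on a Linux host the source would be the block device (for example /dev/sdb) attached read-only, ideally behind a hardware write blocker.

```python
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1 << 20  # 1 MiB reads: a multi-terabyte drive never has to fit in memory


def image_and_hash(source, dest):
    """Copy source to dest byte for byte.

    Hashes the bytes as they are read from the source and, separately, the bytes
    re-read from the finished image, so the two digests are independent evidence.
    Returns (sha256 of source, sha256 of image, byte count).
    """
    src_hash = hashlib.sha256()
    total = 0
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for buf in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(buf)
            dst.write(buf)
            total += len(buf)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image is on disk before we hash it
    img_hash = hashlib.sha256()
    with open(dest, "rb") as img:
        for buf in iter(lambda: img.read(CHUNK), b""):
            img_hash.update(buf)
    return src_hash.hexdigest(), img_hash.hexdigest(), total


def preserve(source, dest, logfile, operator, requested_by, device_id, note=""):
    """Image the device and append a chain-of-custody record; returns the record."""
    src_digest, img_digest, size = image_and_hash(source, dest)
    entry = {
        "timestamp_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "device_id": device_id,
        "source": source,
        "image": dest,
        "bytes": size,
        "sha256_source": src_digest,
        "sha256_image": img_digest,
        "verified": src_digest == img_digest,
        "operator": operator,
        "requested_by": requested_by,
        "note": note,
    }
    with open(logfile, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")  # one JSON object per line, append-only
    return entry


def verify_image(image, logfile):
    """Re-hash an image and compare it with the most recent log entry for it."""
    entry = None
    if not os.path.exists(logfile):
        return False
    with open(logfile, encoding="utf-8") as log:
        for line in log:
            rec = json.loads(line)
            if rec["image"] == image:
                entry = rec
    if entry is None or not os.path.exists(image):
        return False
    h = hashlib.sha256()
    with open(image, "rb") as img:
        for buf in iter(lambda: img.read(CHUNK), b""):
            h.update(buf)
    return h.hexdigest() == entry["sha256_image"]


def demo():
    """Constructed run on a throwaway file that stands in for a drive."""
    workdir = tempfile.mkdtemp(prefix="custody-")
    source = os.path.join(workdir, "sdb.bin")  # would be /dev/sdb on the real host
    with open(source, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 12345))  # a few MiB of made-up disk contents
    image = os.path.join(workdir, "CT-01_sdb.img")
    logfile = os.path.join(workdir, "custody.jsonl")
    entry = preserve(source, image, logfile,
                     operator="biomed tech on duty",         # hypothetical names
                     requested_by="incident response lead",
                     device_id="CT-01",
                     note="original drive retained; OEM installing replacement")
    return entry, logfile, verify_image(image, logfile)


if __name__ == "__main__":
    record, _, ok = demo()
    print(json.dumps(record, indent=2))
    print("image verifies against log:", ok)
```

Two caveats. The copy stops at the first read error, which is what you want for an intact drive but not for a failing one; for a drive with bad sectors use a tool built for that purpose (ddrescue, for instance) and record its output in the same log. And hashing the source while copying it does not prove the source was unchanged beforehand, which is why the drive is attached read-only and the log entry is written before the OEM or anyone else touches the device again.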
“For DDoS attacks, the technical solution for getting devices back up and running could be as simple as removing the device from the network temporarily and having the clinical staff save files locally until the attack is stopped. IT and cybersecurity will take the lead on stopping the actual source of these attacks and restoring the network, but at the individual device level, HTMs play the critical role of managing current conditions during the attack,” White says.
He says that the technical and work-flow logistics of that will depend on what devices are affected, and again, the decision to take these steps should not be made in a vacuum.
“Just like with the other two scenarios, an investigation may be conducted, and it will be important to document the state the device was found in, how much down-time there was, etcetera,” White says.
In summary, keep criminal investigations and insurance claims in your mind during a response.
“Document everything you do and propose. Know that the hospital’s legal team will be heavily involved. Set up a communication procedure with the response team and the clinical staff. Prioritize critical areas and equipment. Utilize your incident response protocol to quarantine affected devices,” White says.
White reminds his colleagues that HTM professionals can play a huge part in the response to cyberattacks.
“Our knowledge of equipment itself, as well as the relationships to third-party vendors who help support it, and the clinical staff who use it will make an HTM professional a valuable addition to a response team. Get approval for everything you propose and do. Document everything. Communicate difficulties you face. Be available to help,” he adds.