
If there is one thing medical professionals understand, it is hygiene. They remind patients and staff alike to wash their hands and keep equipment clean to avoid creating a breeding ground for viruses. For the hospital’s IT and security teams, cyberhygiene is just as important. Limiting network vulnerabilities using good data security hygiene is essential, but sometimes problems can still occur.
Cyberhygiene encompasses a variety of best practices, including but not limited to properly configuring and updating network devices, operating systems, application software and cloud resources; enforcing strong encryption and authentication; identifying and either eliminating or protecting any shadow IT on the network, depending on its value and necessity to the enterprise; updating whitelists and blacklists of users and websites; and ensuring all devices are free from malware.
Among the components that security teams are likely to put in place to protect patients’ protected health information (PHI) and other personally identifiable information (PII) are a zero-trust model, microsegmentation of networks, high levels of encryption and an identity and access management environment designed to ensure confidentiality. Additionally, hospital CISOs tend to be very concerned about IT asset management, as unidentified assets, especially shadow IT and authorized devices that can be connected to the internet, can lead to serious data leakage and potential compliance violations that carry with them heavy fines.
“A lot of hospitals haven’t put proper thought into network segmentation,” cautions Christopher Frenz, associate vice president of information security and infrastructure of Interfaith Medical Center in Brooklyn. “If you look at all the hospitals that have been brought down by ransomware and other cyberattacks, the contributing cause for most of them is they have flat networks. And that’s really dangerous, because as soon as one system in the organization becomes compromised, it allows that malware to laterally move through the entire organization.”
In the rush to deploy and reconfigure medical equipment in response to the COVID-19 pandemic, many hospitals are skipping risk assessment steps, Frenz says.
Several hospitals battling COVID-19 have wound up in the headlines due to cybersecurity issues. In March, the Brno University Hospital in the city of Brno, Czech Republic, was hit by a ransomware attack, requiring all its computers to be shut down.
“They may still be deploying it in what they think is a secure manner, but a lot of the normal assessments that a person would go through before they purchase a device, a lot of that’s being skipped in the rush to get whatever ventilator they can get online as fast as possible,” Frenz says.
If medical devices are installed without careful and proper configuration, they can expose and be exposed to malware on the rest of the network. In 2017 and again in 2019, the ransomware cryptoworm WannaCry locked up not only computers but also medical devices. Some 300,000 machines in 150 countries reportedly were affected.
Complicating the task: hospitals might not be able to get their choice of vendor for medical devices, which also impacts cybersecurity readiness.
Interfaith Medical Center was an early U.S. medical facility to adopt a zero-trust network, doing so in 2015, Frenz says. “In today’s day and age, healthcare cybersecurity really does equal patient safety,” he says. “We do have to take the time to actually make sure that medical devices and other systems which impact the patient are securely deployed.”
At Interfaith, every device being deployed is using full network segmentation. “Everything’s isolated to just what it needs to, and can’t communicate with anything else, so we’ve put a lot of thought over the years into how to secure medical devices, and various ways of doing that,” Frenz says.
IoT in the ICU
A big part of medical device security is in the intensive care units (ICUs), where multiple internet of things (IoT) devices are used. One common best practice is that devices used in applications where PHI is present should undergo a security assessment and a privacy assessment.
One problem often found in hospitals is that networked devices might not get software patches at the same priority as common desktop systems. Often the desktop operating systems alert users when an update is needed; this is not always the case for IoT devices, large or small.
Big-ticket items, such as magnetic resonance imaging (MRI) machines, can be problematic because they are in use for longer periods of time, yet they are networked, online and might be running unpatched operating systems. Other devices in the modern-day ICU are also networked, and if they are unpatched and insecure, serious vulnerabilities occur if the hospital is running flat, unsegmented networks.
Frenz is also devoting time to two industry-level efforts to make networks and devices more secure. He is the chair of the incident response committee of the Association for Executives in Healthcare Information Security (AEHIS), an affiliate of the College of Healthcare Information Management Executives (CHIME). In January, AEHIS released 17 recommended controls to mitigate cyberattack risks. Then, in March, AEHIS released Information Technology Considerations for a Disease Outbreak, a report highlighting information security issues healthcare organizations should consider.
In addition, Frenz is team lead for the secured medical device deployment standard being developed by the OWASP Foundation, also known as the Open Web Application Security Project. OWASP is a nonprofit foundation that works to improve the security of software. Its standard reviews 25 separate controls hospitals can use to deploy their medical devices securely.
Another way to guard medical devices is the DNS (Domain Name System) sinkhole. “You might not be able to install antivirus or other endpoint security on the device because the device won’t support it, or the manufacturer doesn’t approve it like you can for a regular PC,” Frenz says. “A DNS sinkhole is a great way to identify malicious traffic coming from a device and identify infected devices.”
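The sinkhole check described above, as an added example that is not code from the article or from Interfaith: it scans resolver logs for answers that point at the sinkhole address and joins the querying clients to an asset inventory, so that infected or unidentified devices stand out. The log format, sinkhole address, inventory and device names are all constructed assumptions.

```python
import ipaddress

# Assumption: the sinkhole answers every blocklisted name with this address.
SINKHOLE_IP = ipaddress.ip_address("10.99.0.53")

# Constructed asset inventory: source address -> device name.
INVENTORY = {
    "10.20.1.14": "infusion-pump-icu-03",
    "10.20.1.22": "patient-monitor-icu-07",
    "10.20.4.5": "mri-console-01",
}

# Constructed resolver log: "<ISO time> <client IP> <queried name> <answer>".
SAMPLE_LOG = """\
2020-04-02T08:15:01Z 10.20.1.14 updates.vendor.example 203.0.113.10
2020-04-02T08:15:09Z 10.20.4.5 c2-node.bad.example 10.99.0.53
2020-04-02T08:16:40Z 10.20.4.5 C2-Node.bad.example. 10.99.0.53
2020-04-02T08:17:02Z 10.20.7.77 dropper.bad.example 10.99.0.53
2020-04-02T08:17:30Z 10.20.1.22 time.vendor.example 203.0.113.20
2020-04-02T08:18:00Z 10.20.1.22
2020-04-02T08:19:11Z 10.20.4.5 exfil.bad.example 10.99.0.53
"""

def sinkhole_hits(log_text, inventory=INVENTORY, sinkhole=SINKHOLE_IP):
    """Return {client_ip: report} for each client that received a sinkhole answer."""
    hits = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # truncated or malformed log line
        when, client, qname, answer = fields
        try:
            ipaddress.ip_address(client)
            if ipaddress.ip_address(answer) != sinkhole:
                continue  # normal resolution, not a blocklisted name
        except ValueError:
            continue  # client or answer is not an IP address
        rec = hits.setdefault(client, {"count": 0, "domains": set(), "first": when})
        # Clients missing from the inventory are flagged, not dropped.
        rec["device"] = inventory.get(client, "UNKNOWN ASSET")
        rec["count"] += 1
        rec["domains"].add(qname.rstrip(".").lower())  # normalise case and root dot
        rec["last"] = when
    return hits

if __name__ == "__main__":
    for ip, rec in sorted(sinkhole_hits(SAMPLE_LOG).items()):
        print(ip, rec["device"], rec["count"], sorted(rec["domains"]))
```

A client reported as `UNKNOWN ASSET` is worth as much attention as a known infected device, since it is querying blocklisted names from an address the inventory does not account for.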
Virtual patching is also helping security professionals secure medical devices. Traffic for or from a medical device gets routed through firewalls containing an intrusion prevention system, which provides a way to virtually patch those devices, even if the devices are still running unpatchable Windows XP operating systems, Frenz says.
Beyond the guidance, Frenz acknowledges that the short-term demands of COVID-19 require some tradeoffs to occur.
“It’s a conversation that has to involve clinicians as well as other people within the healthcare organization,” Frenz says. “It has to include more [stakeholders] than just IT. There really need to be holistic discussions within the organization about the potential impacts of a security issue on patient care, and how security relates to patient care.”
Time to prepare
Like the rest of the nation, a five-hospital system in upstate New York watched events in New York City with increasing concern during the COVID-19 explosion in March. Rochester Regional Health, a five-hospital system in the Finger Lakes region of New York state, managed to avoid the kind of surge in patients experienced in New York City, but took steps early on to ensure the safety, reliability and effectiveness of its medical equipment.
“We had a little bit of time, but we had to move quickly,” says Anthony Alongi, clinical engineering director for Rochester Regional Health. “Most of the effort was in what would we need to do if this thing got really big, the capacity issue.”
Rochester Regional Health reviewed its inventory of ventilators, patient monitoring devices, IV pumps, and other devices needed for any ICU beds they might need to add if the pandemic got out of hand in its area.
The shelter-in-place orders put in place for the entire state of New York slowed down the pandemic enough that “we never got overwhelmed here,” Alongi says. “We had enough time to start figuring things out.”
But the scramble before that point was real. “We went out and tried to buy some anesthesia machines,” he says. “We were able to rent some, so we had to incorporate that into our system. We had to use device integration, which means keeping it so that the information flows through the patient record.” They also borrowed some respirators from area schools that use them to train respiratory therapists.
Alongi’s team quickly had to come up with a naming convention for all the borrowed equipment. After it was in place, the team saw that the need for the ramp-up was on the decline, but realized that it needed to implement a better system using radio frequency identification (RFID) labels. Such a system would help the team understand not only where equipment in use was, but also where equipment not in use was, since the RFID system will not be tied to any one patient’s record.
In retrospect, preparations for the surge also set off discussions about setting up a special type of organization or warehouse where hospitals from around the region can also share equipment as needed, Alongi says.
Like Interfaith, Rochester Regional Health has also implemented a zero-trust network. Certain devices, such as GE monitoring devices, are even on their own network segments behind the vendor’s own firewalls for extra protection, Alongi says.
Ultimately, hospitals face a serious challenge in that so many devices now in use can be internet connected and many process PHI. Making sure they are locked down has become a Herculean effort for security teams, but one that cannot be ignored.