Prepare Now for Critical Device Security Incidents
EXECUTIVE SUMMARY
Hackers can compromise medical devices in ways that can threaten patient safety. Healthcare organizations should prepare to respond to medical device safety incidents and minimize the risk to patients.
- The number of devices used for critical patient care is increasing rapidly.
- Hospitals should create a response plan that can be activated immediately.
- Practice the response plan the same as with other disaster plans.
Hospitals and health systems are increasingly dependent on sophisticated medical devices for patient care and maintaining safety, but not all are ready to respond effectively when hackers access those devices. Risk managers should ensure an effective response plan is in place that is well practiced and ready to deploy at a moment’s notice.
The Cloud Security Alliance (CSA) in Seattle recently released its Medical Device Incident Response Playbook to help healthcare organizations respond when hackers compromise devices. The group said the guidance was inspired by growing medical device security concerns since the 2017 WannaCry ransomware incident, which successfully encrypted radiology equipment drives at hospitals.
“While serious confidentiality and integrity issues are often associated with leakage of medical device data, the highest risk when dealing with systems being used for clinical care concerns is keeping those systems available for patient care use,” the authors stated.1
The biggest risk is that medical devices will be taken offline or compromised in ways that threaten patient safety. A malpractice lawsuit against an Alabama hospital alleges a newborn child died because of a ransomware attack that affected specific medical devices and the hospital’s computer systems. (For more information, see the story in the December 2021 issue of Healthcare Risk Management.)
Cyberattacks can affect a wide range of computer operations, but the CSA report focuses on how to respond when individual medical devices or a type of device is affected.
Playbook Guides Emergency Response
The CSA playbook was co-authored by Brian Russell, chief technology officer of TrustThink, a cybersecurity company in San Diego, and Christopher Frenz, CISSP, HCISPP, CISM, CISA, FIP, CIPP/US, CIPM, CIPT, CCSK, assistant vice president of IT security at Mount Sinai South Nassau in Oceanside, NY.
The playbook emphasizes the risk to patient care from a cyberattack, Frenz notes. Cybersecurity efforts often focus on the many other types of cyberattack damage, including financial, operational, and privacy threats, but the direct risk to patients can be underestimated.
“That’s one of the things that is largely missing from the conversation today. There needs to be a patient safety focus with cybersecurity decision-making, both on the protection side and also on the incident response side,” Frenz says.
The FDA has worked to ensure better security for the next generation of medical devices. But some legacy systems still function perfectly well in a clinical sense, and remain in use.
“There are a lot of very vulnerable medical devices in hospitals, and there will be for some time,” Frenz says.
Medical devices increasingly are interconnected with systems outside the hospital walls, making them targets for hackers, Russell says. Compromising patient safety might not necessarily be the hacker’s intent, but the medical device at the bedside can be a convenient way to gain access to other hospital systems.
“As these devices become more sophisticated and interconnected, there are a lot of opportunities for the bad guys to use them as entry points into the hospital enterprise network as well,” Russell says. “You have to be vigilant that you’re only allowing secure devices on your network.”
Devices Can Be Entry Point
Medical devices sometimes are a weak link in a hospital’s overall cybersecurity program, says Rich Temple, vice president and chief information officer of Deborah Heart and Lung Center in Browns Mills, NJ. For instance, many devices are shipped with a default password that some hospitals never change.
“If a bad guy were to get their hands on this default password, they could do a lot of damage,” Temple says. “Another big problem with medical devices is that I can [perform] a vulnerability scan on my network without adversely affecting operations, but I have to be much more prescriptive and careful about [performing] scans on my medical devices because that device might be attached to someone and providing life-affirming care. A scan could knock that device offline.”
Hospitals should train staff and physicians to raise an alarm if they suspect a medical device is not performing normally, Temple says.
Most healthcare organizations probably are not as prepared to deter and respond to a medical device incident as they are with other types of security breaches.
“It’s trickier and involves a lot more moving parts,” Temple says. “You have to accept that this is an issue we need to address, working very closely with biomedical engineering, and sometimes the IT department, to ensure we have processes in place to detect default passwords and avoid breaches.”
The hospital also should create a detailed response plan that includes steps for allowing the device vendor to access the equipment, which Temple says must be limited and monitored by hospital representatives.
“Fortunately, attacks on medical devices have not been as frequent as the more conventional network attacks, but that could change quickly. This could be the next big vector for attacks,” Temple warns. “I think we have a chance to get ahead of it, but not much time.”
More Dependence on Devices
Action is needed because healthcare providers are increasingly dependent on these devices to provide safe and effective patient care, notes Philip J. Bezanson, JD, managing partner with Bracewell in Seattle. Currently, there are about 12 medical devices per hospital bed, but industry experts expect that number to triple in the next five to 10 years.
“That is a ton of equipment, and each item needs to have its own mini-playbook for responding to a compromise. You have to know if the problem is with just this one device, or is every one just like it at risk,” Bezanson says. “What is the risk? Is it just a data collection risk, or is it a functionality risk where there can be real harm to a patient?”
The risk might be greatest for hospitals that did not employ the internal resources to address previous cybersecurity threats and had to outsource the efforts to protect networks from data breaches, Bezanson says. Without a strong internal team with experience in protecting the hospital’s network, they might face a bigger challenge in taking a proactive approach to medical device security.
Risk managers should view a medical device security response plan as similar to other disaster response plans. When a natural disaster strikes the hospital, a plan is activated immediately and various people will know their roles. The same sort of response should trigger when a medical device is compromised.
“We’ve reached the stage where things move so quickly that you may have to make decisions very quickly about pulling devices offline and taking other steps,” Bezanson says. “You won’t have the time to pull a binder off the shelf and see what you’re supposed to do. You have to have a team that already knows.”
Must Practice Response Plan
Another key aspect of a cybersecurity strategy is practicing incident response procedures, says Brian Wrozek, chief information security officer at Optiv Security in Denver.
One cannot stop every attack, so be ready to respond and minimize the damage, Wrozek says. One option is seeking help from third-party providers who specialize in incident response. Add clauses to contracts that require vendors and suppliers to participate in incident response drills and be ready to respond in an emergency. (See the related story in this issue for more information on how to include vendors.)
The response plan should incorporate law enforcement. Wrozek advises building those connections now. Do not wait until the attacker has struck.
“Don’t forget to follow any requirements from your insurance provider and related industry regulations. These exercises should include all aspects, from technology concerns to communications,” Wrozek says. “Be prepared to deal with social media and misinformation. Have a plan for communicating not only with patients and the public at large, but also employees and partners. Transparency is key to maintaining public confidence and trust.”
Can Migrate from Other Devices to Medical
One important consideration is that cyberattacks can originate from any connected device, not just medical gadgets, says Greg Murphy, chief executive officer of Ordr, a cybersecurity company in Santa Clara, CA. For example, if a connected device such as an HVAC control system, an elevator control system, or a building management system is compromised, an attacker can move laterally to a connected medical device.
When a cybersecurity incident happens, Murphy suggests thinking of the response in four parts:
- Understand what device has been compromised;
- Pinpoint its network and physical location;
- Determine if you can act on the device;
- Determine exactly what response is possible.
Understanding which device has been compromised is fundamental, Murphy says. It is crucial for an organization to maintain a continually updated, referenceable, real-time connected device inventory database. This database should classify devices based on their risks so the security team can individually prioritize alerts and responses.
Next, knowing the physical and network location can be critical: a technician must be able to find the device to take it off the network, or determine what compensating control its network connectivity allows.
These details are fundamental to determining whether action can be taken and exactly what type of action can be performed on the compromised device, Murphy says. For example, the clinical team might not be able to take a compromised MRI machine offline because of the negative effect on patient care. The proper response may be to quarantine the device.
“This is where mapping and baselining the behavior and communications patterns of a device using machine learning can accelerate the creation of the right segmentation policies to isolate the device and prevent lateral movement,” Murphy says.
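The four-part response and the behavioural baselining Murphy describes, as an added Python example that is not the article’s or any named vendor’s code; the inventory, IP addresses, ports and flow records are all constructed:

```python
from collections import namedtuple

Device = namedtuple("Device", "ip name risk_class location")

# Constructed inventory (not a real hospital's). A "life_critical" device may be
# attached to a patient and must not simply be powered off or unplugged.
INVENTORY = {
    "10.20.1.15": Device("10.20.1.15", "MRI-3", "life_critical", "Radiology, room 3"),
    "10.20.2.40": Device("10.20.2.40", "HVAC-CTRL-1", "building", "Mechanical room B"),
}

def plan_response(ip, inventory=INVENTORY):
    """Steps 1-4: identify the device, find it, decide whether it can be acted on,
    and pick the response. No inventory entry means no informed action is possible."""
    dev = inventory.get(ip)
    if dev is None:
        return "locate_manually", None
    if dev.risk_class == "life_critical":
        return "quarantine", dev  # isolate on the network, keep it clinically usable
    return "take_offline", dev

def baseline_flows(flows):
    """Behavioural baseline: the (peer, port) pairs a device talks to in normal use."""
    return {(dst, port) for _src, dst, port in flows}

def find_deviations(baseline, observed):
    """Peers/ports absent from the baseline: the lateral-movement candidates to alert on."""
    return sorted({(dst, port) for _src, dst, port in observed} - baseline)

def segmentation_allowlist(device_ip, baseline):
    """Turn the baseline into allow rules with a final deny, i.e. the segmentation policy."""
    rules = [f"allow {device_ip} -> {dst}:{port}" for dst, port in sorted(baseline)]
    rules.append(f"deny {device_ip} -> any")
    return rules

# Constructed flows (src, dst, port) for MRI-3 during normal operation: image transfer
# to the PACS server (DICOM, port 104) and the vendor service gateway (443).
NORMAL = [("10.20.1.15", "10.30.0.5", 104), ("10.20.1.15", "10.30.0.5", 104),
          ("10.20.1.15", "10.40.0.9", 443)]
# Constructed incident-day flows: the baseline plus a connection into a workstation subnet.
INCIDENT = NORMAL + [("10.20.1.15", "10.50.7.21", 445)]

if __name__ == "__main__":
    action, dev = plan_response("10.20.1.15")
    base = baseline_flows(NORMAL)
    print(action, dev.name, dev.location)            # quarantine MRI-3 Radiology, room 3
    print(find_deviations(base, INCIDENT))           # [('10.50.7.21', 445)]
    print("\n".join(segmentation_allowlist(dev.ip, base)))
```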
Access to All Devices Possible
Once cybercriminals gain access to a healthcare network, they often can access all devices connected to it, notes Troy Ament, field chief information security officer for healthcare at Fortinet in Sunnyvale, CA. Compromising those devices and threatening patient safety can be a way to pressure hospitals into paying a ransom.
Organizations should ensure advanced security (e.g., anti-exploit and endpoint detection and response) is installed on all endpoint devices, Ament says. These tools can detect malware on an endpoint before it spreads to the network, and can share that information downstream.
“We also can’t ignore the importance of teaching good cyber hygiene. Users must be part of the solution, which means all employees must receive training from the get-go. It must be a continuous learning process, and employees need to learn how to spot and report suspicious cyberactivity,” Ament says. “This can be challenging in a medical environment, since priority one needs to remain patient care.”
The key to a successful security program is its alignment with business mission and objectives, says William Mendez, managing director of operations with CyZen in New York City. Unfortunately, many security professionals create a myopic view of security, and only consider the controls and the obstacles.
“They fail to consider the impact that controls have on business operations, and do not seek that balance where security is applied, but the organization can still function as a business to meet its goals,” Mendez says. “After all, a business that cannot meet its goals will not be in business for long. Or, in the case of medical devices, failure to achieve this balance can be a matter of life and death.”
Medical device security brings this dilemma to the forefront, Mendez says. These devices are built for a specific purpose, and security usually is not at the top of their list of features. They typically run embedded operating systems that are “stripped down” versions and often cannot support traditional security protocols or mechanisms such as antivirus software, says Michael Schenck, senior cyber security consultant with CyZen.
Healthcare organizations should run a risk evaluation on new or upgraded software or hardware before introducing it to patient care, Schenck says.
A common security measure is to ensure software and hardware are fully patched, but Mendez explains that because medical devices’ internal operating systems have limited capacity, standard patching can cause harm, destabilizing the system and potentially affecting its operation.
“As a result, we have to rely on the vendor to provide patches, which can take longer to be released than a regular patch,” Mendez says. “This increases the window of opportunity for a threat actor to exploit an existing vulnerability.”
REFERENCE
- Cloud Security Alliance. CSA Medical Device Incident Response Playbook. Nov. 8, 2021.
SOURCES
- Troy Ament, Field Chief Information Security Officer, Healthcare, Fortinet, Sunnyvale, CA. Phone: (408) 235-7700.
- Philip J. Bezanson, JD, Managing Partner, Bracewell, Seattle. Phone: (206) 204-6206.
- Christopher Frenz, CISSP, HCISPP, CISM, CISA, FIP, CIPP/US, CIPM, CIPT, CCSK, Assistant Vice President, IT Security, Mount Sinai South Nassau, Oceanside, NY. Phone: (516) 632-3000.
- William Mendez, Managing Director, Operations, CyZen, New York City. Phone: (212) 842-7005.
- Greg Murphy, Chief Executive Officer, Ordr, Santa Clara, CA. Phone: (833) 673-7999.
- Brian Russell, Chief Technology Officer, TrustThink, San Diego.
- Michael Schenck, Senior Cyber Security Consultant, CyZen, New York City. Phone: (212) 842-7005.
- Rich Temple, Vice President, Chief Information Officer, Deborah Heart and Lung Center, Browns Mills, NJ. Phone: (609) 893-6611.
- Brian Wrozek, Chief Information Security Officer, Optiv Security, Denver. Phone: (800) 574-0896.