Picture this: you're a doctor at Holy Mountain’s Heart & Vascular Center. You're running late. Rushing past a waiting room full of patients in need of care, you hurry to your office and unlock the screen saver on your PC to access case files for the day ahead. Met with a blank screen, you call the IT support team.
They confirm that the hospital had been the target of a ransomware attack, most likely caused by a staff member clicking a malicious link in an email message. You (and your patients) are lucky though — the hospital is prepared. It has an up-to-date and recently rehearsed incident response plan.
Affected devices are quickly cut off from the wider clinical network and quarantined. There are paper copies of critical records and a team of administrative assistants is brought in to help doctors transcribe and keep track of new information and medical notes. The clinic is able to carry on functioning more less as usual.
Still, the event, and many similar ones, highlights the importance of cybersecurity in clinical environments.
What is Cybersecurity All About in General
The term "cybersecurity" or "cyber security" dates back to at least 1998, when governments and international bodies first began considering the unique threat implications of computer crimes. The idea of computer-based abuses had already entered the public consciousness in the early '80s, but until the turn of the millennium it was mainly considered as a question of the applicable legal principles and prosecutorial mechanisms. Since that time, it has come to be thought of in a much more serious light and has risen to the top of government, business, and public interest group agendas.
"Cybersecurity" refers to technological and behavioral measures taken to protect internet-connected systems — including hardware, software and data — from attacks. It’s one element of the computer security ecosystem that includes information security — which protects the confidentiality, integrity and availability of data — and physical security — which aim to restrict access to and prevent the theft of computing equipment and infrastructure.
There are 3 cardinal realms of cybersecurity.
- Personal cybersecurity
- Industrial cybersecurity
- Infrastructural cybersecurity.
Personal cyber security pertains to an individual's personal devices, the integrity of their virtual assets, and the privacy of information that he or she inputs or accesses through those devices and interfacing systems.
Industrial cybersecurity is much the same, but swaps personal devices for connected corporate assets and adds things like corporate espionage and industrial sabotage to the attack surface.
Infrastructural cybersecurity is basically industrial cybersecurity for critical infrastructure points — raising the stakes by putting whole economies at risk, and introducing the potential for physical danger. What's more, that type of damage potential can invite terrorist and hostile state players to enter into the equation.
Some of these threats may seem far-fetched, but the fact is that they're not. People's personal devices and accounts are breached tens of thousands of times every day. Companies are targeted all the time (often by other companies!). And infrastructure attacks are growing more and more commonplace.
The threat is very real indeed. For example, in September 2017, a vulnerability on the Equinax website gave cyber criminals and open path to the personal data of 140 million customers in the US, UK and Canada. While in August 2018, hackers stole personal and financial details of 400,000 British Airways customers.
To compound the problem, the number of internet-connected devices is growing exponentially — worldwide spending on the Internet of Things is forecast to reach $770 billion in 2018 — dramatically increasing the opportunities for attack.
Although cyberthreats affect industries and companies of all types and size, hospitals have unique characteristics that bring cybersecurity into even sharper focus. In fact, the need for security tailored more specifically to healthcare has resulted in the FDA placing renewed emphasis on its cybersecurity program.
What’s Different About Hospital Cybersecurity?
Hospitals are different for a few reasons. First, they don't fit neatly into any of the 3 cardinal cyber realms mentioned above. They are critical public infrastructure points, but they are also privately managed and profit-seeking businesses. They not only process sensitive information in the course of their business operations, but their networks (usually through WiFi) also handle loads of personal information outside of any business purposes (in more of a personal cybersecurity vein). In these respects, hospital cybersecurity is at once personal, industrial, and infrastructural.
For hospitals, cybersecurity rests on four main pillars. There's endpoint cybersecurity, which deals with IP addressable medical devices and clinical assets. There's network cybersecurity, which deals with intra- or internet based interactions across and between your digital infrastructure. There's data privacy cybersecurity, which deals with how you process, store, and protect sensitive information. Then there's human factor cybersecurity, which deals with preventing malfeasance and training your staff to avoid common security pitfalls and empowers them to follow cyber best practices.
These four areas together account for the bulk of hospital cybersecurity. That said, they should not all be treated equally. For example, without totally removing people from the field of play, human error can never be fully excised from the equation. So even though it's extremely important, over-investing in the human factor would be a mistake. That area of hospital cybersecurity simply has more rapidly decreasing marginal returns than the others.
The area that most confounds and sets hospitals apart from other enterprise organizations, however, is endpoint cybersecurity. And that's because of the incredible proliferation and complex smartification of medical devices over recent years.
There are some 400 million connected medical devices in use globally and The Internet of Medical Things is forecast to be a $400 billion industry by 2022, driven by the promise of benefits to patients and providers alike. Patients get personalized care more quickly and with fewer doctor visits, healthcare professionals have access to a much wider range of real-time data to help with diagnosis and treatment plans, and hospitals cut down on human errors and inefficiencies — saving money in the process.
At the same time, since devices like MRIs and infusion pumps are integral to the timely delivery of lifesaving care, they're a prime target for ransomware (there is often no real choice but to pay) attacks or even more nefarious sabotage scenarios. And since the systems that networked medical devices are connected to contain sensitive information that can be sold on the dark web, they’re also a target for good old fashioned hacking.
If that all weren't enough, cybersecurity for hospitals is made more difficult because of structural disadvantages and mistaken assumptions that are rampant in the industry. Unlike other critical infrastructure points, for example, hospitals don't custom order or build their own machines and instrumentation in house. Whereas a power plant may have a devoted team of engineers, hospitals rely on technology suppliers and device manufacturers. This means not only that medical centers are often less familiar with the finer details of how their technology works, but it can also contribute to a more hands-off attitude.
Unfortunately, when it comes to their critical assets, many hospital administrators think (consciously or otherwise) that they've not only outsourced production, but management too. They tend to expect/trust that the manufacturers will assume responsibility for the whole lifecycle of their devices, including cybersecurity. By and large though, they do not.
This gap in expectations — as one example among many — is often not addressed explicitly and most operations won’t even know it’s there until disaster strikes. Naturally, this opens up vulnerabilities.
Legacy infrastructure built out over many years often means a patchwork of systems, networks, and technologies that have been joined together — causing problems. Most medical equipment has a long lifetime, meaning older products have few, if any, cybersecurity features, and different assets “play by different rules.” With machines running outdated software versions and many lacking important after-market security patches all being bridged into the same network, the potential for infection is huge.
A hospital might have thousands of medical devices of different types in deployment, so without a robust and low-touch inventory management process, even if equipment is relatively new, administrators will not likely know which devices need to be updated to remediate new vulnerabilities or where those devices are situated.
More complicated still, hospitals are publicly accessible, making it supremely difficult to simply restrict access to networked devices. And even if we assume that only authorized personnel can access physical endpoints, as a 24/7 operation, there's more staff and more exhaustion at play — increasing the number and likelihood of potential failure points.
Off-the-Shelf Cybersecurity Solutions Fall Short
Medical devices often use unique communication protocols that can only be understood with specialized software and skills. Without understanding the traffic flowing to and from medical devices through your network, it is going to be profoundly difficult to secure those interactions. Problems are liable to go undetected and even if detected, you'll be hard pressed to trace them back to the source.
Putting that aside for a moment, even once you’ve managed to identify the source of a problem in your hospital network, if it originates with a medical device, you probably won't be able to "fix" it outright. Medical devices are FDA certified when released by the manufacturer. To keep that certification intact and to avoid a world of legal and liability woes, all updates, patches, servicing, and device re-configurations must be handled by the manufacturer — either remotely or via on-premise technicians. The result? Hospitals are very limited in what they can do to quickly fix device-based security problems.
This is one of the biggest reasons why hospital cybersecurity is disproportionately focused on prevention, followed by up-to-date vulnerability monitoring and patching, and finally network based containment and control mechanisms. If you drop the ball on those fronts and you happen to fall victim to an "exploit in the wild" of your network, things are likely to get a lot worse before you have any hope of making them better.
When it comes to prevention and network based containment mechanisms, LANs and VLANs are the weapon of choice. These network localization models are used to segment the network and restrict communications to relevant, legitimate parties and devices — thereby limiting risk exposure. But segmentation is applied manually or based on fixed rules that can’t be easily changed to keep pace with changes in the hospital’s technology makeup or operational use.
5 steps to address the risks
- Perform regular risk assessments to determine the risk profile of all technology in use and to help decide what controls should be implemented.
Information from industry bodies, CVEs, manufacturer disclosure statements and the independent research efforts will prove useful. The risk assessment also provides input on the organization’s wider security architecture, making sure medical device security meshes with existing security protocols and controls — thereby ensuring a holistic view is taken to monitoring and protection.
- Take advantage of purpose-specific solutions to identify, screen, and secure medical devices. Intelligent software can take inventory and find all medical devices on a network, use artificial intelligence techniques to determine the risk of a successful attack on each device and recommend mitigating actions.
With most hospitals having thousands of medical devices in use, it’s not possible to get the same visibility and insights with more basic tools.
- Don't forget the cybersecurity basics. System access should be limited to those who need it, password managers should be used to avoid easy-to-break passwords and vendor-issued software patches should be applied when they’re released. Wi-Fi networks should be encrypted as should portable data stores and hard drives on portable devices. Most importantly, robust network protection should be applied and reviewed often.
- Use training programs to make sure staff know how to spot threats and what to do when they find them. Use regular brush-up sessions to re-enforce the principles. Programs can be improved by using threat intelligence from other healthcare providers and the broader security industry such as that offered by The Health Information Sharing and Analysis Center and ECRI Institute.
- Follow the examples set by best practice role models. Take for instance, the story mentioned at the beginning of this article. An attack occurred but was effectively contained so that its impact was minimal. That's because Holy Mountain’s Heart & Vascular Center prepared a comprehensive business continuity plan.
Take lessons wherever you can and follow the lead of healthcare cybersecurity stalwarts. Automated daily backups and regular data recovery testing, automated processes, alternate accommodation & facilities and a cybersecurity incident response plan all help make sure at least basic services can continue.
So what is cybersecurity all about for hospitals? It's about extending the hospital's core mission: protect patient well-being and do no harm. If someone comes to you sick with a kidney problem, you'll be in dereliction of your Hippocratic duty to send him home with a healthy kidney but a liver you ravaged in the course of treatment. The same principle applies to cyber matters.
If a patient comes with an infection and is subjected to potentially compromised treatment or leaves with compromised ePHI, you're not providing the safe place promised by the word "hospital". From the Latin hospes, a hospital is a facility that hosts and cares for those in need. If you systematically render your patients vulnerable, you've failed right out of the gate.
As such, cybersecurity isn't an option but a necessity for hospitals. The extensive and accelerating use of interconnected medical devices means specialized tools and techniques are required, which along with basic cybersecurity hygiene, will help prevent breaches altogether.