Cybersecurity within the Healthcare Environment
- Michael Hall
- Mar 5
Working for a Health System and then alongside design firms has brought to my attention the need to address cybersecurity and risk assessments during the design phase. There are many opportunities, before the doors open, to secure the systems that support life, infrastructure, and personal and financial data. The first step of the technology planning design process is the technology assessment phase. During this part of the project, it is important to obtain the vendor standards and to learn who supports the medical equipment, software, hardware (servers, routers, switches, wireless infrastructure, etc.), and the facility infrastructure. How well a vendor supports a robust cybersecurity program should be one of the factors in the vendor selection process. Whether a vendor provides regular software updates and patches free of charge, whether the system is Microsoft or Linux based, how system administration is supported, and what costs are associated with these services should all be considered. Vendors will offer SMAs (Software Maintenance Agreements), which are expensive, secure only the system itself, and do not consider other factors. Failing to vet a vendor's security offerings can leave a healthcare system with increased operational costs and reduced revenue due to support agreements and downtime.
Infrastructure
I define infrastructure as the services that are necessary to support the medical and IT systems. These services include electricity, water, gases, heating/cooling, steam, and building automation. Without these services the subsystems would fail to operate efficiently or at all. Many of these systems rely on the IT infrastructure to operate; building automation is one example. One real-world example that I experienced was a building automation device failure. This device regulated the humidity of the procedure room through a damper. The failure caused an increase in humidity within the procedure room; when I arrived the walls were literally dripping with moisture. The downstream effect was a shutdown of the imaging system, a bi-plane, and a stop to clinical services. This bi-plane has humidity sensors that shut down the equipment to protect it when a particular humidity level is reached. This failure was not caused by a cybersecurity infiltration, but it serves as an example of what could happen if a threat actor had access to the building automation application. Many of these systems are IP-based, meaning the control devices have an IP and MAC address and are located either on the hospital backbone, on the wireless network, or within a private network. Imagine if this happened on a larger scale: literally an entire facility could be shut down, lives endangered, and revenue lost, all through an intruder having access to the building automation system. Protection of the infrastructure should be a health system's top safety concern.
Medical Equipment and Information Systems
Medical equipment can be defined as any system that supports life, provides clinical decisions, and/or provides treatment. Many times the lines are blurred between what is considered a medical device and what is considered an information system. Medical devices may be treated as an IT system if the health system follows the vendor-recommended methods to secure the device. Health Systems may go beyond the recommendations provided by the vendor if doing so does not clinically change the way a device operates and does not interrupt the clinical process. Clinical systems range in sophistication, but most can be accessed by internal or external threats. There are multiple ways to penetrate medical and IT systems, including access through their wireless and wired capabilities, Bluetooth, RS-232, and USB ports. Many systems are used within the patient care environment or reside on the wireless network. These wireless devices are associated with an SSID or Wi-Fi name, which can be easily viewed, and access can be obtained by anyone within the facility with the correct credentials. Providing a robust Risk Assessment program, one that defines the risks associated with a system, provides remediation to resolve those risks, and formally accepts the remaining risks, is key to preventing a penetration of the medical device and IT systems. It is also imperative that a Business Continuity Plan and a Disaster Recovery Plan are created. A Business Continuity Plan (BCP) outlines how clinical or non-clinical services will be maintained during downtime. A Disaster Recovery Plan (DRP) describes the steps to recover a system that is non-operational.
Steps to secure the medical devices can vary from health system to health system but some areas to include:
• Perform a risk assessment on the system prior to vendor final selections and identify internal and external threats
• Outline the security policies based on Risk assessment, vendor recommendations, regulatory, and health system requirements
• Place the system on a private network and use UTMs (Unified Threat Management appliances) or other methods that secure any access that is necessary from outside this network
• Manage the UTM and only allow services and ports necessary for clinical use
• Assign a system administrator who will manage system security and access; this system administrator should understand the entire flow of data from the patient to the EMR
• Provide limited access to users based on needs and audit regularly
• Block any USB ports not needed
• Turn off wireless capabilities including Bluetooth if available
• Require vendor credentialing and monitor vendor access to systems
• Document system information and changes
• Create a Business Continuity Plan and a Disaster Recovery Plan
• Patch and update software on a regular basis but make sure the downtime does not affect the clinicians
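As an added example (not code from the original post) of the "only allow services and ports necessary for clinical use" step, this Python audit checks flow records from an isolated device network against a clinical-use allowlist and flags anything else for review. The device subnet, the PACS and EMR interface addresses, the DICOM and HL7 ports, and the log line format are all assumptions; the log lines are constructed.

```python
"""Audit flow records from a private medical-device network against a
clinical-use allowlist (UTM policy check). All addresses, ports and the
log format are assumptions made for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed: the device VLAN and the only destinations clinical workflows need
# (DICOM to the PACS, HL7 over MLLP to the EMR interface engine).
DEVICE_NET = ip_network("10.50.0.0/24")
ALLOWLIST = {
    ("10.10.1.20", 104, "tcp"),    # PACS, DICOM
    ("10.10.1.30", 2575, "tcp"),   # EMR interface engine, HL7 MLLP
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str

def parse_flow(line):
    """Parse an assumed 'src=.. dst=.. dport=.. proto=..' flow record."""
    f = dict(kv.split("=", 1) for kv in line.split())
    return Flow(f["src"], f["dst"], int(f["dport"]), f["proto"].lower())

def classify(flow):
    """Label a flow as allowed, device-to-device lateral, or unexpected egress."""
    if ip_address(flow.src) not in DEVICE_NET:
        return "not-device-traffic"
    if (flow.dst, flow.dport, flow.proto) in ALLOWLIST:
        return "allowed"
    if ip_address(flow.dst) in DEVICE_NET:
        return "internal-lateral"   # device-to-device: rarely clinically needed
    return "blocked-egress"         # anything leaving the VLAN off-allowlist

def audit(lines):
    """Group every non-allowed device flow by its classification for review."""
    findings = {}
    for line in lines:
        flow = parse_flow(line)
        verdict = classify(flow)
        if verdict not in ("allowed", "not-device-traffic"):
            findings.setdefault(verdict, []).append(flow)
    return findings

SAMPLE_LOG = [  # constructed sample records
    "src=10.50.0.15 dst=10.10.1.20 dport=104 proto=tcp",    # DICOM to PACS
    "src=10.50.0.15 dst=10.10.1.30 dport=2575 proto=tcp",   # HL7 to EMR
    "src=10.50.0.15 dst=203.0.113.9 dport=443 proto=tcp",   # outbound to Internet
    "src=10.50.0.15 dst=10.50.0.22 dport=445 proto=tcp",    # SMB to another device
    "src=10.10.1.30 dst=10.50.0.15 dport=2575 proto=tcp",   # inbound, not from VLAN
]

if __name__ == "__main__":
    for verdict, flows in audit(SAMPLE_LOG).items():
        print(verdict, [f"{f.src}->{f.dst}:{f.dport}" for f in flows])
```

In practice the allowlist is derived from the documented patient-to-EMR data flow the system administrator owns, and the audit runs over the UTM's exported flow log rather than the constructed sample.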