Cybersecurity has become one of the most significant financial and reputational risks for an organization. Examples of the ever-increasing cybersecurity threats include:
- More than 22 government entities in Texas, Florida, Maryland and Georgia faced recent ransomware attacks
- Louisiana declared a state of emergency after ransomware hit many schools
- Health & Human Services (HHS) and Office for Civil Rights (OCR) received notification of 351 data breaches in 2018 exposing 13,020,821 healthcare records
- Almost 120 million new malwares are discovered each year.
The probability of becoming victim of a cyber incident is very high nowadays. In healthcare, an organization faces up to $400 per record of cost in managing the situation once a breach is uncovered. In fact, the average penalty to the healthcare providers has been about $2.4 million by the OCR over last 3 years.
Many organizations tend to assign cybersecurity responsibilities to a department of specialist professionals and it is tempting to focus the majority of security efforts on technology alone. This is supported by the universe of cybersecurity suppliers advocating technical products such as artificial intelligence-based intrusion detection. While these products are essential tools for basic security, they cannot serve as substitutes for a holistic approach to cybersecurity that includes robust cybersecurity tools, strong governance, and broad organizational engagement. The following examples should help make the case.
A potential breach caused by workarounds due to medical device security risks
The Veterans Affairs Office of Inspector General (OIG) found medical device security risks at California VA Medical Center causing potential data breach impacting 133 patients. Here is how the chain of events took place:
Many of the medical devices operate on a Microsoft Windows XP operating system (OS). Microsoft has stopped supporting Windows XP, making these medical devices vulnerable to cyber-attacks. Consequently, the VA medical center decided to update the high-resolution esophageal manometry (HRM) medical device computers from Windows XP to Windows 7.3. The update caused the HRM-to-EHR interfaces to stop working. The biomed and IT staff did not address the software interface issues post the OS update.
Medical devices are key to hospital operations, making them part of the operational technology (OT) category. Unavailable OT devices is disruptive to the clinical workflows leading to inefficiencies or potential patient safety concerns. So, the GI provider at the medical center developed a workaround using non-encrypted flash drives, storage devices, laptops, and personal e-mails to transfer patient information from the facility HRM to the EHR. The provider’s communication using personal e-mails and text messages included sensitive patient data.
Additionally, the entire episode lacked communication and coordination among biomed, IT, clinicians and risk/privacy/compliance groups.
Key lessons include:
- Medical device (i.e. OT) cybersecurity requires special considerations. In this case, updating from Windows XP to 7.3 impacted functionality of the system with clinical implications.
- Medical device (i.e. OT) cybersecurity requires cross-functional engagement with members from IT, Cybersecurity, Asset Management, Clinicians, and Risk/Compliance Management groups.
- Medical device (i.e. OT) cybersecurity policy documents can serve as a guiding framework for both governance and training.
- OT cybersecurity is more effective via a holistic risk-based approach that incorporates practices at device, network, processes, policies and training, and organizational culture levels requiring appropriate leadership engagement.
A ransomware involving a CT scanner due to an operational miss
In a suburban hospital, a CT scanner console wasn’t password-protected. Consequently, a janitorial crew member was able to occasionally check their emails using this internet-connected console and became a victim of a phishing attack while checking e-mails on this console. The attack locked down the CT system with a demand for $600 of ransom. In an effort to contain proliferation risk, the CT was brought down for about 3 days costing the hospital at least $18,000. If the malware proliferated beyond this device to the broader enterprise network, it would have been both more disruptive and expensive.
Four questions for developing an OT cybersecurity strategy
OT devices are be subject to many operational vulnerabilities – e.g. expired password in this case — that need to be monitored. Certain security-related decisions also impact operational workflows. For example, access control becomes difficult to implement when multiple stakeholders need to have access to a device at different times for patient care. Hence, broad cross-functional engagement is essential for effective cybersecurity of OT.
Consider the following questions when developing a robust OT cybersecurity strategy:
- Would my cybersecurity strategy work under a variety of risk scenarios?
- Does my strategy provide full visibility to all potential cyber-related risks? What risks are implicitly assumed by exclusion in scope?
- Does my strategy include the right governance and supporting processes, along with the right enabling technology?
- Do I have top executive leaders engaged in the governance, resource allocation, and decision making over cybersecurity efforts?
– This article originally appeared at MediTechSafe’s Knowledge Center. MediTechSafe is a CFE Media content partner. Edited by Chris Vavra, web content manager, Control Engineering, CFE Media and Technology, firstname.lastname@example.org.