Cybersecurity has become one of the most significant financial and reputational risks for an organization. Examples of the ever-increasing cybersecurity threats include:
More than 22 government entities in Texas, Florida, Maryland and Georgia faced ransomware recently
Louisiana declared a state of emergency after ransomware hit many schools
HHS/OCR received notification of 351 data breaches in 2018 exposing 13,020,821 healthcare records
Almost 120 million new malwares are discovered each year
Clearly, the probability of becoming a victim of a cyber-incident is very high nowadays. In healthcare, an organization faces up to $400 per record in costs to manage the situation once a breach is uncovered. In fact, the average penalty imposed on healthcare providers by the OCR has been about $2.4 million over the last 3 years.
Many organizations tend to assign cybersecurity responsibilities to a department of specialist professionals, and it is tempting to focus the majority of security efforts on technology alone. This tendency is reinforced by the universe of cybersecurity suppliers advocating technical products such as artificial intelligence-based intrusion detection. While these products are essential tools for basic security, they cannot substitute for a holistic approach to cybersecurity that includes robust cybersecurity tools, strong governance, and broad organizational engagement. The following examples should help make the case.
A potential breach caused by workarounds due to medical device security risks
The Veterans Affairs Office of Inspector General (OIG) found medical device security risks at a California VA Medical Center that caused a potential data breach impacting 133 patients. Here is how the chain of events took place, as reported in various publications:
Many of the medical devices operate on the Windows XP operating system (OS). Microsoft has stopped supporting Windows XP, leaving these medical devices vulnerable to cyber-attacks. Consequently, the VA medical center decided to update the High-Resolution Esophageal Manometry (HRM) medical device computers from Windows XP to Windows 7.3. The update caused the HRM-to-EHR interfaces to stop working. The biomed and IT staff did not address the software interface issues after the OS update.
Medical devices are core to hospital operations; hence, they fall into the operational technology (OT) category. Unavailability of such OT devices disrupts clinical workflows, leading to inefficiencies or potential patient safety concerns. So, the GI provider at the medical center developed a workaround using unencrypted flash drives, storage devices, laptops, and personal e-mails to transfer patient information from the facility HRM to the EHR. The provider’s communication using personal e-mails and text messages included sensitive patient data.
Additionally, the entire episode lacked communication and coordination among biomed, IT, clinicians and risk/privacy/compliance groups.
Medical device (i.e. OT) cybersecurity requires special considerations. In this case, updating from Windows XP to 7.3 impacted the functionality of the system, with clinical implications.
Medical device (i.e. OT) cybersecurity requires cross-functional engagement with members from IT, Cybersecurity, Asset Management, Clinicians, and Risk/Compliance Management groups.
Medical device (i.e. OT) cybersecurity policy documents can serve as a guiding framework for both governance and training.
OT cybersecurity is more effective via a holistic, risk-based approach that incorporates practices at the device, network, process, policy and training, and organizational culture levels, which requires appropriate leadership engagement.
A ransomware incident involving a CT scanner due to an operational miss
In a suburban hospital, a CT scanner console wasn’t password protected. Consequently, a janitorial crew member was able to occasionally check her e-mails using this internet-connected console. She became the victim of a phishing attack while checking her e-mails on this console. The attack locked down the CT system with a demand for a $600 ransom. In an effort to contain the risk of proliferation, the CT was brought down for about 3 days, costing the hospital at least $18,000. Had the malware proliferated beyond this device to the broader enterprise network, the incident would have been both more disruptive and more expensive.
Clearly, OT devices are subject to many operational vulnerabilities (e.g. an expired password in this case) that need to be monitored. Certain security-related decisions also impact operational workflows. For example, access control becomes difficult to implement when multiple stakeholders need access to a device at different times for patient care. Hence, broad cross-functional engagement is essential for effective cybersecurity of OT.
Consider the following questions when developing a robust OT cybersecurity strategy:
Would my cybersecurity strategy work under a variety of risk scenarios?
Does my strategy provide full visibility into all potential cyber-related risks? What risks are implicitly accepted by being excluded from scope?
Does my strategy include the right governance and supporting processes, along with the right enabling technology?
Do I have top executive leaders engaged in the governance, resource allocation, and decision making over cybersecurity efforts?
A MediTechSafe leader is available to discuss various approaches and to recommend a cost-effective and efficient solution. This could be helpful if you are in the midst of developing your OT cybersecurity strategy.
MediTechSafe has developed a proprietary solution to help healthcare providers manage risks related to cybersecurity, medical devices, and clinical networks, considering both IT and Operations Technology (OT) needs. If you are a healthcare provider (or a biomed services provider) interested in learning more about MediTechSafe’s solution, you can reach us at firstname.lastname@example.org.