Call it a meeting of the minds. Six of the biggest names in medical device security—Axel Wirth, chief security strategist at MedCrypt; Leon Lerman, co-founder and CEO of Cynerio; Scott Trevino, senior vice president, cybersecurity at TRIMEDX; Christopher Gates, director of product security at Velentium; Scott Nudelman, vice president of support operations and cybersecurity officer at InterMed; and Motti Sorani, chief technology officer at CyberMDX—sit down with 24×7 to discuss the recent surge of healthcare-related cyberattacks and what healthcare technology management (HTM) professionals can do to thwart them.
24×7 Magazine: Healthcare cyberattacks are rising rapidly. What do you think is behind this increase?
Axel Wirth: Hospital systems have regularly ranked as top targets for cyberattacks for a variety of reasons at various points of the value chain, due largely in part to their relatively vulnerable systems; increasing connectivity; ransomware threats; the availability of large amounts of data, making them a rich target; and remote workers and remote patients. The infrastructure and systems that support the delivery of care are often, from a software perspective, deemed to be out of date. However, since they remain clinically relevant and support ongoing clinical operations, the incentive to update software (or replace systems if they are no longer updateable) is not necessarily aligned with healthcare’s core purpose of delivering patient care.
In addition to the prevalence of out-of-date and legacy devices, the healthcare IT infrastructure is notoriously complex and includes a wide variety of device types from different vendors and with different security maturity, which makes maintaining a consistent security posture quite challenging.
Motti Sorani: Hackers are looking for targets where the [return on investment] for their time will be the greatest, and unfortunately for healthcare the ROI for hackers is very high. The first reason is the likelihood of a payout. The second major factor is that healthcare delivery organizations are dealing with multiple problems at once.
For many years, the growing need for cybersecurity was largely overlooked. Medical devices were designed without security in mind and hospitals purchased and integrated devices without implementing any proper cybersecurity. The result is that, today, healthcare is in a precarious position, working to correct their mistakes and retrofit their existing devices with advanced cybersecurity, while simultaneously having to account for the new issues arising from the rapid digitization of their networks.
Scott Trevino: Healthcare is an industry with a lot of vulnerability points—from PCs, to laptops, to tablets, to medical devices, which are increasingly being connected to hospital networks. The coronavirus pandemic has added further stress to these vulnerability points. Fatigued healthcare workers are more apt to succumb to phishing attempts. And IT teams face heightened challenges with an increasingly remote workforce. Medical devices are being deployed to different floors, different hospitals, and even makeshift treatment centers as health professionals grapple with the surge of coronavirus patients that is affecting care at every level.
Christopher Gates: The rise of connected devices over the past two decades, in traditional as well as at-home healthcare settings, was not accompanied by a commensurate concern for cybersecurity. So that has contributed mightily to an exponential increase in attack surface and exploitable vulnerabilities.
Of course, the pandemic accelerated that trend, doubling down on what we might call a ‘pre-existing condition of extreme vulnerability.’ For comparison, during the past two years have other embedded devices, such as ATMs or slot machines, seen a similar increase? No. So the real reason for the healthcare cyberattack rise is nothing new. It’s simply bad actors going after easy targets—targets that have chosen, by and large, not to invest in cybersecurity despite having numerous warnings and examples of how much is at stake.
Scott Nudelman: The healthcare industry is starting to be viewed as an easy target for cyberattacks. Many smaller facilities and rural health facilities have smaller IT/information security departments, or no IT team at all. This is compounded by the fact that most medical devices in use today were not designed with cybersecurity in mind. There are many devices still running on older operating system (OS) versions, leaving them vulnerable to attacks. Plus, OEMs are generally behind on releasing and approving patches—and sometimes do not approve them at all.
Leon Lerman: Medical records contain far more information than just health data, including personally identifiable information that is extremely lucrative for identity theft, such as patient addresses, Social Security numbers, bank account information, and more. Now, with thousands of vulnerable medical devices connected to the average healthcare network and their patients, hospitals have become a target with higher potential rewards for attackers and even more serious consequences for hospitals.
24×7: What are some key steps hospitals and other healthcare facilities should take to prioritize medical device cybersecurity, in particular?
Nudelman: Hospitals should take these five steps:
- Include the HTM department in their cybersecurity planning. After all, the HTM team has the most knowledge of the medical devices and the ability to support any mitigation efforts required to reduce vulnerability risk.
- Have a complete medical device inventory of connected/connectable devices that includes [media access control address], OS, IP address, [Dynamic Host Configuration Protocol] or Static, connection type, encryption, and other key network data.
- Deploy passive scanning software. Most IT departments already have some type of active scanning in place. However, medical devices cannot be actively scanned, leaving the risk unknown. Passive scanning listens to the network traffic and looks for anomalistic behaviors. An example can be a medical device using more network resources than normal. Passive scanning would see this and create an alert.
- Build and prioritize a risk mitigation plan. The data you receive from the passive scanning software can give each device a risk score and identify vulnerabilities. Using this data will help you prioritize your plan. As the plan is implemented, the overall risk to the facility will be lower.
- Start small and create a process for all new devices coming into the facility. During the acquisition phase, make sure the device meets your organization’s cyber policy. During the incoming inspection, make sure you collect the network data and store it in your CMMS.
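Nudelman’s steps 2 through 4 (a field-complete inventory, passive baseline monitoring that alerts when a device uses far more network resources than normal, and a risk score that orders the mitigation plan) fit together in a small amount of code. The following is an added example written for this article; it is not code from 24×7, from any of the panelists, or from any vendor’s product. The field names, the inventory records, the daily traffic totals, the 3× baseline threshold and the score weights are all constructed for illustration. The same inventory also answers the question Nudelman raises later (how many devices run Windows XP or 7) with a single query.

```python
"""Added example: connected-device inventory, passive traffic baseline check,
and a crude risk score to prioritize a mitigation plan. All records, traffic
figures, thresholds and weights below are constructed for illustration."""
from dataclasses import dataclass, field
from statistics import median
from typing import Dict, List


@dataclass
class Device:
    """Inventory fields from the interview's step 2 (attribute names are assumptions)."""
    asset_tag: str
    mac: str
    ip: str
    os: str
    addressing: str              # "DHCP" or "Static"
    connection: str              # "wired" or "wireless"
    encrypted: bool              # device traffic is encrypted in transit
    daily_mb: List[int] = field(default_factory=list)  # observed MB per day, oldest first


# Constructed inventory; MAC and IP values are made up.
INVENTORY: Dict[str, Device] = {d.asset_tag: d for d in [
    Device("INF-001", "00:11:22:33:44:01", "10.20.1.11", "Windows 7", "Static", "wired", False),
    Device("MON-002", "00:11:22:33:44:02", "10.20.1.12", "Linux 4.19", "DHCP", "wireless", True),
    Device("PMP-003", "00:11:22:33:44:03", "10.20.1.13", "Windows XP", "Static", "wired", False),
    Device("CT-004", "00:11:22:33:44:04", "10.20.1.14", "Windows 10", "Static", "wired", True),
]}

# Constructed daily traffic totals (MB) as a passive monitor would record them.
SAMPLE_TRAFFIC = {
    "INF-001": [52, 48, 50, 51, 49, 50],
    "MON-002": [120, 118, 125, 121, 119, 130],
    "PMP-003": [10, 11, 9, 10, 10, 80],        # sudden 8x jump on the last day
    "CT-004": [900, 950, 870, 910, 930, 2000],  # large jump, but under the 3x threshold
}

LEGACY_OS_PREFIXES = ("Windows XP", "Windows 7")


def load_sample_traffic(inv: Dict[str, Device]) -> None:
    """Attach the constructed traffic history to each inventory record (idempotent)."""
    for tag, days in SAMPLE_TRAFFIC.items():
        inv[tag].daily_mb = list(days)


def legacy_devices(inv: Dict[str, Device]) -> List[str]:
    """The 'how many XP/7 boxes do we have' query: assets on an unsupported OS."""
    return sorted(tag for tag, d in inv.items() if d.os.startswith(LEGACY_OS_PREFIXES))


def traffic_anomalies(inv: Dict[str, Device], ratio: float = 3.0, min_days: int = 5) -> Dict[str, float]:
    """Step 3: flag devices whose latest daily volume exceeds ratio x the median of
    their history. Devices with fewer than min_days of history are skipped so a
    brand-new device does not alert on its first day."""
    alerts = {}
    for tag, d in inv.items():
        if len(d.daily_mb) < min_days + 1:
            continue
        history, latest = d.daily_mb[:-1], d.daily_mb[-1]
        baseline = median(history)
        if baseline > 0 and latest > ratio * baseline:
            alerts[tag] = round(latest / baseline, 1)
    return alerts


def risk_score(d: Device, anomalous: bool) -> int:
    """Step 4: additive score with constructed weights (higher = fix first)."""
    score = 0
    if d.os.startswith(LEGACY_OS_PREFIXES):
        score += 40   # unpatchable OS
    if not d.encrypted:
        score += 20   # cleartext device traffic
    if d.connection == "wireless":
        score += 10   # reachable from more places
    if anomalous:
        score += 30   # currently behaving abnormally
    return score


def prioritized_plan(inv: Dict[str, Device]) -> List[str]:
    """Asset tags ordered by descending risk score; ties broken by tag."""
    alerts = traffic_anomalies(inv)
    scored = [(risk_score(d, tag in alerts), tag) for tag, d in inv.items()]
    return [tag for _, tag in sorted(scored, reverse=True)]


if __name__ == "__main__":
    load_sample_traffic(INVENTORY)
    print("legacy OS:", legacy_devices(INVENTORY))
    print("traffic alerts:", traffic_anomalies(INVENTORY))
    print("mitigation order:", prioritized_plan(INVENTORY))
```

Using a median rather than a mean for the baseline keeps a single earlier spike from inflating the threshold, and requiring a few days of history before alerting is what stops a newly onboarded device from paging someone on day one. In a real deployment the score weights would come from the organization's own risk assessment rather than the constants above.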
Gates: The simplest and most important step, which any healthcare delivery organization (HDO) could take no matter its resources, is to consider cybersecurity along two axes: First, during the device procurement process, ask for a [Manufacturer Disclosure Statement for Medical Device Security] (MDS2) and a software bill of materials, or SBOM, for the device being advertised. Is the medical device manufacturer able to provide those documents? This step alone can provide significant insight into the security culture (or lack thereof) of the device manufacturer.
Finally, HDOs must let go of the unrealistic practice of relying on the same medical device for 15 or 20 years. At the rate of innovation, there is just no way to securely maintain a system for that long. We don’t expect consumer devices, like cell phones and personal computers, to remain reliable and secure for anywhere near that long. We’ve got to stop pretending that medical devices are somehow an exception.
Lerman: There are many steps hospitals and other healthcare facilities should take to prioritize cybersecurity, and it is long past time to go beyond inventory and risk visibility. Simple detection of vulnerabilities is no longer good enough, not when there are solutions available that can address and mitigate the risks and attacks on connected medical devices. Security for these devices needs to incorporate best practices for risk identification and remediation—which includes updating software regularly; identifying, monitoring, and segmenting connected medical devices; developing an incident response plan; and increasing security education to all employees and stakeholders.
Sorani: One of the key steps that HDOs must take is adopting what’s called a ‘zero-trust’ mindset, which dictates that no device or person is considered secure, and every access or interaction needs to be verified. Applying the zero-trust model requires identifying each device, user, or resource; authenticating them to the corporate network; and granting them the minimal access they need to function, based on a trust policy defined especially for them.
When it comes to unmanaged devices, such as connected medical or IoT devices, zero-trust usually translates to implementing contextual micro-segmentation of internal networks. This requires strong identification of devices and fine-tuned allow-list policies that enable access to/from their legitimate ecosystem, excluding all other interactions. More simply, segmenting the network so that users only have access to what they need to do their jobs.
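The contextual micro-segmentation Sorani describes (strong identification of each device, then an allow-list that permits only its legitimate ecosystem and denies everything else by default) can be expressed as a small policy evaluator. The block below is an added example written for this article, not code from CyberMDX, from any panelist, or from any product. The device classes, the IP-to-device mapping, the allowed peer networks and ports, and the sample flows are all constructed; in practice the identity mapping would come from the inventory and the verdicts would be enforced by the switch, firewall or NAC, not by a Python script.

```python
"""Added example: default-deny allow-list policy for unmanaged medical devices.
Every device identity, peer network, port and flow here is constructed."""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Tuple


class Flow(NamedTuple):
    src: str     # source IP
    dst: str     # destination IP
    port: int    # destination port
    proto: str   # "tcp" or "udp"


class Rule(NamedTuple):
    direction: str   # "out": device -> peer, "in": peer -> device
    peer_net: str    # CIDR the peer must belong to
    port: int
    proto: str


# Identification step: which IPs are known medical devices and of what class (constructed).
DEVICE_CLASS_OF_IP = {"10.20.1.11": "infusion_pump", "10.20.1.14": "ct_scanner"}

# Allow-list per device class: only the legitimate ecosystem is listed (constructed).
POLICY = {
    "infusion_pump": [
        Rule("out", "10.20.5.0/24", 443, "tcp"),   # pump management server
        Rule("out", "10.20.0.53/32", 53, "udp"),   # internal DNS
        Rule("in", "10.20.9.0/24", 22, "tcp"),     # biomed maintenance jump hosts
    ],
    "ct_scanner": [
        Rule("out", "10.20.7.0/24", 104, "tcp"),   # DICOM to PACS
        Rule("out", "10.20.0.53/32", 53, "udp"),
        Rule("in", "10.20.7.0/24", 104, "tcp"),    # PACS query/retrieve back to the scanner
    ],
}


def _matches(rule: Rule, peer_ip: str, port: int, proto: str) -> bool:
    return (ip_address(peer_ip) in ip_network(rule.peer_net)
            and rule.port == port and rule.proto == proto)


def decide(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, reason). Flows touching no managed device are out of scope;
    anything involving a device that no rule explicitly permits is denied."""
    src_cls = DEVICE_CLASS_OF_IP.get(flow.src)
    dst_cls = DEVICE_CLASS_OF_IP.get(flow.dst)
    if src_cls is None and dst_cls is None:
        return "ignore", "no managed device involved"
    if src_cls:
        for r in POLICY.get(src_cls, []):
            if r.direction == "out" and _matches(r, flow.dst, flow.port, flow.proto):
                return "allow", f"{src_cls} egress rule {r.peer_net}:{r.port}/{r.proto}"
    if dst_cls:
        for r in POLICY.get(dst_cls, []):
            if r.direction == "in" and _matches(r, flow.src, flow.port, flow.proto):
                return "allow", f"{dst_cls} ingress rule {r.peer_net}:{r.port}/{r.proto}"
    return "deny", "no allow-list entry (default deny)"


def denied(flows: List[Flow]) -> List[Flow]:
    return [f for f in flows if decide(f)[0] == "deny"]


# Constructed sample flows as a passive monitor might report them.
SAMPLE_FLOWS = [
    Flow("10.20.1.11", "10.20.5.20", 443, "tcp"),    # pump -> its server: allow
    Flow("10.20.1.11", "10.20.0.53", 53, "udp"),     # pump -> DNS: allow
    Flow("10.20.1.11", "203.0.113.7", 443, "tcp"),   # pump -> internet host: deny
    Flow("10.20.30.8", "10.20.1.11", 445, "tcp"),    # workstation -> pump SMB: deny
    Flow("10.20.9.4", "10.20.1.11", 22, "tcp"),      # jump host -> pump SSH: allow
    Flow("10.20.1.14", "10.20.7.10", 104, "tcp"),    # scanner -> PACS: allow
    Flow("10.20.1.14", "10.20.1.11", 443, "tcp"),    # scanner -> pump: deny
    Flow("10.20.30.8", "10.20.30.9", 80, "tcp"),     # two workstations: out of scope
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f, *decide(f))
```

The point the sample flows make is that the policy is written around what each device class is supposed to talk to, so a lateral connection from an ordinary workstation to a pump, or from one device to an unrelated device, is denied without anyone having to anticipate it. The verdicts are also the right thing to log: a steady stream of denies for one device is a useful signal for the monitoring tools discussed later in the interview.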
Trevino: Health systems also need to get on the same page as far as who has responsibility for what. As medical devices increasingly became connected to the internet, oversight became a bit of a gray area. Is it the clinical engineering team’s responsibility? The IT team’s responsibility? A third-party? Those lines of responsibility need to be mapped out so that they are well-known and clearly understood.
Wirth: Hospitals are in a unique position of having to consume technical security debt from devices/systems but have limited technical means to manage this risk. With tech, there will always be unknowns and there will always be weaknesses. The best systems are those which do not rely on the user as the detection, and more importantly in patient care, the efficacy of a device.
I strongly believe that healthcare systems must be intentional in choosing to connect devices/systems in their infrastructure and, where possible, prioritize security as a decision-criteria for implementing a system. This burden does not need to be managed by them in isolation, but instead should be validated through regulatory transparency with regards to the assessment of cybersecurity posture for devices under review and already operating in the field.
24×7: What are some of the biggest mistakes HDOs make when it comes to medical device cybersecurity?
Sorani: No cybersecurity training for staff, limited visibility into connected device inventory, and delayed or deferred patching of medical devices.
Gates: The single biggest and most common mistake is ignoring cybersecurity, thinking that an attack won’t happen to them. Several studies found that HDOs are totally unprepared for attacks. And 76% failed to secure their supply chains. Whenever I hear about some “victim” to yet another ransomware infection, all I can think about is the level of organizational denial—almost always the organization’s top decision-makers [unknowingly helped to] get the organization into that situation.
Wirth: Key mistakes include:
- Not including cybersecurity in purchasing decisions for new devices.
- Not including technical and procedural security requirements in vendor contracts.
- Having incomplete visibility of network-connected assets.
- Not including medical devices in the enterprise security risk assessment.
- Failing to implement improvements based on the risk assessment outcomes.
- Specifically, failing to identify legacy devices and failing to mitigate their unique security risks through external security measures or replacement.
Trevino: The biggest mistake is thinking cybersecurity for medical devices is akin to cybersecurity for other devices like laptops or tablets. Medical device updates aren’t pushed out without formal risk assessment and validation of the remediation by the OEM—and sometimes the OEM no longer supports the device. Clinical engineering teams sometimes have to find compensating controls when a patch or other remediation is not available—for instance, blocking access to an IP port.
Nudelman: The single biggest mistake that medical facilities make is doing nothing. After all, the cost of implementing a good cyber program is lower than dealing with a breach. Most people think the cost of a breach is what is paid in ransomware or even the remediation after a breach. What’s overlooked? The time the facility cannot function, as well as the resources needed to get back online.
Lerman: Given the increase in ransomware and cyber threats targeting the healthcare industry, hospitals and health systems must have a strong response strategy in place in the event of a cyberattack. A hospital should be able to continue operations even in the event of an attack with incident response procedures, including quarantining and segmenting infected devices. It should never be an option to cut off access to medical records or devices providing critical care to patients.
24×7: What are some new technologies that can help healthcare entities promote medical device cybersecurity?
Trevino: Factors such as 100% inventory visibility, asset service status, asset utilization, and real-time cybersecurity monitoring combined provide the foundation of a cybersecurity solution. But some advanced features can elevate your cybersecurity awareness and lifecycle decision-making, such as real-time cybersecurity risk scores based on the medical device profile, device behavior, and the potential impact to patient safety. Other benchmark indicators on whether to replace, reallocate, upgrade, or dispose of a device based on its utilization, age, condition, repair history, and other factors are also helpful.
Gates: I could talk about technical solutions such as hardware root of trust, memory partitioning of applications, TrustZone, etc. And these are all good and necessary. But, unless the HDO places a premium on cybersecurity, we are ‘rearranging deck chairs on the Titanic,’ as the saying goes. Some vendors will make outsized claims—“Buy our product/service and you will be secure!”—but often the truth is that even in the best-case scenarios, they are selling just one or two pieces of the overall puzzle. Security is hard work. It requires all parties involved making changes.
Lerman: Zero-trust architecture provides a great framework for thinking about what will truly create an effective security strategy for medical devices. Through a zero-trust approach, hospitals can reduce the risk of ransomware by blocking unnecessary device communications, segmenting the network, hardening services running on connected devices, and quarantining infected devices.
Finally, with the proliferation of IoT and connected operational technology devices in hospitals, asset management, which is the process of creating an inventory of the devices connected to a network, is also crucial for hospitals. An asset management solution helps healthcare organizations account for all the devices on the network and can help identify risks that can leave hospitals vulnerable to attacks.
Sorani: According to CyberMDX’s research, hospitals lose track of up to 30% of their devices at any given time. Additionally, the number of connected IoT devices in medical networks is ballooning rapidly and keeping track of all these connected devices is not a job that should be performed manually. If you don’t know exactly how many devices you have and where they are, this should be the first step.
Implementing a tool that can scan your network and create an accurate inventory of all your connected devices should be the top priority. After the inventory is established, security teams can start layering and implementing more advanced security protocols to shore up their security, but it all starts with visibility. Without this most fundamental step, all the advanced security will be less effective as many devices will be unaccounted for and totally unprotected.
Nudelman: Although passive scanning has been around for a few years now, today’s technology is more advanced and detailed. Passive scanning companies not only help with alerts when there is anomalistic behavior, they also provide you with a total picture of all your IoT and IoMT devices. They systemically can give your team all the network-specific data for your CMMS. Plus, most of the passive software companies already integrate into most of the common CMMS platforms.
Wirth: The most important aspect is to start purchasing more secure devices and holding manufacturers accountable for delivering and maintaining security. From a technology perspective, there is, unfortunately, no silver bullet (is there ever?). We already mentioned common security practices, such as zero-trust, that can help; so can good “cyber hygiene.”
But realistically, it will take many years if not a decade until we have turned over an inventory of today’s relatively insecure devices with more secure ones that improve our ability to monitor and maintain their security posture. In the meantime, so-called Passive Network Monitoring tools specific to the medical device environment have entered the market over the past few years. These tools combine features consisting of asset discovery, risk assessment, and anomaly detection and thus can not only improve an organization’s security posture but also its security management capabilities.
24×7: Why should hospitals invest in cybersecurity training for HTM professionals?
Lerman: Medical devices are often the least protected devices in a hospital, and it is the biomed staff that works with those devices every day. IT security staff doesn’t necessarily understand how to best protect those devices or know how they work, which means that biomed staff needs to take a more proactive role in securing those devices. It is going to require collaboration from both sides to get security for these devices where it needs to be. In many cases, non-security personnel can be empowered to carry more of these security tasks out with the right training.
Trevino: The No. 1 reason is because so much healthcare technology will be network-connected, whether it’s a new device or an older device that was never intended to be connected now going online. Cloud-based services also will play an ever-expanding role in the administration and delivery of healthcare. And look at what’s ahead: What role the metaverse will play in healthcare is uncertain, but what is certain is that it too will be network-connected. Amid this environment of growing connectivity will be an increase in the number of cyberattacks, the number of vulnerabilities, and the sophistication of attackers.
Sorani: HTM professionals play a major role in the selection and management of health technologies that improve clinical outcomes. If cybersecurity awareness for HTM professionals is lacking, then devices that present higher cybersecurity risk could potentially be onboarded to the hospital network—and mitigating that risk becomes a significant challenge for the security teams. Hospitals are now starting to realize that if HTM professionals have strong cybersecurity awareness, the potential risk is mitigated upfront, thus reducing the likelihood of a breach.
Gates: The alternative to investing in cybersecurity training is continuing to experience attacks, with all that they entail—associated downtime, loss of revenue (including ransomware fees), and delay of treatment, thus causing harm to patients up to and including loss of life. It’s that simple.
Nudelman: More and more medical devices are connected or connectable, which is why HTM professionals are being asked to participate more in cyber- and IT-related issues. Our profession is changing, and we need to be a driver in the change.
The worst time to learn about cybersecurity is when your facility is under attack. You do not need to know all the details a cybersecurity expert knows, but you should be able to understand what your role will be in mitigation/remediation activities. Trained HTM professionals will help us understand what to look for through the entire lifecycle of a device—from equipment acquisition (MDS2 forms, connections, cyber) to the decommissioning of a device (Is there protected health information?).
Wirth: I want to make it clear that I believe user training has a place and purpose. We cannot let our people proceed in a connected world without guidance and support. However, if I can’t train an algorithm to identify a potentially malicious email, is it really fair for me to expect an employee to be able to detect that malicious email?
The reliance on technology will never go away—it has improved diagnostic capabilities; given us new treatment options; and reduced time, effort, and risk for patients. Therefore, we must make the security component of this process a positive experience for the user and/or patient, as that can mean the difference between the success or failure of a cybercriminal. More training is not the answer.
24×7: From a medical device cybersecurity perspective, what else do you want HTM professionals to know?
Gates: Include cybersecurity in your purchasing process. Buy products only from the manufacturers who prioritize cybersecurity. Insist upon MDS2s and SBOMs from MDMs. If HDOs direct their purchasing dollars toward the manufacturers that create secure medical devices, within a few years this will no longer be an issue. However, if they continue to buy the cheapest unsecured medical equipment available, they’ll continue to pay a lot more than they bargained for in the long run.
Lerman: Medical and IoT devices are arguably the weakest link for the healthcare industry in today’s current environment. This is due to many factors—including the wide variety of devices, outdated and unpatchable operating systems and firmware, the inability to be disconnected from patients and IT network infrastructures, differentiations from standard IT solutions making them unable to be secured, and the fact that connected medical devices are often developed without cybersecurity in mind. Because of these challenges, it’s even more reason for hospitals and medical facilities to take the time to invest in cybersecurity solutions and properly train staff to best protect their devices—and better protect their patients. It could make the difference between a ransomware attack that falls flat and one that cripples a hospital completely.
Wirth: Educate yourself on matters relating to cybersecurity, as appropriate for your role; practice good cyber hygiene; don’t shy away from challenging vendors; and build cybersecurity-specific relationships within your organization but also across the industry.
Nudelman: Now is the time to get involved. As an HTM professional, make sure you are working with your IT/IS teams. Ask questions to ensure that medical devices are included in the facility’s plans. Take the time to ensure that you have all the data needed. If an attack like WannaCry were to happen today, would you be able to provide the number of devices at your facility that use Windows XP or 7 with a click of a button? Remember: Cybersecurity is not someone else’s job—it’s everyone’s.
Sorani: Yes, cybersecurity is the responsibility of every single hospital employee, and HTM professionals play a critical role in ensuring that cybersecurity risk is minimized by developing and implementing an effective medical device security risk management program in collaboration with their security teams.
Trevino: With cyberthreats growing exponentially, many health systems are now using a security operations center, or SOC, for their cybersecurity needs. Staffed 24×7 by a team of experts, these centers use sophisticated technology to monitor, assess, analyze, and respond to cybersecurity threats. But in a healthcare setting, SOCs don’t return full value without working in tandem with a clinical engineering services provider. CE providers can profile devices and their behavior on the health system’s network and manage their unique maintenance and update needs. This one-two punch really helps protect medical devices and patients.
Most HTM programs don’t have a cyber program that is strictly HTM but coattail off the IT/IS department’s. This details what you are doing and, if something happens, how you will deal with it. It lays out your processes and procedures. One of the major issues is that the CMMS database doesn’t have “cyber” fields in it, or the fields they do have are unpopulated or have bad information. If you don’t have the operating system in your database and a notice comes out, you waste time running around to see what is affected. If you don’t have a PHI risk assessment, you don’t know what the level of risk is for PHI as well as the clinical risk. These are things you can do without an IoT.