Legacy devices and the lack of an accurate, current inventory of connected devices account for some of the most common medical device cybersecurity gaps. Healthcare organizations cannot afford an attack that compromises connected devices: beyond exposing patient data, it can create genuine patient safety issues.
Chris Reffkin, senior manager and leader of information security services in the Crowe Horwath LLP Technology Risk Consulting group recently told HealthITSecurity.com about how cybersecurity gaps begin, and what entities can do to overcome them.
The WannaCry ransomware attack, and other recent malware and ransomware attacks, highlight some of the fundamental gaps in healthcare cybersecurity, Reffkin explained. Organizations have struggled to maintain accurate inventories of their connected devices and to understand what needs to be patched, or what needs to be rebooted, in a given scenario.
For example, Microsoft released the patch for the vulnerability WannaCry exploited in March 2017, roughly two months before the ransomware's first reported outbreak in May 2017.
Attacks of this kind can largely be prevented by getting the fundamentals right, such as patch management and inventory awareness, Reffkin stressed.
“Organizations should be able to have the conversation of, ‘We have these systems out there, they're vulnerable, we need to patch them,’” he said. “Three months should be a sufficient amount of time to patch just in anticipation of a potential vulnerability that was called out from Microsoft.”
With medical device cybersecurity, entities need to home in on what they actually have in their inventory.
“Organizations don't know what's really plugged into their network,” Reffkin explained. “If you go to any health system and you ask them for an inventory of the medical devices, they'll likely be able to identify some, but from a reliability or authoritative standpoint, there are, more often than not, gaps there in understanding what the exposure is.”
Anything from an MRI machine used daily to an infusion pump used hourly could immediately affect patient safety if compromised, he cautioned.
“There are a lot of variables that go into understanding and simply knowing what's out there from a medical device standpoint, and that was a gap that was clearly seen in the industry,” Reffkin said.
It can be difficult for healthcare organizations to remain innovative while also maintaining patient data security. A billion-dollar stadium could be built on the side of a hill, Reffkin suggested. But if the time, money, research, and testing needed to develop a strong foundation were not invested, there is no guarantee that the foundation will not slide down the side of that hill.
“I don't like when people say security is a barrier,” he said. “It comes back to broad IT governance. And a lot of the things that we're talking about are part of IT 101, and Security 101 on managing a mature organization.”
“Being able to do that is going to enable an organization to be more agile in responding to innovative requests from researchers or clinicians or the university tied to a particular health system.”
When entities are able to do that, they become enablers and supporters of innovation rather than one more challenge or barrier to it. Requests are often turned down because the technology, or securing it properly, is seen as cost-prohibitive or too resource-intensive.
How training, enterprise-wide education help maintain security
Understanding the intersection of technology and patient care, especially with regard to IoT and IoMT (Internet of Medical Things) devices, is crucial for healthcare, Reffkin said.
“Entities need to know what must be done to protect their data, what their concerns about protection may be, and what their perceived risks for the organization are as well,” he stated. “Not all devices are created equal. Devices must be prioritized based upon patient safety risk and other like factors. This will help organizations get a degree, or a spectrum, of risk-ranked device asset management for all medical devices or related devices that fall under that broader bucket that were identified.”
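The two gaps described above, an inventory that does not match what is actually on the network, and a device list with no risk ranking, can both be checked with a small reconciliation script. The following is an added example, not code from the article or from Crowe Horwath: it compares a (constructed) authoritative device inventory against a (constructed) DHCP lease export, flags devices past a 90-day patch SLA (the "three months" Reffkin cites, used here as an assumed SLA), and ranks devices by patient-safety tier, exposure and patch age. The device names, MAC addresses, dates, tiers and scoring weights are all assumptions for illustration.

```python
"""Reconcile a medical-device inventory against observed network hosts, flag
patch-SLA breaches and rank the devices by risk.

Added example. The inventory, DHCP lease lines, dates and weights below are
constructed for illustration and are not from the article.
"""
from dataclasses import dataclass
from datetime import date

PATCH_SLA_DAYS = 90                 # assumed SLA: "three months" from the article
AUDIT_DATE = date(2017, 5, 12)      # constructed "today" for the audit run


@dataclass
class Device:
    mac: str
    name: str
    device_type: str
    owner: str            # who is accountable for this device's security
    safety_tier: int      # 1 = direct patient-care impact ... 3 = administrative
    internet_exposed: bool
    last_patched: date


# Constructed authoritative inventory (what the asset register claims exists).
INVENTORY = [
    Device("00:11:22:aa:bb:01", "infusion-pump-7", "infusion pump", "biomed", 1, False, date(2017, 1, 10)),
    Device("00:11:22:aa:bb:02", "mri-suite-2", "MRI", "radiology", 1, True, date(2017, 4, 20)),
    Device("00:11:22:aa:bb:03", "lab-analyzer-1", "lab analyzer", "pathology", 2, False, date(2017, 5, 1)),
    Device("00:11:22:aa:bb:04", "pharmacy-kiosk", "kiosk", "pharmacy", 3, False, date(2016, 11, 3)),
]

# Constructed DHCP lease export, one "<mac> <ip> <hostname>" per line.
DHCP_LEASES = """\
00:11:22:aa:bb:01 10.20.1.15 infusion-pump-7
00:11:22:aa:bb:02 10.20.1.16 mri-suite-2
00:11:22:aa:bb:04 10.20.1.40 pharmacy-kiosk
00:11:22:aa:bb:99 10.20.1.77 patient-monitor-x
"""


def parse_leases(text):
    """Map lower-cased MAC -> (ip, hostname) for every well-formed lease line."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            seen[parts[0].lower()] = (parts[1], parts[2])
    return seen


def reconcile(inventory, leases):
    """Return (MACs seen on the network but not in inventory,
               inventory device names not seen on the network).

    An unknown MAC has no owner and no patch history: it is exactly the gap
    Reffkin describes. A missing device may simply be powered off, but it may
    also sit on an unmanaged segment, so it is worth a follow-up too."""
    known = {d.mac.lower(): d for d in inventory}
    unknown = sorted(mac for mac in leases if mac not in known)
    missing = sorted(d.name for d in inventory if d.mac.lower() not in leases)
    return unknown, missing


def patch_overdue(inventory, today=AUDIT_DATE, sla_days=PATCH_SLA_DAYS):
    """Names of devices whose last patch is older than the SLA, in inventory order."""
    return [d.name for d in inventory if (today - d.last_patched).days > sla_days]


def risk_score(d, today=AUDIT_DATE, sla_days=PATCH_SLA_DAYS):
    """Assumed weighting: patient-safety tier dominates, then exposure, then
    how far past the patch SLA the device is (capped so it cannot outrank tier)."""
    score = {1: 60, 2: 30, 3: 10}[d.safety_tier]
    if d.internet_exposed:
        score += 20
    days_over = (today - d.last_patched).days - sla_days
    if days_over > 0:
        score += min(20, 5 + 5 * (days_over // 30))
    return score


def risk_rank(inventory, today=AUDIT_DATE, sla_days=PATCH_SLA_DAYS):
    """Device names from highest to lowest risk; ties broken by name."""
    ordered = sorted(inventory, key=lambda d: (-risk_score(d, today, sla_days), d.name))
    return [d.name for d in ordered]


if __name__ == "__main__":
    unknown, missing = reconcile(INVENTORY, parse_leases(DHCP_LEASES))
    print("on network, not in inventory:", unknown)
    print("in inventory, not on network:", missing)
    print("past patch SLA:", patch_overdue(INVENTORY))
    print("risk order:", risk_rank(INVENTORY))
```

On the constructed data the run reports one unknown host (the MAC ending in `:99`, with no owner or patch record), one inventoried device not observed (the lab analyzer), two devices past the 90-day SLA, and the internet-exposed MRI ranked above the overdue infusion pump. In a real deployment the lease export would be replaced by whatever the organization can actually observe (DHCP, ARP tables, NAC logs, passive traffic capture), and the scoring weights would be set with the clinical engineering team rather than assumed as here.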
Awareness and ownership will also be key, Reffkin added. Ownership is not always well-defined from a security standpoint. Entities need to clarify who is in charge of a device’s security, especially with those that are connected to the internet.
Training and instilling an overall security awareness is also critical for healthcare organizations.
“Security is very much all hands on deck,” he stressed. “Everybody has a role. All roles are different based upon your position within an organization.”
For example, Reffkin posed a hypothetical: a device is being used to treat a patient, and a strain of malware has been put on that device. Would the doctor be aware of that possibility? How would she even know it was possible unless it had been part of the training for that specific device?
“Thinking about those types of things in the bigger picture shows that we really have to think about medical device security as not just an IT issue, but this is truly an enterprise issue that needs to be addressed,” Reffkin said.
Implementing the necessary device controls will also help reduce medical device cybersecurity risk. Controls can include changing default passwords and putting in place a process so that the staff who operate those systems can still log in easily: an employee checks out a password, does what they need to do, logs out, and the password is then changed, so an attack that relies on default passwords does not succeed.
IT governance must also exist in healthcare organizations, and it needs buy-in from the top down, Reffkin said.
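The check-out-and-rotate process described above is, in effect, a small privileged-access workflow. The following is an added example, not code from the article or from any vendor: a minimal credential vault that hands out the current password for a shared device account, records who holds it, rotates it on check-in so the value the user saw stops working, and audits for devices still on a vendor default. The device names, user names and default-password table are assumptions for illustration; pushing the rotated password to the real device is device-specific and is deliberately left out.

```python
"""Per-use check-out of shared device credentials with rotation on check-in,
plus an audit for vendor-default passwords still in place.

Added example. Device names, users and the default-password table are
constructed for illustration and are not from the article.
"""
import hashlib
import secrets
from datetime import datetime, timezone

# Constructed table of vendor defaults. Only digests are kept so the audit does
# not need plaintext defaults on disk; a real deployment would maintain this
# list from vendor documentation and advisories.
DEFAULT_PASSWORDS = ["admin", "1234", "password", "service"]
_DEFAULT_DIGESTS = {hashlib.sha256(p.encode()).hexdigest() for p in DEFAULT_PASSWORDS}


def _digest(password):
    return hashlib.sha256(password.encode()).hexdigest()


class CredentialVault:
    """Holds the current password for each shared device account.

    Staff never hold a long-lived secret: checkout() returns the current
    password and records who has it; checkin() generates a fresh one, so the
    value handed out is useless afterwards. Every event is written to an audit
    log so ownership of each login is attributable."""

    def __init__(self, devices):
        self._secret = dict(devices)   # device name -> current password
        self._checked_out = {}         # device name -> user holding it
        self.audit_log = []            # (utc timestamp, event, device, user)

    def _log(self, event, device, user):
        self.audit_log.append((datetime.now(timezone.utc).isoformat(), event, device, user))

    def checkout(self, device, user):
        if device in self._checked_out:
            raise RuntimeError(f"{device} already checked out by {self._checked_out[device]}")
        self._checked_out[device] = user
        self._log("checkout", device, user)
        return self._secret[device]

    def checkin(self, device, user):
        if self._checked_out.get(device) != user:
            raise RuntimeError(f"{device} is not checked out by {user}")
        del self._checked_out[device]
        # Rotate. In practice the new value must also be pushed to the device
        # through its management interface; that step is device-specific and
        # omitted here.
        self._secret[device] = secrets.token_urlsafe(16)
        self._log("checkin+rotate", device, user)

    def verify(self, device, password):
        """What the device's login would do: accept only the current password."""
        return secrets.compare_digest(self._secret[device], password)

    def default_credentials_in_use(self):
        """Devices whose current password is still a known vendor default."""
        return sorted(d for d, pw in self._secret.items() if _digest(pw) in _DEFAULT_DIGESTS)


def demo():
    """Walk one check-out cycle; returns (defaults before, old password still
    valid after check-in, defaults after)."""
    vault = CredentialVault({
        "infusion-pump-7": "admin",                  # constructed: still on vendor default
        "mri-suite-2": secrets.token_urlsafe(16),    # constructed: already rotated
    })
    before = vault.default_credentials_in_use()
    pw = vault.checkout("infusion-pump-7", "nurse.a")
    vault.checkin("infusion-pump-7", "nurse.a")
    still_valid = vault.verify("infusion-pump-7", pw)
    after = vault.default_credentials_in_use()
    return before, still_valid, after


if __name__ == "__main__":
    print(demo())   # the pump starts on a default, the old password is dead after check-in
```

The audit half is the part most organizations can run today against their inventory: any device whose login still matches the vendor default list should be treated as an open finding regardless of whether a check-out process exists yet.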
“There are so many disparate procurement channels, there's mergers and acquisition activity, there's research that can be done at academic associations,” he said. “There can be simply clinical demands from doctors on the latest and greatest technology, and there has to be support to have a mature process to go through and evaluate what all these requests and requirements entail.”
“Entities must know that all these devices that are flowing into the organization that get access to patients are in the path of the patient's care or have this patient's data,” Reffkin continued. “From there it’s necessary to understand what those risks are to the organization and know that there’s support to do the right thing as opposed to just getting the next shiny object.”