How to Practice Good Cyber Hygiene for Medical Equipment During COVID-19

April 22, 2020 Matt Dimino

As events around the world continue to change on an hourly basis the demands for healthcare services flourish, not exactly how anyone envisioned or projected, but the use of services, precautions, and clinical equipment nonetheless are in high demand. As the needs and uncertainties escalate so does the concept of fraud, phishing, and tremendously devious social engineering tactics, and good cyber hygiene practices should be in place. The best practices discussed here refer to the activities, settings, and considerations healthcare delivery organizations should undergo to improve safety and reduce the threat landscape of the medical device ecosystem. As CTEK continues to operate and protect our clients and customers, the potential impacts these threats could have on medical equipment must be evaluated. These realistic threats can serve as entry points into or through our clinical technologies. With focus and care around people, processes, practices, places, and things, the hidden dangers or vulnerabilities in medical devices can be easily exploited.

Although new medical device technologies have engineered great improvements in the reliability and advancement of quality care, these same advances in technology can potentially create risks leading to security-related problems that have the potential to outweigh some of the benefits. Only through the thoughtful selection, deployment, proper operation, and support of healthcare technologies and the environment, can the risk of cybersecurity failures be successfully managed. As a result, stakeholder awareness is a key goal in mitigating those risks during this epidemic and it starts with the loss of data.

What Are the Risks in Shifting Resources and Medical Devices?

Right now, most devices are strategically placed, accounted for, and setup accurately ensuring proper workflow. As many healthcare delivery organizations' objectives change and adapt to accommodate COVID-19, it is becoming more challenging to obtain the medical devices and clinical technologies that are necessary. What is happening in most hospitals is the shifting of resources to prepare and accommodate all, not just those that are ill by ensuring proper isolation, sanitization, protection mechanisms, and safety. Therefore; relating to best practices, using good judgment, and being accountable during the intense pressure placed on clinical staff is will help manage the risks and incorporate cyber hygiene. Much of these resources are people, processes, and devices. When these resources are shifted it opens the door to risk, risk that someone may not understand the new process and procedures, risks in human and operational errors, and risks in how devices are used to support patients in this difficult time.

It was comparatively easy to obtain a medical device out of a clinical department or unit, such as a blood pressure machine, an EKG, or an ultrasound and acquire data. Many of our devices are connected to the network, either directly (wireless and/or wired) or through a piece of middleware. As resource shifts occur, it is becoming common practice to move medical devices that have low utilization or those from departments in the hospital that are serving fewer patients at the moment and place them in dedicated isolation or quarantined areas to accommodate those that may be infected by COVID-19. Something that needs to be addressed is the selected location may not have the same technological capabilities as the area the device originated. This highlights several risks that can easily be mitigated if properly identified beforehand. First, the infrastructure may not support the device, therefore ensuring it can, is important, and if it can’t the device will have to store information locally. This first item of concern is the loss of data. If acquiring patient information periodically, say with an EKG device, the information is stored locally on the device and transmitted later, this potentially creates a problem with corruption of data or a device malfunction that may render the data unusable. It is best that if the device can transmit during or directly after an acquisition while in the determined location, the chances of data loss significantly diminish. Likely when in quarantine, process and procedures will not allow for the device to be moved out of this designated area into a non-designated area to transmit.

Devices not connected to the infrastructure or moved to an isolated area may not be updated with patches or firmware when it becomes available, therefore, leaving them vulnerable. Any mobile medical device that may have a Windows operating system or a device that uses a multipurpose computer or laptop could be vulnerable if it is in isolation for extended periods. If it is not connected to the infrastructure its chances of becoming attacked or infected are very low.

Additionally, throughput on the infrastructure is critical to maintaining the integrity of the data. Even if the infrastructure can handle the data, this doesn’t mean it should if it cannot meet manufacturer specifications. For instance, if multiple devices are transmitting large amounts of data on the network at the same time, data may not reach its destination reliably or accurately.

This same topic coincides with misplaced data, where did it go? Did someone forget to transmit the data? If a device is storing data locally and sending later; validating the data is an important step. An example is a mobile van or unit that is sent into the community to test and take vitals or physiologic measurements on patients, this data will be stored until network connectivity is established and can be transmitted. Forgetting, or overwriting data with other patient’s information creates a loss of integrity or lost data altogether.

What Are the Risks Associated with Acquiring Used or Rented Medical Devices?

A common practice in situations where equipment inventory is low or additional is needed is the use of rental companies. For instance, there is a shortage of ventilators right now for numerous healthcare delivery organizations. One approach they may take is contacting a rental company to temporarily acquire the ventilators or patient monitors to adequately care for their patients. Many ventilators are equipped to store and transmit PHI as well as other sensitive information such as network configuration settings. If your organization has chosen to acquire rental devices it is extremely important to properly sanitize the media upon conclusion of the equipment agreement. This ensures the equipment does not have remnants of sensitive information. The clinical engineering department will likely help set this up and should be able to assist with sanitization as well, otherwise, it should be considered within the rental agreement.

Many organizations are buying used equipment from multiple vendors or third parties to help convert medical-surgical or pre/post-surgery areas with monitoring and ventilators. This is a sensible purchase amid the crisis, but keep in mind some of these devices may come with someone else’s data, they may have limited licenses and features, and outdated operating systems and firmware. Please advise with clinical engineering to ensure you get the correct licenses and firmware and update the system if possible. Additionally, if these devices are a few revisions behind, make sure there are no current vulnerabilities or at least nothing greater or riskier than what you currently have. This significantly opens the door to cyberattacks when you choose this option. Even reputable dealers or resellers are not focused on cybersecurity efforts, and usually, older revisions and firmware are easier or more cost-effective to repurpose and resell.

In an attempt to overcome the overwhelming need for specific devices, it is not safe to use old outdated pieces of medical equipment that may have software vulnerabilities. In an attempt to round up medical devices for a separate site, there may be pressure to use the devices that are in storage. These may not be adequate not because of their inability, but because the system may never have been patched, updated, or have a compensating control that can provide a layer of security for the device. Not all old devices will be affected, multi-purpose workstations that are connected to a medical device, imaging devices, and patient monitors are more likely to be affected, buts it’s best to check with clinical engineering to verify.

Ensuring an accurate inventory of clinical assets - clinical engineering maintains this information but should be able to help determine asset utilization and where assets may be located that can be repurposed during this time. They should also maintain records that way when this event is over, the device can be properly disinfected, sanitized, and returned to the proper department.

What Are Good Cyber Hygiene Habits?

  1. Educate users – essential users should be aware of what medical devices they are using and how they operate is essential to ensure good cyber hygiene habits. Many devices have entered the world of plug and play in that many times different manufacturers, brands, and models differ in how they operate, use data, and move data. Therefore, it may be appropriate to designate someone for data storage or transmission in the event it is not transmitted upon acquisition. Seeking superusers or delegating responsibilities to maintain devices or data is critical. Validating data after it has been sent is another significant step. For instance, sending images to the PACS system for a radiologist’s review needs to be verified.
  2. Limiting the number of users is key to cyber hygiene – this corresponds to the previous statement on designating someone. When fewer people are doing multiple jobs there is less room for error. If a designated area is set up for this situation, a clinical engineering person should be designated to understand the workflow and respond to calls, this limits the potential for infection and confusion with how devices and systems are configured.
  3. Backup – make backups, ensure clinical engineering or information technology has properly backed up the medical devices and clinical staff ensures data integrity, meaning verify the data once it is received. Allowing or relying too much on the device can cause errors. Clinical engineering should properly prepare all devices before they may be deployed if going to a separate quarantined area. The clinical engineering group should back up all system and user settings and ensure they have common parts that may need to be replaced. This will be discussed more in another blog post. Having these backups is critical if there is a failure, that way the medical device can stay in the designated area and machines do not have to be swapped.
  4. Inventory – it is advised to have an accurate inventory of all devices in clinical departments to ensure good cyber hygiene, especially those caring for COVID-19 patients. This is not limited to standard medical equipment but also includes knowing if there are smart devices and voice assistants located within these areas, devices such as Alexa or Google Home. These devices are always listening, even though they have a required activation phrase, these devices can easily capture, record, and transmit sensitive information that may be discussed between clinicians, patients, and staff. These devices and easily be solicited accidentally and therefore capture conversations when they were not intended to. If they are not needed, it is advisable to remove them.
  5. Watch for theft of devices and data – when outside of normal security controls, it’s important to recognize the potential for theft. It’s unfortunate, but it happens and with desperate times it sometimes calls for desperate measures. With so many high tech, small portable devices it is extremely easy to swipe something that may contain protected health information or even something that may be dirty. Ensure devices that are mobile or portable are securely locked or fastened to an IV pole when possible. If IV poles are not easily accessible during this time, clinical engineering can get crafty with providing different locking mechanisms, or cable ties to help. Cameras may not be installed in certain locations; therefore, some areas may require the presence of law enforcement or security.
  6. Know the policies – report suspicious emails and behaviors to supervisors. This is also part of educating users, knowing the organization's mission, values, policies, and procedures. They are put in place to assist the workforce in making appropriate decisions. In a time of crisis, judgment may be impaired but knowing the foundation of the organization and what it stands for can significantly diminish poor judgment and moral and ethical decisions. In this case, ensure employees are following their playbook, if one doesn’t exist, it is never too late to create one. Furthermore, the outcome of all of this should provide for discussions on lessons learned from the COVID-19 crisis. Knowing what went right and what went wrong are important to fix for the future.
  7. Trust but verify – double-check the settings on all clinical equipment should always be a best practice for good cyber hygiene. When operating devices outside the norm, it’s important to doublecheck settings and parameters. If they need to be configured, these devices should go through clinical engineering first. If they don’t require any special configuration settings from a network or operational standpoint but need user settings or patient settings, the users should always doublecheck these settings.

Device settings used in a normal clinical environment may not be necessary or applicable in a temporary setting like what they may be deployed for an organization. If moving to an offsite, separate clinic or facility to care for COVID-19 patients, the frivolous features that are coupled to a medical device may not be necessary and should be turned off if they are not needed.

What this means is feature sets like wireless and Bluetooth should be turned off if the device does not need them and you have chosen to move these devices to a separate or non-clinical or just an area where the device was not originally designed or intended to be in.

Recently a set of cybersecurity flaws found in a range of medical devices with Bluetooth Low Energy (BLE) could allow a hacker to remotely crash a device or access its data, according to a recent alert from the Food and Drug Administration. The BLE is used to pair and exchange data between two devices. However, researchers discovered a vulnerability, labeled SweynTooth, that could allow an attacker to remotely crash the device, stop its function, or access functions typically only available to the authorized user. There are publicly available exploits that could put these devices at risk of attack. These exploits can be performed within Bluetooth radio connection distance, therefore someone near windows, locations just outside and within the building, or floor is capable of exploiting this vulnerability.

The Food and Drug Administration issued guidance to provide a policy to help expand the availability and capability of non-invasive remote monitoring devices to facilitate patient monitoring while reducing patient and healthcare provider contact and exposure to COVID-19 during this pandemic. This policy is intended to remain in effect only for the duration of the public health emergency.

The enforcement policy described in the guidance applies to the following non-invasive remote monitoring devices that measure or detect common physiological parameters and that are used to support patient monitoring during the COVID-19 public health emergency:

  • Clinical electronic thermometer
  • Electrocardiograph
  • Cardiac monitor
  • Electrocardiograph software for over the counter use
  • Pulse oximetry
  • Non-invasive blood pressure
  • Respiratory rate/breathing frequency
  • Electronic stethoscope

These non-invasive monitoring devices have the potential to be connected to a wireless network through Bluetooth, Wi-Fi, or cellular connection to transmit a patient’s measurements directly to the provider or other monitoring entities.

The Food & Drug Administration is indicating that healthcare organizations can leverage the use of current non-invasive patient monitoring devices that have these features. It is advised that anyone who chooses to use these features be cautious and understand the cybersecurity risks of these types of medical devices.

For healthcare delivery organizations these steps should be common practice every day, but in a time of critical need the basics may often be disregarded. With changes in the environment and specific caregiver needs, new cybersecurity threats and vulnerabilities can arise, therefore asking questions and working together to practice good cyber hygiene habits with medical equipment should not be overlooked.

Additional Resources

About the Author

Matt Dimino

Matt is a dedicated clinical engineer with knowledge, skills, and experience in all technological facets of healthcare. Proven experience in servicing and managing medical devices and systems, developing and teaching university courses, and medical device cybersecurity and risk management.

Follow on Linkedin More Content by Matt Dimino
Previous Article
Incident Response Survival Guidance During the Coronavirus Crisis
Incident Response Survival Guidance During the Coronavirus Crisis

There is no doubt that the U.S. is in an unprecedented time right now. As of early-March 2020, the federal ...

Next Article
COVID-19 Email Phishing Against U.S. Healthcare Providers
COVID-19 Email Phishing Against U.S. Healthcare Providers

The FBI today released a FLASH alert to U.S. healthcare providers regarding phishing attacks. The FBI was n...

×

Subscribe to Our Monthly Cyber Bulletins with the Latest News, Tips and More!

First Name
Last Name
Company
State
Thank You!
Error - something went wrong!