In 2014 and 2015, the world faced a major health crisis when individuals throughout the world were being exposed to the Ebola virus. Because of the highly contagious nature of the virus, public health officials were concerned that the outbreak could quickly turn into a pandemic. When the outbreak was first discovered, there was no vaccine, and an estimated 50% of the patients perished the following exposure. Fortunately, healthcare professionals were able to save many and started developing a vaccine in case Ebola returns.
Fast forward to May 2018 and we are again hearing reports that Ebola has returned. This time, an experimental “miracle” vaccine may be ready. There are hopes the outcome will be different this time.
Shifting the Focus to Biomedical Device Health
You may ask why this introduction is a preamble to a discussion around the security of biomedical devices. First, there are several similarities between the Ebola virus and computer viruses and malware. Biomedical devices are part of the Internet of Things (IoT) family and, like humans, have little protection against a contagious agent. Once infected, a biomedical or IoT device attempts to infect other devices it comes in contact with. Given the nature of the network, this means virtually anything connected to the Internet.
Second, similar to the 2014 Ebola outbreak, there were significant outbreaks of computer viruses in August 2016 impacting biomedical and IoT devices starting with the Mirai botnet which targeted IoT devices running the Linux operating system. In 2017, the world experienced a surge in WannaCry, NotPetya, and SamSam ransomware attacks targeted the Windows operating system that also successfully infected biomedical equipment.
Third, for the 2016 and 2017 attacks, there was no vaccine or ‘anti-virus’ available to use with the vast majority of biomedical devices. This is because many devices are too old to allow the operating systems to be patched or the systems were not designed to accept third-party anti-virus software.
Fast-forward to May 2018 and we are seeing more attacks against biomedical devices. The difference, when compared to the preamble, is that biomedical equipment is no closer to that miracle vaccine.
Rethinking the Approach by Applying a Proven Framework
Clearly, the public health community didn’t let inertia and bureaucracy inhibit the pursuit of an Ebola vaccine after the 2014 outbreak was contained. Just as with Ebola, the healthcare community should use the Mirai botnet as well as the WannaCry, NotPetya, and SamSam ransomware attacks as wakeup calls to address the fundamental security issues with biomedical devices. The fundamentals of securing biomedical devices are the same as more traditional information technology systems, and the NIST Cyber Security Framework (CSF) is a great foundation.
The first objective of the CSF is to identify and track all assets. Since biomedical devices are often assigned to departments rather than individuals, healthcare organizations face many challenges maintaining an accurate inventory. Even those that do maintain an accurate inventory in their computerized maintenance management systems (CMMS) often lack relevant data that limits the CMMS’s usefulness. Shortfalls include knowing which devices can store patient data, which devices have the latest patch, and which devices have known vulnerabilities. Addressing this issue is a management challenge, as resources are needed to gather the data and apply the framework to determine the appropriate risk levels. There are emerging tools that can help automate this process.
After identifying the assets, the second CSF objective is to protect those assets from threats. Protecting devices from physical threats is primarily accomplished through workforce awareness on where to store devices when not in use. For example, it is rarely acceptable to charge unused equipment in public waiting rooms, especially when powered on and logged in. Protecting devices also means implementing passwords and changing default passwords. To address vulnerabilities from the network side, the use of restricted sub-nets (vLANS) or access control lists can provide compensating controls. Limiting or blocking all inbound and outbound traffic to the Internet for many devices is also good practice.
The third objective of the CSF is to detect attacks. This can be accomplished by monitoring traffic on the dedicated sub-nets for any anomalies. This logically requires integration of network traffic into a security information and event management (SIEM) tool that can alert staff of unusual behavior. In order to detect physical threats, the use of radio frequency identification (RFID) or Bluetooth Low Energy (BLE) tags along with geo-fencing can alert the staff of unauthorized movement.
Responding to an attack is the fourth objective of the CSF and requires integrating biomedical staff operations with the network operations center, protective services (e.g., uniformed guards), and clinical staff. Coordinating this multi-disciplinary response is the responsibility of the CISO and compliance team. The primary task will be to isolate any impacted devices through network isolation, then quarantine devices suspected of having the same vulnerabilities as well as those on the same subnet. Remediation will take time, but the work is not done as all systems will need to be monitored closely to prevent a subsequent outbreak.
Finally, healthcare organizations will need to recover from any attack to meet the CSF’s fifth objective. Reimaging a biomedical device following a virus, malware, or remote compromise can be very complex and in certain instances, may require field support from the manufacturer. No recovery is complete without a root cause analysis to identify and remediate the vulnerability that allowed the successful attack in the first place. The final step is to complete the after-action report which identifies and ranks the risks, and then assigns actions to remediate those risks. This report should be reviewed by the senior compliance official and preserved for a minimum of six years.
Quickly Assess the Health of a Biomedical Security and Compliance Program
Just as public health authorities are monitoring for the next Ebola outbreak, healthcare executives need a quick way to evaluate the effectiveness of their biomedical device security and compliance program. Fortunately, some of the highest risk areas can be identified with four simple questions:
- What are the last twenty-five biomedical devices that have been added to the “Could Not Locate (CNL)” list?
- Which of those devices on the CNL list store Protected Health Information (PHI)?
- Of the missing devices with PHI, how many of those instances have been reported to the Office for Civil Rights (OCR) as a breach of PHI?
- For all remaining devices, what percentage have technical vulnerabilities that cannot be remediated?
These four questions will provide insight into biomedical devices’ four common high-risk areas.