At first glance, the hack of a water processing plant in Oldsmar, Florida would seem to have little to do with healthcare cybersecurity. While alarming to critical infrastructure IT professionals in every sector, it was a relatively small site, and the attack was stopped by an alert operator before it did significant damage. And water treatment plant security, as important as it is, seems not directly related to healthcare cybersecurity.
But the concept of going after infrastructure that can directly affect human health is very much a subject that healthcare management should be concerned about. Malicious hackers are continuing to search for ways to “go kinetic” and have their digital efforts affect things in the real world to increase their impact and profit. And many medical devices are connected to the network and, in some cases, directly to human beings, providing valuable telemetry and administering treatments. Think about the monitors, infusion pumps, and various other healthcare technology that is a routine part of the business of providing healthcare these days. There would be no greater prize for hackers looking to inflict real-world pain and suffering than getting control of these devices.
Given the outsize threat these devices represent to patient safety, here are some steps to take to protect your healthcare network from the “kinetic” hacker dangers:
- Inventory: Do a complete inventory of all connected devices that aren't traditional workstations or servers. This will probably require network scans, manual exploration, and investigation of any unidentified IP addresses. You will likely uncover some medical devices that were never cataloged or got lost in the mix of managing your IT.
- Assess the Risks: Rate the risk associated with each device type and tier them into categories so you can prioritize controls and protections for the devices that pose the greatest threat to patient safety. Those that simply monitor can be rated lower (though still much higher than traditional IT devices), while those that directly administer therapy or drugs belong in special tiers that warrant extra protection.
- Segment Tighter: Put these sensitive devices on separate logical networks. Whenever possible, “air gap” them physically from standard administrative networks. These segments should be protected by additional controls such as firewalls, WAFs, and similar technology.
- Control Access: Limit access to these networks with IP whitelisting, Access Control Lists, and other technology. Give special attention to third parties that might need access to them, such as contractors and vendors providing support or maintenance, and to automated patching and update routines. Hackers often try to come through third parties, knowing their security might not be as good as the main target's. Letting vendors come onto these networks with the standard VPNs used for employee access is not recommended. Use Privileged Access Management (PAM) or Vendor Privileged Access Management (VPAM) technology to protect this access further.
- Monitor More: Add additional monitoring and auditing capabilities to these devices and the networks they reside on. You should be able to log individual access sessions. Get as granular as you can, especially for privileged sessions. Review those logs regularly and set alerts for when certain thresholds are crossed or unusual access occurs.
- Update Often: Medical devices are often updated and patched less frequently by their vendors, and the process is sometimes complicated or manual. For example, devices with embedded OSes might need to have their firmware flashed. They should be part of your regular vulnerability and patch management processes and reviews.
These tips are not a silver bullet for all healthcare device vulnerabilities, but along with all your other preventative and detective controls, they will go a long way toward protecting your organization from kinetic cyberattacks on your medical device infrastructure.