Cybersecurity Lessons Follow First Ransomware-Linked Death


October 22, 2020


By Gabrielle Hirneise

For the cybersecurity community, the ransomware-linked death of a patient in September was more than just a wake-up call.

“That’s keeping most of us up at night—thinking about medical devices and how we can maintain them and make sure they are well protected,” said Mike Ahmad, vice president of business development at ABM Healthcare Technology Management, in an October HTM Live! webinar. “[These cybersecurity threats] affect both patients and providers. What they see from actually providing the patients with care every day is just the tip of the iceberg of this issue.”

As soon as a device is granted the ability or the software to perform functions within the healthcare industry, it is defined as a medical device. Clinicians can now even use their cell phone to diagnose and treat patients, either by processing information from other diagnostic or therapeutic devices or by attaching probes that can measure anything from internal temperature to blood type.

As the definition for a medical device broadens, so do the potential complications. In order for these devices to work together and procure useful information, they need to share the same infrastructure.

“It’s not just an electronic device anymore. Once you load the medical application software, it becomes a medical device… they pose the same threat while on the network as any other medical device does,” Ahmad said.

There are also questions about multiple device connectivity, in which several devices share the same IP address. This creates a challenge when you need to determine which device is leading to defective results. If one device is capable of surfing the web while connected to a medical device, this leaves the information associated with the medical device vulnerable to cybersecurity threats.

“We are trying to promote innovative technologies, and we want to improve the performance of the equipment, but at the same time, we have to balance that with protecting the safety of the patient and the patient’s information,” Ahmad said. 

Ahmad suggested that one important step to protect devices is to develop a streamlined onboarding process, where information is collected on the devices and software being purchased. This way, there is nothing lost in translation between the vendor and the healthcare organization. To further protect this information, Ahmad suggested maintaining a repository, where all manufacturer specifications, guidelines, and software revisions can be tracked.

By tracking this information and keeping it up to date, there will be fewer cases of software incompatibility or vulnerabilities due to out-of-date information. And when a device is no longer in use, Ahmad suggested that it be fully “decommissioned and sanitized,” to prevent the availability of sensitive data or interference from old software.

“We have to keep up with every piece of equipment that has been purchased, so we understand what are the hazards, the risks, the vulnerabilities. Cybersecurity should be considered over the equipment life cycle of the device, from the time we procure it to the time it leaves our network.”

And because so many parties are involved, there needs to be a significant level of communication between manufacturers, healthcare organizations, and IT groups. That’s where HTM professionals can use their expertise to pull these groups together, to ensure the devices and their software are understood and well maintained.

Although no single solution has been established to handle healthcare cybersecurity threats, there are roadmaps establishing what traits you would want the ideal problem-solving framework to have. One way proposed by Ahmad is a “unified solution,” in which an automated platform manages, secures, and optimizes all information pertaining to the medical devices in question across all parties. The model would view the data on the medical device, analyze and assess its vulnerability, screen for and defend against cybersecurity threats, and optimize the data to stave off future cybersecurity threats.

Built into this model would be security information and event management (SIEM), firewalls, asset management systems, network access control (NAC), and software infrastructure. This automated platform would lower the cost associated with mediating cybersecurity threats, while also guiding more effective decision making.

“Cybersecurity is a shared responsibility among all stakeholders. It’s not just the manufacturers, it’s not just the end users, it’s not just HTM or IT—it’s all of us,” Ahmad said. “We should share the responsibility: gathering the information, sharing the information, meeting, exchanging ideas, until we come up with a plan that fits our needs, our facilities, our environment, our risk (and) our challenges.”