We operate our businesses in a world where many of us are constantly looking over our shoulder. Threats to the security of our personal information are real and consistent. These threats need to be confronted and dealt with.
Physical security, unlike cyber security, can be actively managed to an extent. We can be aware of our surroundings, keep a lookout for threats, and confront or remove ourselves from hazardous situations.
Threats to our privacy and personal information, however, are more insidious. Many of us try to maintain a degree of information security in our lives. We protect our personal computers and other electronics from potential malware and intrusions. We make sure our personal information is protected from public scrutiny by electronic security, physical home security, or destruction as appropriate.
However, for an individual, data security is not as substantial or straightforward. There are many situations where private information is not in the hands of consumers to protect. For example, credit card information, including names, addresses and phone numbers can be compromised at the local store or gas station and can be easily sold. Similarly, so can personal credit and health information utilized by local hospitals.
Just like financial institution and e-commerce platforms, hospitals and healthcare systems must remain vigilant with proactive cybersecurity to keep patient information protected.
For the most part, American companies do a very good job of front end insulation from cyber-attacks. This is both in part for their need to protect customers, as well as their reputation and bottom line.
Complex solutions based on prudence, good judgement and technology are part of the nominal infrastructure. The time and effort in protecting the front end of our networks and systems, although not perfect, has been satisfactory. Most healthcare organizations do a good job in protection with network controls and tools, and have a highly proficient and dedicated staff on hand to research, defend. and counterattack malware and personal health information (PHI) breaches.
However, the chain is only as strong as its weakest link. Doing a good job with the connection and protection of devices in the Local Area Networks is only one part of the equation, as healthcare institutions, by design, have differing issues that need to be dealt with verses the average business.
By far, the largest group of medical device security risks are administrative and environmental.
Here are some every day situations and considerations healthcare organizations must acknowledge when proactively protecting patient information.
Facility & Data Access
The vast majority of businesses isolate their physical buildings and equipment from visitors and other non-employees. Access is very regimented and controlled.
Hospitals not only have a population of patients, but a larger number of visitors with facility access that would make most companies cringe. There is minimal access control. And, unlike many businesses, there is normally a large amount of non-employee/staff with access into the heart of the facility. This includes everyone from sales and service personnel to visiting clinical and consultant staff.
In addition to largely unregulated access to facilities, data access can be compromised through everyday activities. Disconnection, removal, and covering of accessible interface connectors on medical devices needs to be done. Visitors have been known to charge their cell phones on the front USB ports of patient monitors. If the USB still has power, then the port is most likely active, which begs the question of how accessible the data is.
Similarly, temporary storage devices used with medical devices should be provided, controlled and monitored by a structured hospital policy. Commercially available security storage devices should be obtained, inventoried and distributed to qualified employees who have need of use only. Uncontrolled management of storage devices poses a huge risk, especially if those devices walk out of the hospital at night with employees.
Additionally, some large scale medical devices are directly net connected with IP access. This can include radiologic devices and complex biomedical systems. This is requested by the vendor so they can monitor device operation and use. This is normally a low security connection, and the potential for breach is high. This problem is compounded by poor password protection, which can result in direct access by unauthorized individuals. Many facilities utilize vendor default passwords for operation, configuration and maintenance, allowing device passwords to be found in routine internet searches. A robust password policy and program can dramatically decrease any unauthorized access.
Equipment Standardization & Management
Businesses are usually able to standardize point of use electronic equipment. The number of different vendors and models is reduced. The specific requirements can nominally be handled by this rather minimal range. Employees can provide a degree of protection with individual passwords, personal ownership, and local physical security. This allows point of use, as well as, network security to be maximized with a minimal number of tools and processes.
Hospitals, on the other hand, usually have a very large range of devices from different vendors. These are needed to provide critical patient care in many areas, for maximum effectiveness and patient safety. This wide range of devices does not normally allow for individual ownership and attention. The vast number of devices makes physical security very difficult. The need for real time patient information, for both critical decision making and record implementation, requires more devices to be networked and available with personal data. Needless to say, networking a large number of disparate devices requires overcoming unique technical hurdles. This in turn increases the difficulty of cybersecurity.
Additionally, most healthcare facilities utilize a device inventory for cataloging individual device files. These files normally contain standard information on the device such as type, model, serial number, vendor, etc. To correctly deal with potential cyber threats, information needs to be added to these files, such as hardware/software/firmware revisions, associated networks and IP’s, active ports, stored and pass-through PHI, and on board security software.
Even equipment that’s not in use can present a security threat. Spare devices and secondary central monitoring stations need to be disabled and protected if not currently in use. Some nursing units have an alternate central monitor away from the primary nurse station, which, if active, could be used to disable or reconfigure alarms or download patient data. Devices not currently in use should be secured in a locked, limited access area. In addition, any small form factor devices should be attached with security hardware to prevent theft.
Equipment disposal also continues to be an issue. Data thieves routinely scour hospitals for unsecured medical records and PHI. Disposal of devices should include removal of any PHI, to the point of removing drives and disposing per hospital policy. This would require medical devices to be completely wiped whether they are being disposed of as electronic waste, trade-in equipment, or sold to third parties.
Sometimes, data breaches can happen through pure accident and ignorance. For example, using devices for other than their intended operation can be very problematic. Listening to a home made music CD on a $500,000 minimally invasive video system may be enjoyable for the staff during an operating room procedure – but what else is on the CD, and where did it come from? Without proper vetting, the CD could introduce malicious information into the system that makes it easier to access.
Maintenance and ongoing security is one way to avoid major tragedies in cybersecurity. Device security aspects should be included in a preventive maintenance and inspection schedule. Logs should be reviewed and old data purged, non-used active ports turned off if possible, and password use scrutinized. Any networked device should be compared with information in the device inventory file to ensure the data is going to where it should. Periodic overall security audits should also be completed.
For the most part, a cyber-attack will not be injurious on a physical level. Informationally, an attack can be disastrous. At the hardware level, loss of a computer or printer to malware can lead to a production stoppage, costly repairs/replacements, and rework.
Loss of PHI at the hospital level is equally disastrous for a healthcare institution. Not only can personal and financial information be disclosed, but sensitive individual health data can be exposed. But more importantly, a malware attack can affect the operation of medical devices to the point of degraded treatment efficacy and patient safety!