The recent Ransomware event has focused attention on the fragile state of information systems across the globe.
Unfortunately, it is not because the malicious actors are leveraging advanced technology or unique exploits. It is caused by a breakdown in the day-to-day maintenance of the information technology resources which are so inextricably linked to our everyday lives.
No individual industry is more affected by the form of malicious software (“Malware”) known as Ransomware than the healthcare industry. Healthcare is a primary “target” due to the value of the information and the ease with which it can be stolen. The recent WannaCry attack was proof that cybersecurity hygiene is still lacking across the healthcare vertical. What does this really mean? It means that healthcare delivery organizations (HDO) are especially susceptible to the threats to, and the vulnerabilities of, medical systems and devices under their purview. These systems and devices are open to a cybersecurity attack just like a banking or airline ticketing system. The difference is healthcare systems and medical devices have a direct relationship to the safety and quality of care of an HDO patient.
Consider this, a medical device is actually an information technology device. Like an ATM or a laptop, it has an operating system like Windows, it uses hardware for memory and it has a microprocessor. All of these areas present opportunities for a cybersecurity threat to exploit a vulnerability. Be assured, each of these components have vulnerabilities, some known, some unknown.
Clearwater Compliance recently partnered with the NIST National Cybersecurity Center of Excellence (NCCoE) in developing a cybersecurity draft practice guide for Securing Wireless Medical IV Infusion Pumps in HDOs. If a medical device is connected to a network, it can be exploited. Once exploited, an attacker could, potentially, manipulate dosage of a pump, export electronic protected health information, or turn the device off to name but a few. Therefore, it must be protected from cybersecurity threats to ensure it isn’t compromised and exploited. The risks to the majority of medical devices can be assessed using the Clearwater IRM|Analysis™ risk analysis software outlined in the guide. The NCCoE Practice Guide is an informative and helpful manual for the healthcare CIO and CISO on how best to secure and protect the medical device ecosystem including risk management, infrastructure architecture and compensating controls.
Analysis of the WannaCry Ransomware attack has been prolific and informative. The most significant takeaway for the healthcare industry is the majority of exploited medical systems and devices were not running an end-of-life operating system (i.e., Windows XP) but were breached because the security updates of the supported operating system (i.e., Windows 7) were not applied.
Yes, in healthcare, a Ransomware exploit may be considered a breach by HHS/OCR if electronic protected health information (ePHI) is not kept confidential, accurate or available when needed. This may require a breach notification to affected individuals and OCR. Many medical devices create, receive, maintain, store and process ePHI and are subject to the same breach notification rules as other HIPAA-regulated information systems.
It is clear that medical devices were infected by the WannaCry Ransomware, but to what extent is still something of a mystery. So, what of the impact? Given this was an attack targeting the operating system and not the application managing the medical device, it may be assumed no “safety” features of the device were compromised. However, medical device interruptions increase staffing needs, require “downtime procedures”, disrupt necessary patient care and can lead to clinical errors, among other concerns.
The lessons to be learned from this attack are straight forward and relatively simple. HDOs should have a strategy and roadmap for their cybersecurity program, test it and monitor the results. Simply throwing money at technology selections without considering people, processes and risk management will not achieve the necessary results. As the maxim goes, “Hope is not a strategy.”
Secondarily, compliance does not equate to security. This is particularly problematic in healthcare where compliance is required and security may be perceived as inclusive in compliance or even optional. Proper cybersecurity will inform and strengthen compliance while compliance will not do the same for cybersecurity.
By Rich Curtiss, Clearwater Compliance
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.