Cybersecurity hygiene: Updated guidance for HTM

TRIMEDX Senior Vice President of Cybersecurity Scott Trevino was featured as part of the October cover story in TechNation on the medical device cybersecurity landscape, increased cyberattacks, and what steps health systems should take to protect their infrastructure and patients. The full article, as it appeared Oct. 1, 2023, is below.

A review of worldwide media during any given week will reveal reports of cyberattacks on institutions of higher learning, corporations, government agencies and health care organizations.

These attacks have a financial toll and disrupt important operations within these organizations.

Recently, the University of Hawaii gave into cybercriminal demands and paid a ransom reported to be over $200,000. The hackers threatened to release private, non-public information on 28,000 current and former students and employees.

An important government website in Kenya, used by the public to access more than 5,000 government services, was hacked by cybercriminals. The website, eCitizen, is used for passport applications and renewals, issuing driver’s licenses, health records and identification cards and e-visas. The hackers claimed to have obtained passport information as a result of the incursion.

One of the concerning offshoots of this cyberattack is that an estimated 76 percent of Kenyans use mobile money. The mobile-money service M-Pesa was impacted by the attack, leaving many Kenyans unable to make payments or purchases. This is a drawback of digital currency in an age of cyberattacks and one more reason why this type of activity can harm the U.S. as the move towards a digital dollar becomes a reality.

No network is un-hackable.

While the Constitution mandates that the federal government protect U.S. borders, that protection responsibility has gained a wider scope with the advent of the Internet and cyber-criminals. There is much more traversing the border digitally.

The FDA has stated that “cybersecurity threats to the health care sector have become more frequent, more severe and more clinically impactful” and includes a cybersecurity focus during the premarket submission process for medical devices.

In addition to the cybersecurity measures exercised by the FDA, the Department of Health and Human Services (HHS) runs the HHS 405(d) program, which was started as a congressional mandate under Section 405(d) of the Cybersecurity Act of 2015 (CSA).

The group’s webpage states: “The 405(d) Program is a collaborative effort between industry and the federal government to align health care industry security practices to develop consensus-based guidelines, practices and methodologies to strengthen the health care and public health (HPH) sector’s cybersecurity posture against cyber threats.”

A government-corporate collaborative is necessary to fight the organized cybercriminals and the ever-evolving approaches they develop to breach secure networks.

In health care, medical devices must be available for use. This isn’t only a major goal of every biomed department, but it is also one of the leading hazards of a cyberattack. If the attacker can knock out a device, or an entire network, they deprive clinicians of much-needed devices.

The challenge for biomeds is the same challenge for all those entrusted with a cybersecurity duty: constant hyper-vigilance is essential because the bad actors never sleep.

“I think of an analogy with codebreakers and code makers. For every newly created code (i.e., digital system), there is always someone working to break the code (i.e., hack the system). It is a never-ending leapfrogging situation. There is no perfect code or cybersecurity; it is only a matter of time and ingenuity before a new hack or new security solution is created,” says Scott Trevino, senior vice president of cybersecurity at TRIMEDX.

He says that this is why it is critical to be innovative, always learn, and stay on top of the evolution of new security solutions and techniques. It’s also important to stay aware of what the bad actors are doing, so you are ready to defend against their latest methods of attack.

“This can and should be done through a multifaceted approach including course work, certifications, conferences and continuing education. There is also value in simply being curious and reading as much as possible,” Trevino says.

Ali Youssef, director of medical device and emerging tech security for Henry Ford Health, says that staying ahead of sophisticated cybercriminals requires an unrelenting commitment to continuous learning and adaptation.

He shared some key strategies:

  • Pursuing ongoing technical education through certifications, conferences, training exercises and hands-on practice.
  • Building connections with other cybersecurity experts to collaborate and share intelligence.
  • Proactively monitoring cybercriminal forums, malware sites and threat feeds for early warnings on emerging attacks.
  • Adopting an authentic lifelong learning mindset, utilizing all available resources, and establishing a strong web of professional relationships are critical to matching and exceeding the capabilities of the bad actors.

“Curiosity, vigilance and collaboration are the best defense,” Youssef adds. Cooperation and information sharing among those in health care and beyond, as cyberthreats are discovered, is one necessity in hardening the entire universe of vulnerable networks.

“The unique challenge in cybersecurity is how quickly things can evolve and change, often faster than formal educational programs can catch up. Therefore, networking across the industry and developing relationships with peers in other organizations and building partnerships with vendors and government agencies is crucial,” says Axel Wirth, CPHIMS, CISSP, HCISPP, AAMIF, FHIMSS, chief security strategist at MedCrypt.

This effort to collaborate and share information needs to occur expeditiously.

“Breaches have traditionally been detected after some damage is done. At that point, efforts are largely focused on limiting the scope of damage, restoring normal operations, reporting to government and affected parties, and taking steps to stop future compromises of this type,” says Stephen L. Grimes, FACCE, FHIMSS, FAIMBE, AAMIF, principal consultant, Strategic Healthcare Technology Associates LLC in Swampscott, Massachusetts.

He says that there are public and private organizations designed to rapidly share known vulnerabilities and their mitigations among industry members in order to help others avoid the same compromises.

“There have also been improvements in safeguards that can more quickly detect attempted compromises, prevent and limit the effects of the compromise. It is a continually evolving process and requires on-going attention,” Grimes says.

In 2021, Grimes and Wirth wrote an article titled: “The Case for Medical Device Cybersecurity Hygiene Practices for Frontline Personnel,” which was published in AAMI’s BI&T publication and was recognized with the best article award from AAMI that year. The article presented 20 best cyber-hygiene practices for clinicians and tech support. It is available at

Real Measures for Biomeds

Grimes says that biomeds need to think outside the box and consider the larger universe of vulnerable devices around them.

“The first thing to recognize is that, while networked devices may be particularly vulnerable to cyber compromises, cyber-vulnerable devices are not limited to only those on networks. The fact is that any device that has a microprocessor or that can execute commands in software/firmware is vulnerable,” he says.

Grimes says that it is critical for members of the HTM community to familiarize themselves with cybersecurity and consider the implications that cybersecurity compromises can have on their organizations in regard to the delivery of safe and effective care. Familiarization may take the form of courses offered by AAMI and other expert sources. It may also involve searching literature and reading articles related to medical device security.

“Simultaneously, HTM staff should be going through their inventories and identifying all devices and systems that are microprocessor or software/firmware-based. This inventory examination will help HTM staff to focus their risk analysis and mitigation efforts in a manner that prioritizes and first addresses issues that may have the greatest impact,” he adds.

Trevino points out that close collaboration with the IT department is key and sorting out responsibilities is important.

“Too often, health systems are especially vulnerable to cyberthreats because of siloed IT and biomedical equipment technician teams. IT teams have the cybersecurity expertise but often don’t deal with the medical devices every day. Biomed teams know the medical devices but may lack cybersecurity knowledge. In this increasingly connected world, the two teams need to share expertise and work together to develop a strategy and plan of action for medical device cybersecurity,” he says.

Trevino says that, to clearly establish roles and responsibilities, a health system should put together a well-defined Responsible, Accountable, Consulted and Informed (RACI) chart. This responsibility matrix is designed to clarify roles and responsibilities across departments.

“When implementing their cybersecurity strategy, health systems should also be sure to use proper technology to improve efficiency, accuracy and reproducibility of processes,” he adds.

Wirth agrees that the two departments need to have a good relationship.

“HTM and IT have to have a good working relationship as often issues need to be addressed that go further than just the network plug in the wall — responding to a cybersecurity incident would be one example,” he says.

Youssef says that there are three basic steps that are great starting points for biomeds seeking to harden their systems:

  • Deploy/use a medical device security management tool to quickly identify network anomalies, and home in on vulnerabilities in connected medical devices.
  • Enforce strong access controls to limit access to biomed systems and data to only authorized users.
  • Provide cybersecurity awareness training to biomed staff on things like phishing, strong passwords, social engineering, etcetera.
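The first of these steps, quickly identifying network anomalies with a device security management tool, is easier to picture with a concrete illustration. The following is an added example, not code from the article or from any vendor's product: it learns each medical device's normal set of destinations from a clean baseline window, then flags later flows that fall outside that baseline and any device that suddenly starts reaching many previously unseen hosts. All device names, addresses, ports and the fan-out threshold are constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """One observed connection from a medical device (all values constructed)."""
    device: str     # inventory name of the device
    dst_ip: str     # host it connected to
    dst_port: int
    proto: str


@dataclass(frozen=True)
class Alert:
    device: str
    reason: str
    flow: Optional[Flow] = None   # None for device-level (aggregate) alerts


# Constructed baseline: flows seen during a clean learning window, when the
# devices were known to be talking only to their intended servers.
BASELINE_FLOWS = [
    Flow("infusion-pump-07", "10.20.0.5", 443, "tcp"),     # pump server (assumed)
    Flow("infusion-pump-07", "10.20.0.53", 53, "udp"),     # DNS
    Flow("patient-monitor-12", "10.20.0.9", 2575, "tcp"),  # HL7 interface (assumed)
    Flow("patient-monitor-12", "10.20.0.53", 53, "udp"),   # DNS
]

# Constructed flows from a later monitoring window.
OBSERVED_FLOWS = [
    Flow("infusion-pump-07", "10.20.0.5", 443, "tcp"),      # expected
    Flow("infusion-pump-07", "203.0.113.40", 443, "tcp"),   # unexpected external peer
    Flow("patient-monitor-12", "10.20.0.9", 2575, "tcp"),   # expected
    Flow("patient-monitor-12", "10.20.1.10", 445, "tcp"),   # SMB to three workstations:
    Flow("patient-monitor-12", "10.20.1.11", 445, "tcp"),   # a monitor has no reason
    Flow("patient-monitor-12", "10.20.1.12", 445, "tcp"),   # to do this
    Flow("ct-scanner-03", "10.20.0.77", 104, "tcp"),        # device absent from baseline
]

# How many previously unseen hosts one device may contact before the
# behaviour is flagged as possible scanning or lateral movement (assumed value).
FANOUT_THRESHOLD = 3


def build_baseline(flows):
    """Map each device to the set of (ip, port, proto) tuples it normally uses."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[f.device].add((f.dst_ip, f.dst_port, f.proto))
    return dict(baseline)


def find_anomalies(baseline, observed, fanout_threshold=FANOUT_THRESHOLD):
    """Return alerts for flows outside the baseline plus per-device fan-out alerts."""
    alerts = []
    new_hosts = defaultdict(set)
    for f in observed:
        if f.device not in baseline:
            alerts.append(Alert(f.device, "device not in baseline inventory", f))
            continue
        if (f.dst_ip, f.dst_port, f.proto) not in baseline[f.device]:
            alerts.append(Alert(f.device, "new destination or port for this device", f))
            new_hosts[f.device].add(f.dst_ip)
    for device, hosts in new_hosts.items():
        if len(hosts) >= fanout_threshold:
            alerts.append(Alert(device, f"contacted {len(hosts)} previously unseen hosts: "
                                        "possible scanning or lateral movement"))
    return alerts


def run_demo():
    """Run the constructed observation window against the constructed baseline."""
    return find_anomalies(build_baseline(BASELINE_FLOWS), OBSERVED_FLOWS)


if __name__ == "__main__":
    for a in run_demo():
        where = f" -> {a.flow.dst_ip}:{a.flow.dst_port}/{a.flow.proto}" if a.flow else ""
        print(f"[{a.device}] {a.reason}{where}")
```

The point of the baseline is that a medical device's legitimate traffic is usually narrow and stable, so a flow-level allowlist per device produces far fewer false positives than generic network heuristics; the fan-out rule catches the case where each individual new flow looks harmless but the pattern does not. A real tool would learn the baseline from NetFlow or span-port data and tie each device name back to the HTM inventory.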

Wirth points out that best practices should be implemented in securing wireless networks.

“Wireless networks require special attention to assure that they meet the desired level of security. They are not inherently insecure but there are many opportunities to mis-configure or mis-design a wireless connection or infrastructure. Hence, it is strongly advised to follow implementation best practices for medical wireless networks as they may be provided by the device manufacturer or industry organizations, such as AAMI (,” he says.

Shorter Distance Technologies and Concerns

The evolution of wireless technologies has resulted in smart homes, dependence on smartphones, hot spots and any number of controllers and linked devices. That potpourri of wireless devices often travels with the consumer outside the home as well and can land in the health care setting. These devices can be brought into the health care environment by clinicians who utilize their capabilities.

“Wi-Fi, Bluetooth, Zigbee, Z-wave are examples of wireless technologies that connect devices together wirelessly. By virtue of the wireless nature of their communications, devices using these technologies can potentially receive data from, and transmit data to, unintended devices and recipients. This has implications for data integrity as well as confidentiality. Effective hand-shaking between devices attempting to send or receive data wirelessly, as well as encryption of that data as it is wirelessly transmitted, are important security safeguards,” Grimes says.

Wirth says that since Bluetooth device connections are typically designed by the device manufacturer, the best an HTM can do is require proof from the manufacturer that the Bluetooth protocol is implemented securely and that known vulnerabilities and common design mistakes are mitigated.

“Some of the challenges specific to Bluetooth include: Eavesdropping — Bluetooth signals can be intercepted by third-party devices within range, allowing hackers to access sensitive information. To prevent eavesdropping, it is essential to use strong encryption when transmitting sensitive data and to disable Bluetooth when not in use,” Trevino says.

Another cybersecurity concern would be man-in-the-middle attacks.

“Bluetooth connections can be intercepted by a hacker who poses as a legitimate device to gain access to sensitive information. To prevent man-in-the-middle attacks, it’s important to verify the authenticity of devices before connecting to them. It’s also vital to use secure authentication protocols,” Trevino says.

He says another concern would be unauthorized access: Bluetooth devices can be configured to be discoverable, making them vulnerable to unauthorized access. To prevent unauthorized access, it is vital to configure devices to be non-discoverable and to use strong passwords or PINs to secure them.

“Because of the unique challenges Bluetooth devices present, it’s crucial for health systems to use the latest version of Bluetooth, update patches, use encryption, verify device authenticity and disable when not in use,” Trevino adds.

Youssef says that core recommended cybersecurity best practices include migrating all wireless traffic to using encrypted protocols such as WPA2 or WPA3, establishing unique, sophisticated passphrases, segmenting wireless networks, disabling client-to-client communication, and implementing wireless intrusion detection systems to monitor for threats.

“Additionally, biomedical engineering should ensure regular patching and upgrades to wireless infrastructure,” he adds.
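The wireless recommendations above (WPA2/WPA3 only, unique and sophisticated passphrases, segmentation, no client-to-client communication, wireless intrusion detection, regular patching) are the kind of settings that can be checked mechanically against a controller export. The following is an added example, not code from the article or from any wireless vendor: it audits a small constructed set of SSID definitions against each of those points and reports what a biomed team would need to fix. The export format, the 16-character minimum passphrase length and the 180-day firmware age limit are assumptions, not figures from the article.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Wlan:
    """One SSID as exported from a wireless controller (format constructed)."""
    ssid: str
    security: str                 # "open", "wep", "wpa-psk", "wpa2-psk", "wpa2-enterprise", "wpa3-sae"
    passphrase: Optional[str]     # None for 802.1X/enterprise SSIDs
    vlan: Optional[int]           # None = not segmented from the default network
    client_isolation: bool        # blocks client-to-client traffic on the SSID
    wids_enabled: bool            # wireless intrusion detection active for this SSID
    firmware_date: date           # release date of the AP/controller firmware in use


ACCEPTED_SECURITY = {"wpa2-psk", "wpa2-enterprise", "wpa3-sae"}
MIN_PASSPHRASE_LEN = 16          # assumed local policy
MAX_FIRMWARE_AGE_DAYS = 180      # assumed local policy


def passphrase_is_strong(passphrase, ssid):
    """Length, character variety and 'does not embed the SSID' checks."""
    if passphrase is None or len(passphrase) < MIN_PASSPHRASE_LEN:
        return False
    if ssid.lower() in passphrase.lower():
        return False
    classes = (
        any(c.islower() for c in passphrase),
        any(c.isupper() for c in passphrase),
        any(c.isdigit() for c in passphrase),
        any(not c.isalnum() for c in passphrase),
    )
    return sum(classes) >= 3


def audit_wlan(w, today):
    """Return a list of findings for one SSID; an empty list means it passes."""
    findings = []
    if w.security not in ACCEPTED_SECURITY:
        findings.append(f"security '{w.security}' is not WPA2/WPA3; migrate to WPA2-Enterprise or WPA3")
    if w.security in ("wpa-psk", "wpa2-psk", "wpa3-sae") and not passphrase_is_strong(w.passphrase, w.ssid):
        findings.append("pre-shared passphrase is short, predictable or embeds the SSID; set a unique, long passphrase")
    if w.vlan is None:
        findings.append("SSID is not segmented; assign a dedicated VLAN for medical devices")
    if not w.client_isolation:
        findings.append("client-to-client communication is enabled; turn on client isolation")
    if not w.wids_enabled:
        findings.append("no wireless intrusion detection; enable WIDS monitoring")
    if (today - w.firmware_date).days > MAX_FIRMWARE_AGE_DAYS:
        findings.append(f"firmware dated {w.firmware_date} is older than {MAX_FIRMWARE_AGE_DAYS} days; schedule patching")
    return findings


def audit_all(wlans, today):
    """Audit every SSID and key the findings by SSID name."""
    return {w.ssid: audit_wlan(w, today) for w in wlans}


# Constructed controller export: one legacy SSID, one partly fixed, one that meets every point.
SAMPLE_WLANS = [
    Wlan("MedDevice-Legacy", "wpa-psk", "pump1234", None, False, False, date(2021, 3, 1)),
    Wlan("MedDevice-Shared", "wpa2-psk", "MedDevice-Shared-2023!", 310, True, True, date(2023, 9, 1)),
    Wlan("MedDevice-Secure", "wpa3-sae", "Pump-Telemetry-Ward4!Rx9", 320, True, True, date(2023, 9, 1)),
]
AUDIT_DATE = date(2023, 10, 1)   # constructed "today" so the run is reproducible


def run_audit():
    return audit_all(SAMPLE_WLANS, AUDIT_DATE)


if __name__ == "__main__":
    for ssid, findings in run_audit().items():
        print(ssid, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

The second SSID illustrates why a length check alone is not enough: its passphrase is long and mixes character classes but is derived from the SSID itself, which is exactly the kind of predictable choice the "unique, sophisticated passphrases" recommendation rules out. In practice the export would be pulled from the controller's API or CLI rather than typed in, and the thresholds would come from the health system's own wireless standard.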

Zero-Trust Environment

The “Zero Trust” framework is an approach that makes the assumption that no device, individual or service can be trusted. Everything that is within an organization’s network, outside the network or within the near-proximity of the network presents a vulnerability.

“Supporting a Zero Trust networking architecture should be a requirement that is articulated and verified during the device purchasing process. This includes support of zero trust on the hospital network but also to any external network access, e.g., by the manufacturer for the purpose of remote service and maintenance,” Wirth says.

Trevino says that biomeds should work with IT and determine the current security model and collaborate to determine the best way to adhere to that model.

“It’s critical for the two teams to work together to guard against threats. If they are working under a Zero Trust model, teams should be sure to consider the seven factors of Zero Trust: workforce security, device security, workload security, network security, data security, visibility and analytics, automation and orchestration,” he says.

Grimes says that HTM professionals need to be familiar with medical device cybersecurity best practices and consider those practices during acquisition, installation/configuration, operation and disposal.

“Among these practices are guidelines from AAMI, NIST, MITRE, UL/EMERGO and other organizations. It would be useful to obtain an MDS2 (containing a description of security features and vulnerabilities) from manufacturers on each of their products, and to attempt to get devices with security certifications (e.g., UL/EMERGO, US Cyber Trust Mark),” he says.

He adds that HTM professionals need to recognize that, while manufacturers can take these steps to help secure their devices, those devices will ultimately be placed in diverse environments, each of which affects the security of the device in its own way, and that this security will need to be managed by responsible individuals working on behalf of the organization.

With knowledge that can be implemented to harden the health care network surface, the insights from these experts provide a framework for HTM’s contributions to cybersecurity. Knowledge without action, though, is only knowledge. Along with IT, HTM plays an important role in securing their environments from cyberthreats.