Hospitals are among the most heavily targeted organizations for cybercriminals. That is hardly a newsworthy or controversial statement: attacks against hospitals rose 94% from 2021 to 2022, with no sign of slowing in 2023. The reasons are twofold: hospitals have historically spent comparatively little on security, and they have a very low tolerance for downtime, because a hospital cannot simply stay offline while it recovers.
What can hospitals do to improve their security in the face of this trend? One thing is to have healthcare technology management (HTM) teams work closer with the cybersecurity team.
HTM teams offer a unique perspective that cybersecurity professionals can and should leverage. They understand medical devices and their clinical impact, and they have strong working relationships with clinicians, patient safety committees, the Environment of Care (EoC) committee, risk management, IT, facilities, and emergency management.
Cybersecurity professionals understand CVEs and frameworks like NIST and MITRE ATT&CK. They know how to secure IoT devices and how to run network access control (NAC), data loss prevention, intrusion detection, and firewalls. The two groups have different but complementary skill sets that, combined, can be used to defend healthcare organizations.
HTM and cybersecurity teams that work together tend to do so in three areas: inventory management, vulnerability management, and incident response. These are not the only ways the two teams can collaborate, but they are the most prominent and the most important places to start.
Inventory Management: The First Step to Better Security
Understanding the medical device inventory and which of those are connected to other systems, to the Internet, and to Internet-facing applications is the critical first step to defending the organization. Without understanding this, it’s impossible to design an effective proactive risk management strategy.
HTM teams know what devices are being used and how, and are better suited to build the network-connected inventory of medical devices. They can leverage their strong relationships with clinicians, and they can gather information about these devices when performing preventative and corrective maintenance.
The next step is to build a full picture of device communication patterns, i.e., network traffic flows, and HTM and cybersecurity need to collect this information together. This stage of inventory contextualization involves deploying a passive network monitoring solution that gathers as many parameters as possible about each connected device; passive collection matters because many medical devices cannot tolerate active probing. Whatever cannot be learned from network traffic, HTM fills in through on-site validation.
The third step is to populate the CMMS (computerized maintenance management system) and CMDB (configuration management database) systems with all relevant information. In general, Information Technology and cybersecurity teams want all assets documented in the CMDB to ensure timely support and manage security risks. HTM teams want all medical devices in their CMMS to ensure proper service, repair, and regulatory compliance.
Having a record of every connected device in both the CMMS and the CMDB ensures proper documentation, timely support, maintenance, and regulatory compliance. A bidirectional sync between the two systems is crucial so that all stakeholders see the same inventory and understand the same risks, and so that the cybersecurity team knows which medical devices must not be actively scanned. This sync needs to be automated and reflect the reality of the network rather than rely on manual data entry. Anything still missing should be collected through on-site visits.
Finally, a risk assessment needs to be conducted on every new device as it comes into the hospital. A successful collaboration is one in which cybersecurity takes the lead on this assessment while HTM supplies the relevant clinical context and helps balance security controls against clinical needs. These four components of inventory management integrate the skills of HTM and cybersecurity to produce a comprehensive list of every device in the organization.
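The reconciliation step described above (network observations as ground truth, compared against the CMMS and the CMDB, with gaps routed to the team that owns them) is easier to see in code. The following is an added example, not code from the original article or from any CMMS/CMDB vendor; the record layout, the sample devices, the internal address range, and the policy that a device stays off the active-scan list unless the CMMS explicitly marks it scan-safe are all assumptions for illustration.

```python
"""Reconcile passively observed network devices against CMMS and CMDB records.

Added example. The record layout, the sample devices and the default-deny
active-scanning policy are assumptions, not a real CMMS/CMDB schema.
"""
import ipaddress
from dataclasses import dataclass, field

# Hospital-internal address space (assumption). A peer outside these ranges
# is treated as Internet communication during inventory contextualization.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample data: devices seen by passive network monitoring,
# keyed by MAC, with the peers (ip:port) each one talked to.
OBSERVED = [
    {"mac": "00:1a:2b:00:00:01", "ip": "10.20.1.11", "peers": {"10.20.1.5:104", "10.20.9.2:443"}},
    {"mac": "00:1a:2b:00:00:02", "ip": "10.20.1.12", "peers": {"10.20.1.5:104"}},
    {"mac": "00:1a:2b:00:00:03", "ip": "10.20.1.13", "peers": {"203.0.113.7:443"}},
    {"mac": "00:1a:2b:00:00:04", "ip": "10.20.1.14", "peers": {"10.20.1.5:104"}},
]

# Constructed CMMS records (HTM's system): clinical context and scan tolerance.
CMMS = {
    "00:1a:2b:00:00:01": {"model": "Infusion pump", "active_scan_safe": False},
    "00:1a:2b:00:00:02": {"model": "Radiology review workstation", "active_scan_safe": True},
}

# Constructed CMDB records (IT's system): network context.
CMDB = {
    "00:1a:2b:00:00:01": {"ip": "10.20.1.99", "vlan": "clinical"},  # stale IP on purpose
    "00:1a:2b:00:00:03": {"ip": "10.20.1.13", "vlan": "clinical"},
}


@dataclass
class Report:
    missing_from_cmms: list = field(default_factory=list)  # push from CMDB/network into CMMS
    missing_from_cmdb: list = field(default_factory=list)  # push from CMMS/network into CMDB
    unknown_to_both: list = field(default_factory=list)    # needs HTM on-site validation
    ip_conflicts: list = field(default_factory=list)       # (mac, cmdb_ip, observed_ip)
    internet_facing: list = field(default_factory=list)
    scan_exclusions: list = field(default_factory=list)    # the vulnerability scanner must skip these


def talks_to_internet(peers):
    """True if any peer address falls outside the hospital's internal ranges."""
    for peer in peers:
        ip = ipaddress.ip_address(peer.rsplit(":", 1)[0])
        if not any(ip in net for net in INTERNAL_NETS):
            return True
    return False


def reconcile(observed, cmms, cmdb):
    """Compare the network's view with both systems of record and list the
    differences each team must resolve, treating the network as ground truth."""
    report = Report()
    for dev in observed:
        mac = dev["mac"]
        in_cmms, in_cmdb = mac in cmms, mac in cmdb
        if not in_cmms and not in_cmdb:
            report.unknown_to_both.append(mac)
        elif not in_cmms:
            report.missing_from_cmms.append(mac)
        elif not in_cmdb:
            report.missing_from_cmdb.append(mac)
        if in_cmdb and cmdb[mac]["ip"] != dev["ip"]:
            report.ip_conflicts.append((mac, cmdb[mac]["ip"], dev["ip"]))
        if talks_to_internet(dev["peers"]):
            report.internet_facing.append(mac)
        # Default-deny: only devices HTM has explicitly cleared may be actively scanned.
        if not (in_cmms and cmms[mac].get("active_scan_safe", False)):
            report.scan_exclusions.append(mac)
    return report


if __name__ == "__main__":
    for name, value in vars(reconcile(OBSERVED, CMMS, CMDB)).items():
        print(f"{name}: {value}")
```

The design choice worth copying is the default-deny scan list: a device that has no CMMS record, or whose record does not say it tolerates active scanning, is excluded until HTM has classified it. Feeding `scan_exclusions` to the scanner's exclusion list and `unknown_to_both` to HTM's site-visit queue is the automated part of the bidirectional sync.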
Vulnerability Management: Resolving Cyber Risk
Vulnerability management is a key process in defending the enterprise. The traditional method has been to identify every software or hardware weakness and patch everything. That is not sustainable for hospitals with limited cybersecurity budgets and staffing, nor is it cost-effective across a growing fleet of medical devices facing ever-advancing threats.
For HTM and cybersecurity to truly work together on reducing the risk of a breach, there must first be an understanding of how to gather the list of vulnerabilities. From an operational standpoint, there are scanning solutions that cybersecurity teams can use to map these weaknesses. The problem is that cybersecurity professionals aren't always aware of the risks that scanning medical devices poses. In a worst-case scenario, a medical device stops performing its clinical function when scanned. For this reason, HTM needs to define which devices may be actively scanned, and under what conditions, so that cybersecurity does not cause issues with patient care.
Following vulnerability scans, organizations need to place the results in context. Not every vulnerability is created equal. If a weakness is very hard to exploit, for example, it may not pose that much of a risk. There are software tools, such as cyber asset attack surface management, external attack surface management, and pen-testing/automated red teaming solutions, designed to judge the real risk of an attacker exploiting specific flaws. Cybersecurity teams would do well to leverage one such solution.
Further, organizations should work to understand the impact that a successful exploit could have on the network. Frameworks like MITRE ATT&CK and MITRE's Rubric for Applying CVSS to Medical Devices help cybersecurity teams add context around the exploitability of each weakness in the hospital's systems and its potential impact on patients. More than 20,000 vulnerabilities of all severities were reported in 2022 alone according to NVD data; deciding which of them to fix, and when, is a key way to reduce the risk of a successful cyberattack.
Finally, HTM and cybersecurity need to work to apply mitigations at either the device or network level. It can take anywhere from three months to three years to fully implement network segmentation, which is why HTM and cybersecurity teams need to work together to determine which patches to deploy and which devices to segment. Only by collaborating can HTM and cybersecurity work to mitigate vulnerabilities.
While targeted segmentation is preferred and recommended, that is a time-consuming and resource-intensive effort. In the meantime, hospitals cannot leave cybersecurity risks unaddressed, which is why understanding the exploitability of each device and prioritizing device-level remediation is a critical step.
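To make the prioritization argument of this section concrete, here is an added example (not the article's own method and not the MITRE rubric's actual numbers) of ranking findings by base score, real reachability, and HTM-assigned clinical criticality, then routing each one to a device-level patch, network segmentation, or a compensating control. The weights, thresholds, device names, and `VULN-*` placeholder identifiers are assumptions for illustration and would need tuning with HTM for a real fleet.

```python
"""Rank medical-device findings and pick a mitigation path.

Added example. Weights, thresholds and sample findings are assumptions chosen
to show the shape of the decision, not published rubric values.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    device: str
    vuln_id: str                     # placeholder identifier (constructed)
    cvss_base: float                 # CVSS base score, 0.0-10.0
    attack_vector: str               # CVSS AV: "N" network, "A" adjacent, "L" local, "P" physical
    reachable_from_it_network: bool  # from observed traffic flows / current segmentation
    vendor_patch_available: bool
    clinical_criticality: int        # HTM-assigned: 1 non-clinical, 2 diagnostic, 3 life-sustaining
    known_exploited: bool = False


AV_WEIGHT = {"N": 1.0, "A": 0.7, "L": 0.4, "P": 0.2}      # assumption
CRITICALITY_WEIGHT = {1: 0.8, 2: 1.0, 3: 1.2}             # assumption
ROUTINE_THRESHOLD = 4.0  # below this, handle in the normal maintenance cycle (assumption)


def exploitability_factor(f):
    """Scale the base score by how an attacker could actually reach the flaw here."""
    w = AV_WEIGHT[f.attack_vector]
    if f.attack_vector == "N" and not f.reachable_from_it_network:
        w = 0.5  # existing segmentation already limits who can reach it
    if f.known_exploited:
        w = min(1.0, w + 0.3)
    return w


def priority(f):
    score = f.cvss_base * exploitability_factor(f) * CRITICALITY_WEIGHT[f.clinical_criticality]
    return round(min(10.0, score), 1)


def recommend(f):
    """Device-level fix first where the vendor supports it; otherwise network-level
    containment for anything reachable; otherwise compensating controls."""
    if priority(f) < ROUTINE_THRESHOLD:
        return "routine"
    if f.vendor_patch_available:
        return "patch"                 # schedule with HTM in a maintenance window
    if f.reachable_from_it_network:
        return "segment"               # ACL/VLAN isolation while a vendor fix is pending
    return "compensating-control"


def triage(findings):
    """Return (device, priority, action) sorted from most to least urgent."""
    ranked = [(f.device, priority(f), recommend(f)) for f in findings]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


# Constructed sample findings.
FINDINGS = [
    Finding("infusion-pump-01", "VULN-A", 9.8, "N", True, False, 3, known_exploited=True),
    Finding("patient-monitor-07", "VULN-B", 7.5, "N", False, True, 3),
    Finding("review-workstation-03", "VULN-C", 6.5, "L", True, True, 1),
    Finding("ct-scanner-02", "VULN-D", 8.8, "N", True, False, 2),
]

if __name__ == "__main__":
    for device, score, action in triage(FINDINGS):
        print(f"{score:>5}  {action:<21} {device}")
```

Note how the same 7.5 network-exploitable flaw on an already-segmented monitor drops below a 6.5 local flaw's raw score once reachability is factored in, while the unpatched, unsegmented, life-sustaining pump with a known-exploited flaw lands at the top regardless of how long full segmentation will take.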
Incident Response: Fixing What Breaks
Even the best cybersecurity posture can experience a security incident. Responding to these events effectively requires preparation, the detection of suspicious activity, investigation, and containment or mitigation of the issue. Once the incident is contained or resolved, teams should work on root cause analysis, disaster recovery, and post-incident analysis.
Cybersecurity and HTM both have an important role to play in incident response. In the preparation phase, the teams need to determine who runs the initial investigation. They also have to craft the documentation plan for incidents, decide on communication channels, and define the escalation path as well as which other resources to loop in. HTM should include emergency management and the EoC committee in this effort so that a hospital-wide incident response workflow is planned, practiced, and enforced when needed.
In terms of detecting anomalous activity, cybersecurity actively monitors the network using threat detection tools. They also use standard policies or craft custom policies that detect anomalies throughout the system. Once an alert happens, the investigation and determination of the root cause occur based on predetermined pathways for incident response. Then teams perform containment or mitigation depending on the specific situation.
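The "custom policies that detect anomalies" mentioned above are most useful when they are built on the traffic baseline gathered during inventory contextualization. The following added example (not from the original article or any detection product) applies three such policies to constructed flow records: an unknown source on the clinical segment, a known device talking to a peer outside its baseline, and escalation when that new peer is another medical device or an address outside the hospital. The baseline, the log format, the internal address range, and the sample lines are all assumptions.

```python
"""Flag medical-device network flows that deviate from the inventory baseline.

Added example. Baseline, flow-log format and sample lines are constructed; a
real deployment would derive the baseline from passive monitoring and read
flows from the NDR or firewall.
"""
import ipaddress
import re

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: hospital address space
CLINICAL_SEGMENT = ipaddress.ip_network("10.20.1.0/24")  # assumption

# Baseline per known medical device: (peer, port) pairs learned during
# inventory contextualization. Constructed.
BASELINE = {
    "10.20.1.11": {("10.20.1.5", 104), ("10.20.9.2", 443)},  # infusion pump: HL7 + update server
    "10.20.1.12": {("10.20.1.5", 104)},                      # patient monitor: HL7 only
}

# Constructed flow records in a simple key=value form.
FLOW_LOG = """\
2023-05-02T10:01:12Z src=10.20.1.11 dst=10.20.1.5 dport=104 proto=tcp
2023-05-02T10:01:13Z src=10.20.1.12 dst=10.20.1.5 dport=104 proto=tcp
2023-05-02T10:02:40Z src=10.20.1.11 dst=10.20.1.12 dport=445 proto=tcp
2023-05-02T10:03:01Z src=10.20.1.12 dst=203.0.113.7 dport=443 proto=tcp
2023-05-02T10:03:05Z src=10.20.1.77 dst=10.20.1.5 dport=104 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_flows(text):
    """Yield one dict per well-formed flow line; silently skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["dport"] = int(d["dport"])
            yield d


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect(flows, baseline, segment=CLINICAL_SEGMENT):
    """Policy 1: unknown source inside the clinical segment.
    Policy 2: known device to a (peer, port) not in its baseline.
    Policy 3: escalate policy 2 when the peer is another baselined medical
    device (lateral movement) or an address outside the hospital."""
    alerts = []
    for f in flows:
        src, dst, port = f["src"], f["dst"], f["dport"]
        if src not in baseline:
            if ipaddress.ip_address(src) in segment:
                alerts.append({"ts": f["ts"], "src": src, "kind": "unknown-device", "severity": "medium"})
            continue
        if (dst, port) in baseline[src]:
            continue  # expected communication
        if dst in baseline:
            kind, sev = "lateral-to-medical-device", "high"
        elif is_external(dst):
            kind, sev = "unexpected-external", "high"
        else:
            kind, sev = "new-internal-peer", "low"
        alerts.append({"ts": f["ts"], "src": src, "dst": f"{dst}:{port}", "kind": kind, "severity": sev})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_flows(FLOW_LOG), BASELINE):
        print(alert)
```

Because medical devices have narrow, stable communication patterns, a baseline policy like this produces far fewer false positives than it would on general-purpose workstations, and the "unknown-device" alert doubles as a feed back into the inventory process: every such hit is a device that has to be validated and entered into the CMMS and CMDB.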
During the root cause analysis phase, both cybersecurity and HTM have roles to play. Cybersecurity teams have the tools and resources to investigate root causes, mitigate network issues, and perform forensic analysis. HTM can understand patient impacts as devices get quarantined or taken offline. They can then take appropriate steps to mitigate risk.
The final stage is the recovery of affected systems. HTM must lead for medical devices here, while cybersecurity can handle many of the IoT devices. After finishing recovery, HTM and cybersecurity should also share their learnings and document them.
The Time to Act Is Now
Healthcare attacks are only increasing. Given this new reality, HTM and cybersecurity teams need to collaborate better and draw on each other's strengths and expertise to secure hospitals. HTM understands medical devices; cybersecurity understands protecting networks from security events and incidents. These two skill sets can and do work hand-in-hand to proactively manage cyber threats and risks and defend healthcare delivery organizations (HDOs). They do this best by thoroughly planning and managing the inventory, the vulnerabilities, and incident response. Tight collaboration in these three areas, done right, builds a strong foundation.