EmberSec

Blog

Protecting Healthcare IT and OT in the Face of a Global Pandemic

4/13/2020

 

By Fairuz Rafique

The ongoing Coronavirus (COVID-19) pandemic has placed immeasurable strain on the healthcare industry, demanding an “all-in” approach to equipping nurses, doctors, and all of the other heroic medical practitioners and their support staff with as many critical resources as possible. Those resources range from personal protective equipment (PPE) and medical devices to the physical space to provide care and the new technologies that help detect, prevent, track, and stabilize the spread of COVID-19 infections. While medical professionals and the healthcare supply chain scramble to meet these needs, there is a parallel challenge: preventing cyber criminals from disrupting daily operations, response times, and the overall unobstructed delivery of healthcare services.
As healthcare is one of the 16 critical infrastructure sectors defined by the U.S. Department of Homeland Security, we are seeing firsthand the monumental importance of a healthcare system that can respond effectively to a pandemic with global economic consequences. And as history shows, the healthcare industry is no stranger to falling victim to cybercrime. While many of these attacks go unreported, several recent cyber-attacks in healthcare have been made public:
  • In 2017, the NotPetya worm disrupted pharmaceutical manufacturing facilities and other industrial facilities, causing downtime and loss of revenue (Source).
  • According to recent reports from Recorded Future, spear phishing campaigns have been observed in which emails are successfully branded to emulate major healthcare authorities in Ukraine, China’s Ministry of Health, the World Health Organization, Center for Disease Control and the U.S. Department of State.
  • On March 14, 2020, the second largest hospital in the Czech Republic, Brno University Hospital, which houses the country’s biggest COVID-19 testing labs, fell prey to a cyber-attack amidst the virus outbreak, forcing it to “take its IT systems offline, cancel surgeries, and move patients to other hospitals” (Source).
  • In March 2020, the U.S. National Security Council confirmed that a nation-state actor had attacked the U.S. Department of Health and Human Services. Further details were not released.
 
These recent examples illustrate traditional attacks that have been observed within the cybersecurity community over the last few years, and it’s safe to assume that numerous others have been carried out. While healthcare organizations operate at a heightened state in response to the current pandemic, some sectors within the healthcare ecosystem are also at the forefront of battling malicious activity. The remainder of this blog post will address the cybersecurity concerns pertaining to IT and OT systems found in modern hospitals and healthcare manufacturing facilities.
 
Digital Transformation & Modern Hospitals
Hospitals today are expected to boast the latest and greatest in medical technology to support their delivery of patient care. Smart medical devices with network communication capabilities (e.g. picture archiving and communication systems (PACS), ultrasound machines, CT and MRI scanners, portable X-ray units, etc.), electronic medical records, and data aggregators all rely on IT and OT systems for operation. These systems are required to work in tandem to ensure that hospital staff are able to safely deliver healthcare services, yet they present cybercriminals with many layers of potential vulnerabilities to exploit in an attempt to gain unauthorized access.
 
Data points from a 2017 U.S. Department of Health and Human Services report (Source) describe the reach of cyber-attacks on this field:
  • 4 in 5 U.S. physicians have experienced some form of a cybersecurity attack
  • The data breach cost per record stood the highest for healthcare records:
    • $408 per healthcare record
    • $206 per financial record
    • $170 per technology record
  • In 2016, the U.S. Healthcare System lost a total of $6.2 billion from data breaches
 
Core IT networks are critical to integrating patient service delivery, and have numerous systems dedicated to patient care. Thanks to significant technological advancements, many legacy medical devices have now been replaced with their modern counterparts. However, even these modern medical devices present a variety of security issues that are also commonly found in the embedded systems native to industrial control systems. These include but are not limited to:
  • Weak / no credentials
  • Hardcoded credentials
  • Insecure configurations in embedded OS
  • Security tools causing systems to malfunction
  • Lack of patching & vendor support
 
Regardless of whether these systems are present in a formal hospital, a hospital onboard a ship, or an emergency medical triage facility set up in a vacant warehouse, parking lot, or convention center, the consequences of a successful attack can be dire. In addition, if critical OT systems are connected insecurely to the core hospital IT network, attackers could move laterally into the OT network that houses several critical systems underlying the hospital. For example:
  • Building HVAC systems
  • Lighting and energy management systems
  • Fire and gas detection systems
  • Surveillance systems
  • Physical access control systems
Cybersecurity professionals should not ignore these OT systems, as they can play a role as important as that of the core hospital IT network.
 
As expected, an intermixing of IT and OT systems in these networks will yield a mix of commonly used IT protocols and unfamiliar, often insecure, vendor-proprietary OT protocols. In many cases, the overall architecture of these networks has been observed to be “flat”, that is, networks with little to no segmentation and no defined zones and conduits. Our observation working with healthcare clients has been that these networks are also relatively insecure, characterized by the following weaknesses:
  • Little to no network monitoring in place
  • Lack of access control
  • Lack of a formal asset inventory
  • Unrestricted network traffic flows
  • Insecure remote access implementations

A proactive posture towards cybersecurity can go a long way in mounting an effective pandemic response. It also ensures resiliency in operations when initiating business contingency plans. Hospitals must consider the nuances of relying on numerous, highly connected IT systems, OT systems, and medical devices when securing their environments. Further, security professionals must consider the fact that not every system can be updated, not every system can be patched, and there will be systems that remain insecure. The challenge of securing many of these systems will come down to a few factors that need to be considered:
  • Does the system store or communicate PHI or EMRs?
  • Is the system accessible remotely, and why is remote access needed?
  • Does the vendor still support the system?
  • How can changes in the system/network be implemented without disrupting operations?
  • Are there regulatory mandates impacted by this system?
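The weaknesses listed earlier (no asset inventory, unrestricted traffic flows, insecure remote access) and the triage questions just above can be checked mechanically once a zones-and-conduits design exists. The script below is an added example written for this post, not EmberSec's own tooling: it assumes constructed zone names, a constructed asset inventory, a small conduit table, and a handful of constructed flow records of the kind a NetFlow or firewall log would produce. It flags flows that cross zones without a defined conduit (an IT-to-OT hop is treated as critical), flows involving addresses missing from the inventory, and inventory entries that answer the triage questions unfavourably (unsupported by the vendor, reachable remotely, or holding PHI).

```python
"""Zones-and-conduits audit for a mixed hospital IT/OT network (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    ip: str
    name: str
    zone: str                      # constructed zone names: corp-it, clinical, bms-ot, vendor-remote
    stores_phi: bool = False       # answers "does it store or communicate PHI/EMRs?"
    vendor_supported: bool = True  # answers "does the vendor still support it?"
    remote_access: bool = False    # answers "is it accessible remotely?"


# Constructed asset inventory. Any address on the wire that is not listed
# here is itself a finding (no formal asset inventory is a listed weakness).
INVENTORY = {
    "10.1.0.10": Asset("10.1.0.10", "hr-workstation-01", "corp-it"),
    "10.2.0.5": Asset("10.2.0.5", "pacs-server", "clinical", stores_phi=True),
    "10.2.0.21": Asset("10.2.0.21", "infusion-pump-21", "clinical", vendor_supported=False),
    "10.3.0.2": Asset("10.3.0.2", "hvac-plc", "bms-ot", remote_access=True),
    "10.3.0.3": Asset("10.3.0.3", "hvac-hmi", "bms-ot"),
}

# Conduits: the only zone-to-zone (protocol, port) pairs the design permits.
# Everything not listed is denied by default.
CONDUITS = {
    ("corp-it", "clinical"): {("tcp", 443)},                 # web front-end to PACS/EMR
    ("clinical", "clinical"): {("tcp", 104), ("tcp", 443)},  # DICOM and HTTPS inside the zone
    ("bms-ot", "bms-ot"): {("tcp", 502), ("udp", 47808)},    # Modbus/TCP and BACnet inside OT
    ("vendor-remote", "bms-ot"): {("tcp", 22)},              # vendor access only via a jump host
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip: str) -> Optional[str]:
    asset = INVENTORY.get(ip)
    return asset.zone if asset else None


def check_flow(flow: Flow):
    """Return (severity, reason) for a policy violation, or None if the flow is allowed."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        unknown = flow.src if src_zone is None else flow.dst
        return ("high", f"{unknown} is not in the asset inventory")
    if (flow.proto, flow.dport) in CONDUITS.get((src_zone, dst_zone), set()):
        return None
    # A cross-zone hop into OT with no conduit is the lateral-movement path the post describes.
    severity = "critical" if dst_zone == "bms-ot" and src_zone != "bms-ot" else "medium"
    return (severity, f"{src_zone}->{dst_zone} {flow.proto}/{flow.dport} has no defined conduit")


def audit_flows(flows):
    """Run every flow through the conduit policy; keep only the violations."""
    findings = []
    for flow in flows:
        result = check_flow(flow)
        if result is not None:
            findings.append((flow, result[0], result[1]))
    return findings


def audit_inventory():
    """Apply the triage questions to each inventoried asset."""
    notes = []
    for asset in INVENTORY.values():
        if not asset.vendor_supported:
            notes.append((asset.name, "unsupported: cannot be patched, isolate and monitor"))
        if asset.remote_access:
            notes.append((asset.name, "remote access: confirm need, route via vendor-remote conduit"))
        if asset.stores_phi:
            notes.append((asset.name, "stores PHI: in regulatory scope, prioritise controls"))
    return notes


# Constructed sample flows, in the order a collector might emit them.
SAMPLE_FLOWS = [
    Flow("10.1.0.10", "10.2.0.5", "tcp", 443),    # corp-it -> clinical HTTPS: allowed
    Flow("10.1.0.10", "10.3.0.2", "tcp", 502),    # corp-it -> OT Modbus: critical
    Flow("10.3.0.3", "10.3.0.2", "tcp", 502),     # HMI -> PLC inside OT: allowed
    Flow("203.0.113.7", "10.3.0.2", "tcp", 3389), # unknown host -> PLC RDP: high
    Flow("10.2.0.5", "10.2.0.21", "tcp", 104),    # PACS -> pump DICOM inside clinical: allowed
]

if __name__ == "__main__":
    for flow, severity, reason in audit_flows(SAMPLE_FLOWS):
        print(f"[{severity}] {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
    for name, note in audit_inventory():
        print(f"[inventory] {name}: {note}")
```

The deny-by-default conduit table is the point: in a flat network every one of these flows succeeds silently, whereas with zones defined the corp-IT-to-PLC Modbus session and the RDP attempt from an uninventoried address stand out immediately, and the unsupported infusion pump is surfaced as a system that must be protected by isolation rather than patching.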
 
Pharmaceuticals & Medical Devices – Securing Manufacturing Facilities & Medical Devices
As several of the aforementioned use cases have shown, entire manufacturing facilities have come to a standstill due to cyber-attacks. And delays caused by cyber-attacks to assembly lines in the current pandemic environment can quite easily translate directly to a surge in patient casualties. Additionally, many non-healthcare companies in the manufacturing verticals are being mandated by President Trump via the Defense Production Act to shift their manufacturing operations to serve the healthcare industry instead, by manufacturing ventilators, masks, gowns and other essentials needed by healthcare professionals.
 
Many of the successful cyber-attacks on industrial facilities have involved compromise of the facility’s programmable logic controllers, distributed control systems, safety instrumented systems, human machine interfaces (causing loss of control and loss of view), engineer/operator workstations, and other systems native to OT networks. Cyber-attacks on OT networks can be propagated via a few sources:
  • From unrestricted network traffic to/from the corporate IT network
  • Implementation of insecure remote access often required by system vendors
  • Improper and uncontrolled use of portable media
 
Equally important to the facility’s automation and safety systems are the cybersecurity attributes of the actual devices being manufactured. Embedded systems are no longer isolated and proprietary. Embedded medical systems are increasingly designed for additional functionality, communication capabilities, and interoperability. The FDA issued an advisory in October 2019 (Source) disclosing the impact on many third-party medical devices of the ‘Urgent/11’ vulnerabilities discovered by the security company Armis. The vulnerabilities primarily affected the VxWorks embedded operating system, which is ubiquitous in avionics, vehicle components, medical devices, and even aerospace components onboard satellites and the Mars rover. The advisory states that manufacturers of imaging systems, infusion pumps, and anesthesia machines were affected by the Urgent/11 vulnerabilities, which, if successfully exploited, could allow an attacker remote access, modification of functions, and denial of service on medical devices.
 
Where to Start:
It’s worth noting that although prioritizing the pandemic response is essential, hospitals are losing money due to having to minimize all non-critical functions and services. This shift in operation is forcing numerous hospitals to choke their primary sources of revenue, resulting in reduced pay for workers and even layoffs for some (Source). Hospitals are increasingly reserving their financial resources to sustain the most urgent need at the moment: saving patients from the virus pandemic. Our interactions with past and potential clients also reflect this reality, as healthcare organizations are currently refraining from IT spending that is not deemed critical to the pandemic response. And as expected, cybersecurity efforts are falling by the wayside.
 
In closing, here are a few steps and suggestions for healthcare executives to best tread these waters with diligence and care:
1. If you don’t have cybersecurity professionals on staff, consider hiring a company to join forces with you.
2. Train your employees to be able to correctly identify spear phishing attempts (check out our blog post on this).
3. Start identifying and securing your supply chain.
 
Cybersecurity professionals with duties related to securing medical devices manufacturing facilities and hospitals can reference the following sources for guidance:
  • FDA Guidance for medical device security
  • NIST 1800-8 – Securing Wireless Infusion Pumps
  • Industrial Internet Consortium - Industrial Internet Security Framework
  • IEC 62443
  • NIST 800-82 – Guide to Industrial Control Systems Security

Contact Us
(703) 224-1000
info [at] embercybersecurity.com
8484 Westpark Dr.
Suite 600, McLean, VA, 22102
© 2020 By Light Professional IT Services LLC. All Rights Reserved.