The 2016 Mirai botnet attack and the 2017 WannaCry and NotPetya ransomware attacks should have been a wake-up call to providers that biomedical and other non-IT assets are a security risk. As such incidents increase, boards are putting pressure on security and IT leadership to “do something.” While technology vendors are quick to offer solutions, technical solutions alone cannot mitigate many of the real risks. At times like this, security officials must address the management challenges, starting with a risk analysis to focus their efforts.
Biomed and IoT security risks
Biomedical devices (biomed) save lives by assisting with the diagnosis, treatment, and/or monitoring of patients. Many are used in acute and ambulatory settings, but many others are used outside a clinical setting, such as in patients’ residences or while the patient is mobile. These devices can create, access, or store electronic Protected Health Information (ePHI). Regardless of location, providers must perform a risk analysis on all biomed devices that create, access, transmit, or store ePHI, including portable monitoring devices such as wearable EKG monitors.
One of the key steps in a risk analysis is identifying threats to the confidentiality, integrity, or availability of ePHI. It is also prudent to evaluate threats to patient safety at the same time, regardless of whether ePHI is involved. The primary threats to any network-aware biomedical device are malware, ransomware, and attackers. Devices that are not networked but still create and store ePHI are at risk of theft, loss, and unauthorized access, which increases the risk of a breach.
Biomedical devices are not the only non-IT security risk. Other network-aware assets (e.g., IoT devices, security cameras, printers, physical access controllers, and SCADA systems) are also susceptible to hacking, malware, or ransomware.
Applying controls to biomed and IoT devices
Protecting biomedical and other IoT devices can call on the full suite of the HIPAA Security Rule’s requirements, or the NIST Cybersecurity Framework’s administrative, physical, and technical controls. While each provider’s risk analysis results will vary, the threat of malware and ransomware should be near the top of the risk spectrum. Internal vulnerability scans are needed to identify technical weaknesses in biomedical and IoT devices that could allow an attacker or unauthorized third party to access ePHI, introduce malware or viruses, or use the device as an unwilling host to launch attacks on other systems.
Risk mitigation options
1. Asset management
Biomedical equipment and other IoT devices can be introduced into covered entities’ environments via many paths, including formal channels (e.g., sourcing) and informal means such as equipment loans, rentals, or even gratis units from equipment vendors. Incomplete inventories following a merger or acquisition can also be problematic. Members of the workforce may introduce undocumented equipment such as smart coffee pots without authorization or prior to a proper security risk assessment. Security officers should first seek to identify and control all such equipment so that a risk assessment can be performed. Asset management also extends to the proper disposal of equipment, so that biomedical equipment and other IoT devices that store sensitive data are wiped clean.
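The first step the paragraph describes, identifying equipment that is on the network but not in the authorized inventory (and inventory items that never appear), can be automated from existing logs. The script below is an added example, not code from the original article: the inventory, the asset tags, and the DHCP server log lines are constructed, and the log format is a hypothetical ISC-dhcpd-style syslog line.

```python
"""Reconcile an authorized asset inventory against devices observed on the network.

Added example (not from the original article). The inventory and the DHCP
lines below are constructed; the log format is a hypothetical ISC-dhcpd-like
syslog line, and the asset tags are placeholders.
"""
import re

# Constructed authorized inventory keyed by MAC address (lower-case).
AUTHORIZED_INVENTORY = {
    "00:11:22:aa:bb:01": {"asset_tag": "BM-1001", "type": "infusion pump", "owner": "Biomed"},
    "00:11:22:aa:bb:02": {"asset_tag": "BM-1002", "type": "patient monitor", "owner": "Biomed"},
    "00:11:22:aa:bb:03": {"asset_tag": "FAC-2001", "type": "badge reader", "owner": "Facilities"},
    "00:11:22:aa:bb:04": {"asset_tag": "BM-1004", "type": "ventilator", "owner": "Biomed"},
}

# Constructed DHCP server log lines (hypothetical format).
DHCP_LOG = """\
2024-03-01T08:01:12 dhcpd: DHCPACK on 10.20.5.11 to 00:11:22:AA:BB:01 (pump-01) via eth1
2024-03-01T08:02:40 dhcpd: DHCPACK on 10.20.5.12 to 00:11:22:aa:bb:02 (monitor-02) via eth1
2024-03-01T08:05:03 dhcpd: DHCPACK on 10.20.5.40 to 5c:cf:7f:12:34:56 (smart-coffee) via eth1
2024-03-01T08:06:55 dhcpd: DHCPACK on 10.20.5.41 to 00:11:22:aa:bb:03 via eth1
2024-03-01T08:07:10 dhcpd: DHCPDISCOVER from 5c:cf:7f:12:34:56 via eth1
"""

# Only DHCPACK lines confirm that a device actually obtained an address.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?"
)


def parse_dhcp_acks(log_text):
    """Return {mac: {"ip", "hostname"}} for every DHCPACK line; later leases win."""
    observed = {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue  # DISCOVER/OFFER lines carry no confirmed address
        observed[m.group("mac").lower()] = {
            "ip": m.group("ip"),
            "hostname": m.group("host") or "",
        }
    return observed


def reconcile(inventory, observed):
    """Split observations into undocumented devices and inventory devices not seen."""
    undocumented = [
        {"mac": mac, **info}
        for mac, info in sorted(observed.items())
        if mac not in inventory
    ]
    not_seen = sorted(
        rec["asset_tag"] for mac, rec in inventory.items() if mac not in observed
    )
    return {"undocumented": undocumented, "not_seen": not_seen}


if __name__ == "__main__":
    result = reconcile(AUTHORIZED_INVENTORY, parse_dhcp_acks(DHCP_LOG))
    for dev in result["undocumented"]:
        print(f"UNDOCUMENTED {dev['mac']} {dev['ip']} {dev['hostname']!r} -> needs risk assessment")
    for tag in result["not_seen"]:
        print(f"NOT SEEN     {tag} -> verify location and status")
```

Both output lists feed the risk analysis: an undocumented device is a candidate for the smart-coffee-pot problem above, while an inventoried device that never requests an address may be unplugged, loaned out, or missing. DHCP is only one observation source; the same reconciliation works over ARP tables, switch MAC tables, or NAC logs.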
2. Vulnerability management
Vulnerability scans are an important tool for reducing risk because they validate the effectiveness of the patch management process. Biomedical and other non-IT devices are not exempt from these threats, nor from the benefits of this control, yet they have often been overlooked.
Performing vulnerability scans on biomedical equipment requires more coordination than scanning other IT-managed systems. Biomedical equipment that is in service providing direct patient care should never be scanned, to avoid the potential for an adverse patient event.
3. Device isolation
Once devices are scanned and vulnerabilities identified, remediation through patch management is the preferred solution. If it is not possible to patch or update the operating system, it may be necessary to isolate the devices on a separate VLAN and restrict access to and from the Internet and other internal systems, except as medically necessary for the devices’ intended purposes.
The same device isolation principles apply to IoT devices, including security cameras, card access systems, printers, SCADA systems, and even the intelligent coffee pot. Unless there is a very compelling business reason, all such devices should be segmented and protected from the rest of the network and the Internet.
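The isolation rule in the two paragraphs above is a default-deny policy: a segmented VLAN whose only permitted flows are the ones the risk analysis identified as medically (or operationally) necessary. The script below is an added example, not code from the original article. The zone ranges, server addresses, ports, and the allowed flows are constructed assumptions; it evaluates individual flows against the allowlist and renders the same policy as iptables FORWARD rules so the two stay consistent.

```python
"""Default-deny segmentation policy for biomedical and IoT VLANs.

Added example (not from the original article). Zone address ranges, server
addresses, ports, and the allowed flows are constructed assumptions; replace
them with the medically necessary flows identified in the risk analysis.
"""
from ipaddress import ip_address, ip_network

# Constructed isolated zones (one VLAN each).
ZONES = {
    "biomed": ip_network("10.20.5.0/24"),
    "iot": ip_network("10.20.6.0/24"),
}

# Constructed allowlist: only flows required for the devices' intended purpose.
# Everything not listed, including all Internet egress, is denied.
ALLOWED_FLOWS = {
    "biomed": [
        {"dst": ip_network("10.50.1.10/32"), "proto": "tcp", "port": 104, "reason": "DICOM to PACS"},
        {"dst": ip_network("10.50.1.20/32"), "proto": "tcp", "port": 2575, "reason": "HL7 to interface engine"},
        {"dst": ip_network("10.50.0.5/32"), "proto": "udp", "port": 123, "reason": "NTP"},
    ],
    "iot": [
        {"dst": ip_network("10.50.0.5/32"), "proto": "udp", "port": 123, "reason": "NTP"},
    ],
}


def zone_of(ip):
    """Return the isolation zone an address belongs to, or None."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip, dst_ip, proto, port):
    """Evaluate one flow leaving an isolated zone; returns (allowed, reason)."""
    zone = zone_of(src_ip)
    if zone is None:
        return False, "source not in a managed isolation zone"
    dst = ip_address(dst_ip)
    for rule in ALLOWED_FLOWS[zone]:
        if dst in rule["dst"] and rule["proto"] == proto.lower() and rule["port"] == port:
            return True, rule["reason"]
    return False, f"default deny for zone {zone}"


def render_iptables(zone):
    """Render the zone's allowlist as iptables FORWARD rules ending in a DROP."""
    net = ZONES[zone]
    lines = []
    for rule in ALLOWED_FLOWS[zone]:
        lines.append(
            f"iptables -A FORWARD -s {net} -d {rule['dst']} -p {rule['proto']} "
            f"--dport {rule['port']} -m comment --comment \"{rule['reason']}\" -j ACCEPT"
        )
    # Final catch-all: anything from the zone not explicitly allowed is dropped.
    lines.append(f"iptables -A FORWARD -s {net} -j DROP")
    return lines


if __name__ == "__main__":
    for flow in [("10.20.5.11", "10.50.1.10", "tcp", 104),
                 ("10.20.5.11", "8.8.8.8", "tcp", 443),
                 ("10.20.6.40", "10.60.0.9", "tcp", 445)]:
        print(flow, is_allowed(*flow))
    print("\n".join(render_iptables("biomed")))
```

The policy is expressed once as data and used for both checking and rendering; keeping the allowlist small and annotated with a reason per flow is what makes the “except as medically necessary” exception reviewable when the risk analysis is repeated.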
4. Integrate biomed into security and privacy incident process
HIPAA requires covered entities to implement a security incident procedure that assumes a breach when a device is missing, lost, or stolen. While laptops and thumb drives account for most of the breaches reported to OCR, we must address why biomedical devices are seldom reported. Challenges include difficulty linking biomedical equipment to specific patients, the lack of audit logs showing what PHI is stored, and delays in reporting lost or stolen equipment. Security officers can address these issues with an awareness campaign reminding everyone to report suspected security incidents promptly. Audit trails also need to be created.
5. Physical protections
Unlike laptops, biomedical equipment is typically not assigned to a custodian. This lack of accountability delays the discovery and reporting of lost or stolen devices. To mitigate this, covered entities should leverage technologies that track devices. Clinicians in an acute setting frequently use barcode scanners to track patients and medications; the same scanners can be used to link biomedical equipment to patients and record locations. Devices that have not been scanned recently can be flagged as potentially missing, giving the compliance and protective services teams a smaller search window. RFID and Bluetooth Low Energy tracking systems can be used to determine the location of high-value assets in real time. This works best when geofencing alerts are integrated with cameras and uniformed protective services as part of a comprehensive incident response process.
Finally, all members of the workforce should be aware that biomedical equipment that stores ePHI should not be stored or charged in unmonitored public areas, as many legacy devices do not require a user ID or password to access sensitive data. This could result in unauthorized access to patient data.
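The “not scanned recently” flag described above is a simple staleness check over the barcode or RFID scan history, and the last recorded location is what narrows the search window. The script below is an added example, not code from the original article: the scan records, asset tags, locations, and the 24-hour threshold are constructed assumptions.

```python
"""Flag tracked biomedical devices whose last location scan is stale.

Added example (not from the original article). The scan records below are
constructed; the 24-hour threshold and the record format (ISO timestamp,
asset tag, location, scanner id) are assumptions.
"""
from datetime import datetime, timedelta

# Constructed barcode/RFID scan events: "timestamp,asset_tag,location,scanner"
SCAN_EVENTS = """\
2024-03-01T09:30:00,BM-1002,ICU-Bed-4,BARCODE-ICU-04
2024-03-01T22:15:00,BM-1001,ED-Bay-2,BARCODE-ED-02
2024-03-02T10:00:00,BM-1001,MedSurg-Room-312,RFID-3W
2024-03-02T07:45:00,FAC-2001,Loading-Dock,RFID-DOCK
"""

# Constructed list of assets that are expected to be scanned regularly.
TRACKED_ASSETS = ["BM-1001", "BM-1002", "BM-1004", "FAC-2001"]


def parse_events(text):
    """Parse scan lines into (timestamp, tag, location, scanner) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, tag, location, scanner = line.split(",")
        events.append((datetime.fromisoformat(ts), tag, location, scanner))
    return events


def last_seen(events):
    """Most recent scan per asset tag, regardless of input order."""
    latest = {}
    for ts, tag, location, scanner in events:
        if tag not in latest or ts > latest[tag]["ts"]:
            latest[tag] = {"ts": ts, "location": location, "scanner": scanner}
    return latest


def flag_stale(tracked, latest, now, max_age=timedelta(hours=24)):
    """Return assets not scanned within max_age; never-scanned assets come first."""
    flagged = []
    for tag in tracked:
        seen = latest.get(tag)
        if seen is None:
            flagged.append({"asset_tag": tag, "age_hours": None, "last_location": None})
            continue
        age = now - seen["ts"]
        if age > max_age:
            flagged.append({
                "asset_tag": tag,
                "age_hours": round(age.total_seconds() / 3600, 1),
                "last_location": seen["location"],
            })
    # Unknown age sorts first, then the oldest sighting first.
    flagged.sort(key=lambda f: (f["age_hours"] is not None, -(f["age_hours"] or 0)))
    return flagged


if __name__ == "__main__":
    now = datetime(2024, 3, 2, 12, 0, 0)
    for item in flag_stale(TRACKED_ASSETS, last_seen(parse_events(SCAN_EVENTS)), now):
        print(f"{item['asset_tag']}: last seen {item['last_location']} ({item['age_hours']} h ago)")
```

A device with no scan history at all is the worst case (no search window), so it sorts to the top; among the rest, the oldest sighting is listed first because it is the most likely to have already left the building. The threshold should match how often the workflow actually scans that device class, otherwise the flag either never fires or fires constantly and gets ignored.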