Most cybersecurity experts agree that cyber attacks — whether ransomware, the theft of information, equipment sabotage, or some combination — are a matter of “when,” not “if.” Healthcare compliance platform provider Protenus reports that one healthcare breach per day has occurred since 2016. Yet many organizations remain underprepared.
For a healthcare organization, “defense in depth” means a well-built physical environment reinforced by a well-designed security infrastructure. Here are the key considerations.
Context
With the convenience of online monitoring comes the exposure from multiple access points. Designers are wise to consider a full range of issues, from internet-enabled medical equipment itself, to the infrastructure in the built environment—and how IT, facilities, and security teams will need to interact around it all.
Connectivity is a vulnerability. Consider every place in the design where network connectivity is possible, with or without remote access. Every connection is an opening that can become a breach.
Evaluating breach potential. As the world becomes more connected through the internet of things (IoT), each new infrastructure point widens the attack surface. For example, is the building control system on the same network as the day-to-day office computers and software, or does it have its own? Most IoT components and mobile apps are built for convenience and speed-to-market, not security. Designers need to ask whether every piece of equipment that can be on the network or reachable from the cloud actually should be, if doing so compromises security.
For another example, some newer medical equipment uses Bluetooth as its communications protocol. Wireless links cannot be segmented by the wired network’s controls, and weak pairing modes add complexity and make “man in the middle” attacks between device and controller easier.
Vulnerability doesn’t come only from new technology. Most medical equipment must clear Food and Drug Administration (FDA) regulatory approval, which can be a long and drawn-out process. As a result, sometimes the only equipment approved for the market is already antiquated by current IT standards: it runs only on older operating systems with limited security features, and patching it may require revalidation, so it has to be protected by the network around it.
Moreover, maintenance agreements for many systems and platforms require remote monitoring by the vendor. IT and security teams therefore need to vet the vendors performing that monitoring and maintenance, and the remote-access paths they use.
Design with a more holistic approach. From the built-environment perspective, the main concern is that, as with devices and controllers, cybersecurity receives too little attention. Some of these concerns belong to the network and infrastructure that IT manages rather than to how the building is built, but cybersecurity still shapes building design: how many networks there are, how they are separated, and where their pathways and equipment rooms sit.
Most facilities and construction management teams are not experts in network architecture or IT, and IT teams are often not security experts. An additional barrier: these teams rarely interact.
Healthcare systems that have found success in network monitoring tend to have stringent processes and requirements for anyone who wants an IP connection to their network. Clearly established procedures that evaluate every technology requiring connectivity greatly reduce network threats.
The most critical data issues
Patients’ personal information is at risk not just from the systems and equipment used to monitor and manage their health, but also from the data storage, building systems, and employee devices that could access it.
Personal information storage. As repeated attacks on healthcare systems have demonstrated, hospitals store a great deal of personal information, everything from financial data to Social Security numbers and medical histories.
The federal HIPAA law gives providers a duty to protect this data and to notify affected patients without unreasonable delay, and no later than 60 days after a breach is discovered. In 2013, Affinity Health Plan paid $1.2 million to settle a HIPAA violation after it failed to erase the data left on the hard drives of copiers it returned to its leasing company. Even maintenance agreements can run afoul of HIPAA when routine servicing results in patient data leaving a healthcare facility.
Not unrelated are ransomware attacks on healthcare facilities, which encrypt patient data and demand tens of thousands or even millions of dollars for its release. According to Verizon, ransomware has accounted for 70% of all malware attacks on healthcare systems for two years in a row. In 2019, DCH Regional Medical Center in Tuscaloosa, Northport Medical Center in Northport and Fayette Medical Center temporarily turned away new patients after a ransomware attack on their systems, and ultimately paid the attackers to release the data.
Building systems risks. From a design and MEP standpoint, certain systems carry particular risk. The use of an HVAC contractor’s network credentials to reach Target’s payment card systems in late 2013, for example, shows how exposed building control systems and third parties can be, and how much attackers know about such systems and their weaknesses.
Even an access-control (locking) system holds records of who entered and exited the building and when; if it is reachable from the internet, it becomes both a data-exposure and a physical-access risk.
BYOD. “Bring Your Own Device” is a significant issue because it pits risk against convenience by potentially blending employee, facility, and/or patient data. Facilities and medical personnel alike want to have certain information available on their phones, tablets, laptops, and other hardware that connects to the network.
For instance, facilities personnel need notifications about equipment status. Providers, likewise, may want to access records and test results from their phones, or even communicate directly with their patients.
The question becomes how to enforce security not only on the internal infrastructure but on every device that accesses it. Mobile device management (MDM) technology can separate work data from personal data and enforce device posture, which helps prevent malicious attacks, but on its own it is not a panacea. Secure messaging platforms can keep communication with or about patients within HIPAA requirements.
Keep in mind that infrastructure increasingly includes cloud-based solutions, especially to store electronic medical records (EMRs). Cloud-based solutions, like any other infrastructure, need to be properly vetted, including a business associate agreement with the provider.
Planning for defense in depth
Planning starts with the end result in mind, but along the way, there are other key goalposts. These include the capacity for joint decision-making across stakeholder groups, cyber risk management alongside other disaster planning, and infrastructure design that reflects both factors.
Center solutions on the desired outcome. In planning, it is key to consider the end goal. For example, emergency power is critical when it is needed. Before connecting the PC that controls that emergency power to the internet, teams should ask whether that is necessary at all, or whether read-only access to certain parameters is enough. The system may report a “problem” to a remote receiver, but does the nature of that problem really need to be broadcast across the network?
Every added remote connection is also an opportunity for a security breach, so designers and planners should weigh carefully which ones to allow.
Make IT and facilities decisions jointly. The responsibilities of the IT group/IT infrastructure and the facilities group/facilities infrastructure may mesh, creating a gray area. How do these two groups relate? Where is the boundary? And how do the two coordinate?
Few teams know how to have productive conversations around security issues. Compounding this problem: people don’t take preparedness seriously because they think it won’t happen to them, in spite of evidence to the contrary. However, healthcare data protection regulations make it well worth discussing a strategy. Treat cyber threats just like any other hurricane/storm/natural disaster—prepare for it, plan for it, and put protective measures in place.
For example, the WannaCry ransomware disrupted large parts of the United Kingdom’s National Health Service (NHS), along with many other organizations, in May 2017. It spread through a Windows file-sharing (SMB) vulnerability for which Microsoft had released a patch about two months earlier, but many systems had not been updated in time.
Updating software and patching security vulnerabilities on all the PCs in a hospital reaches further than many realize: not just the workstations for providers and staff, but also the building control system and other infrastructure.
Decisions need to be made around maintenance schedules and protocols to ensure the installation of patches and updates when they become available. This includes BYOD equipment. Policies can require it to be up-to-date and protected, and can additionally require a certain level of encryption, mobile device management, and/or one-way network communication.
Manage cyber risk like any other. Consider cyber risk and cybersecurity as part of disaster preparedness. Know where the weak links are, and explore cyber insurance as one protective measure. Expect a defined level of security from vendors and contractors/engineers who work with internal systems and data. For instance, contracts with third parties such as medical equipment vendors should document how they handle cybersecurity as part of the purchase process.
In addition, a facility’s IT security team should review contracts as part of standard negotiation protocol. This may be the only way for materials management departments to fully understand the liability the contract may be asking them to assume. Legacy vendors should be vetted on a regular basis, too. It’s easy to get into a habit of trust, especially over many years, but an older system may not meet the appropriate standards, including for monitoring.
If that is the case, a facilities director can work with the IT team to help the vendor understand the security goals so that it can upgrade the system and its components. Keep drawings and an inventory for the entire healthcare system, including what products it contains and whether and how they connect to the internet. Be aware that the code and control logic for building systems may exist only on the computer of the person who programmed them; get copies under the facility’s own control.
Those outside parties are not automatically bound by the facility’s own cybersecurity policy, so facilities and IT staff, as well as leadership, need to ensure that everyone with access to the hospital’s network is held to the same standard.
Well-designed infrastructure. Once decisions have been made about outcomes, policies, and governance, it’s time to address actual design.
Balance efficiency against risk. Availability of operational data is nice, but the more things connected to the network, the greater the risk. For example, if a hospital wants to connect its generator to the web to see all its parameters, the risk depends on where the generator controller sits in the network hierarchy and how it communicates. It is up to someone experienced to point out the pros and cons.
One solution is devices that communicate in only one direction and accept no write-backs, such as a read-only telemetry feed. In many cases hospitals can make the design decisions they want without putting themselves at risk, by choosing protocols and topologies that support that separation.
Segregate patient and facilities data. Many leaders segregate the medical side of a network from the facilities side. Two different network loops, with different routers and different wires, may be created. Alternatively, some people color code wiring so that certain color wires are connected to one network or another, just to keep visual separation between the two.
Some facilities take this concept further by physically separating the networks, rather than relying on logical separation with virtual LANs (VLANs) on shared switches. For example, patient IoT devices may run on one network, with facilities systems on another.
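The one-way monitoring rule from the emergency-power and generator discussion above and the clinical/facilities separation described here can be checked before anything is wired. The following is an added example, not code from the article or from TLC Engineering; the zone names, the device inventory and the firewall-rule model (a zone reaching a named device with "read" or "write" access) are all constructed for illustration.

```python
"""Design-time check of a network segmentation plan (added example, not from the article).

The zones, devices and rules are constructed. The check enforces two design rules:
  1. clinical and facilities equipment live on different networks, and no device
     or permitted flow bridges them;
  2. building-control equipment exposed for remote monitoring is read-only to
     everyone except the on-site facilities network, so nothing outside it can
     write back to the equipment.
"""
from dataclasses import dataclass

CLINICAL = "clinical"
FACILITIES = "facilities"
OFFICE = "office"
VENDOR = "vendor-remote"


@dataclass(frozen=True)
class Device:
    name: str
    zones: tuple                    # every network the device has an interface on
    building_control: bool = False  # generator controller, BAS, door controller, ...


@dataclass(frozen=True)
class Rule:
    """A permitted flow in the firewall plan: a zone reaching a named device."""
    src_zone: str
    dst_device: str
    access: str                     # "read" (telemetry only) or "write" (changes state)


def check_plan(devices, rules):
    """Return a list of human-readable policy violations (empty list == acceptable)."""
    by_name = {d.name: d for d in devices}
    violations = []

    # Rule 1a: a dual-homed device is a bridge between the two networks.
    for d in devices:
        if CLINICAL in d.zones and FACILITIES in d.zones:
            violations.append(f"{d.name}: interfaces on both clinical and facilities networks")

    for r in rules:
        if r.access not in ("read", "write"):
            violations.append(f"{r.src_zone}->{r.dst_device}: unknown access type {r.access!r}")
            continue
        dst = by_name.get(r.dst_device)
        if dst is None:
            violations.append(f"{r.src_zone}->{r.dst_device}: rule targets a device not in the inventory")
            continue
        # Rule 1b: no permitted flow may join the clinical and facilities sides.
        if {CLINICAL, FACILITIES} <= ({r.src_zone} | set(dst.zones)):
            violations.append(f"{r.src_zone}->{r.dst_device}: flow crosses the clinical/facilities boundary")
        # Rule 2: only the on-site facilities zone may write to building control.
        if dst.building_control and r.access == "write" and r.src_zone != FACILITIES:
            violations.append(f"{r.src_zone}->{r.dst_device}: remote write access to building-control equipment")
    return violations


# Constructed plan: the accepted design.
GOOD_DEVICES = (
    Device("infusion-pump-7", (CLINICAL,)),
    Device("emr-server", (CLINICAL,)),
    Device("generator-ctl", (FACILITIES,), building_control=True),
    Device("bas-controller", (FACILITIES,), building_control=True),
)
GOOD_RULES = (
    Rule(OFFICE, "generator-ctl", "read"),        # dashboards see run status and parameters
    Rule(VENDOR, "bas-controller", "read"),       # contracted remote monitoring, read-only
    Rule(FACILITIES, "bas-controller", "write"),  # on-site operators may change setpoints
    Rule(CLINICAL, "emr-server", "write"),
)

# The same plan with three convenience-driven changes that the check should reject.
BAD_DEVICES = GOOD_DEVICES + (Device("nurse-tablet", (CLINICAL, FACILITIES)),)
BAD_RULES = GOOD_RULES + (
    Rule(VENDOR, "generator-ctl", "write"),       # vendor wants to start/stop the generator remotely
    Rule(FACILITIES, "emr-server", "read"),       # facilities portal pulls patient census from the EMR
)

if __name__ == "__main__":
    for label, devs, rules in (("good", GOOD_DEVICES, GOOD_RULES), ("bad", BAD_DEVICES, BAD_RULES)):
        problems = check_plan(devs, rules)
        print(f"{label} plan: {len(problems)} violation(s)")
        for p in problems:
            print("  -", p)
```

Run it and the accepted plan produces no findings, while the modified plan reports the dual-homed tablet, the vendor's write path to the generator controller, and the facilities-to-EMR flow. The useful design choice is that "read" versus "write" is decided per rule and per device class, so a read-only remote dashboard passes while the same vendor asking for control is rejected by the same check.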
Disaster preparedness and recovery plans
Ultimately, breaches start with people and affect people—so people are key in preventing and mitigating them. It starts with training, but ongoing conversations around resiliency, along with testing and reinforcement of policies and procedures, are what make all the difference.
Prepare through people. Infrastructure design and policy only go so far. The biggest gap in control and security is people: someone clicks the link in an email or visits a website they should not.
Because the possibility of a breach has historically been considered so remote, there are fewer training protocols in place for cyber attacks than for other types of disasters.
Instill knowledge among employees. Knowledge is the beginning of understanding. Start by reinforcing the idea that as critical systems increasingly become reliant on networks, the risks multiply – from a data breach or ransomware attack, all the way to the risk that entire building systems can shut down.
Talk about it. Resiliency conversations need to include life safety protocols for high-risk patients. These protocols can be likened to telephone systems’ “five 9’s” reliability: 99.999% uptime, a mark that health networks should aim to hit, too. Understand which items are part of the network, which are connected, and how they connect. Know the maintenance protocols for those items, and keep a schedule for installing patches and updates. Ensure the network has a strong set of cybersecurity platforms, from intrusion prevention and detection systems (IPS/IDS), to security information and event management (SIEM), to endpoint detection and response (EDR), among others.
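An IDS or SIEM only helps if someone has written down what "wrong" looks like for this network. As an added example (not code from the article or its authors), the detection below runs two rules over firewall log lines: any flow between the clinical and facilities subnets, and any connection to a building-control host on a control-protocol port from outside the facilities subnet. The subnet-to-zone map, the host list and the log lines are constructed, and the space-separated key=value log format is a generic stand-in rather than any vendor's. Modbus/TCP on port 502 and BACnet/IP on UDP 47808 are the standard ports for those protocols.

```python
"""Segmentation and write-back detection over firewall logs (added example, not from the article).

The zone map, host list and log lines are constructed. Denied attempts are
alerted as well as allowed ones: an allowed hit means the firewall policy has
a gap, a denied hit means someone is probing the building-control equipment.
"""
import ipaddress
from collections import Counter

ZONES = {                                   # constructed subnet-to-zone map
    ipaddress.ip_network("10.10.0.0/16"): "clinical",
    ipaddress.ip_network("10.20.0.0/16"): "facilities",
    ipaddress.ip_network("10.30.0.0/16"): "office",
}
BUILDING_CONTROL_HOSTS = {"10.20.1.10": "generator-ctl", "10.20.1.20": "bas-controller"}
CONTROL_PORTS = {502: "modbus-tcp", 47808: "bacnet-ip"}   # standard ports for these protocols

# Constructed log lines in a generic key=value format (not a vendor's real format).
SAMPLE_LOG = """\
ts=2024-05-01T02:11:03Z src=10.30.4.12 dst=10.20.1.10 dport=443 action=allow
ts=2024-05-01T02:11:09Z src=10.10.7.55 dst=10.20.1.20 dport=47808 action=allow
ts=2024-05-01T02:12:40Z src=203.0.113.9 dst=10.20.1.10 dport=502 action=allow
ts=2024-05-01T02:12:41Z src=203.0.113.9 dst=10.20.1.20 dport=502 action=deny
ts=2024-05-01T02:13:02Z src=10.20.1.20 dst=10.30.4.12 dport=514 action=allow
ts=2024-05-01T02:13:30Z src=10.10.3.4 dst=10.10.9.9 dport=443 action=allow
"""


def zone_of(ip):
    """Map an address to its zone; anything outside the known subnets is external."""
    addr = ipaddress.ip_address(ip)
    for net, zone in ZONES.items():
        if addr in net:
            return zone
    return "external"


def parse_line(line):
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {
        "ts": fields["ts"], "src": fields["src"], "dst": fields["dst"],
        "dport": int(fields["dport"]), "action": fields["action"],
    }


def analyze(lines):
    """Return one alert dict per rule hit; a single line can trigger both rules."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        src_zone, dst_zone = zone_of(ev["src"]), zone_of(ev["dst"])
        # Rule 1: clinical and facilities networks must never talk to each other.
        if {src_zone, dst_zone} == {"clinical", "facilities"}:
            alerts.append({"rule": "segmentation-violation", **ev})
        # Rule 2: control-protocol traffic to building-control hosts only from the facilities zone.
        if (ev["dst"] in BUILDING_CONTROL_HOSTS and ev["dport"] in CONTROL_PORTS
                and src_zone != "facilities"):
            alerts.append({"rule": "write-to-building-control",
                           "host": BUILDING_CONTROL_HOSTS[ev["dst"]],
                           "protocol": CONTROL_PORTS[ev["dport"]], **ev})
    return alerts


def summarize(alerts):
    return Counter(a["rule"] for a in alerts)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a['ts']} {a['rule']:26} {a['src']} -> {a['dst']}:{a['dport']} ({a['action']})")
    print(dict(summarize(found)))
```

On the sample, the office dashboard reading the generator controller over HTTPS and the facilities controller pushing syslog to the office network pass silently, the clinical host reaching the BAS on BACnet triggers both rules, and the two external Modbus connections are reported whether the firewall allowed or denied them. The detection deliberately keys on destination host and port rather than on the source being "external", so a compromised office workstation reaching for port 502 is caught the same way.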
Train all employees. An internal training program will help prepare facilities in advance and mitigate the biggest risk in most facilities—the human element.
Test and reinforce. A two-pronged approach addresses both the human and the systems vulnerabilities. One example strategy is to send a simulated phishing email internally. People who click the link are required to attend training for a “first offense,” and there may be harsher penalties (additional training, or even termination where the data is extremely sensitive).
It’s also a good idea to test the network as much as other critical systems. Because the network is becoming one of the most critical systems for communication and operations during major events, testing on a periodic basis is ideal.
Disaster preparedness nowadays is about more than fires, floods, outbreaks, or other mass casualty incidents. It now also considers cybersecurity incidents, building resiliency into both physical and cyber environments.
Ted Hood is Associate | Senior Project Manager | Technology with TLC Engineering Solutions, Inc. He can be reached at ted.hood@tlc-eng.com.
James D. Ferris, PE, is Chief Operating Officer with TLC Engineering Solutions. He can be reached at james.ferris@tlc-eng.com. www.tlc-engineers.com