Cybersecurity will continue to be a pressing concern for healthcare leaders in 2023. Journalists in both the healthcare press and the technology press anticipate that healthcare will remain a leading target for cyber criminals, as it provides one of the highest per-record prices for stolen data.
As anyone who works in healthcare security knows, keeping sensitive data safe requires a holistic and documented process. But all too often security teams focus a disproportionate amount of effort on information technology (IT), while overlooking the many security risks inherent in their operational technology (OT).
Understanding The Unique Security Needs of OT
Before we delve deeper into how to secure your OT, let’s first take a moment to define what OT is.
Operational technology connects and manages the infrastructure in your facility. Common types of OT in healthcare include scanners, MRI machines, ventilators, automated access control systems, and climate control systems.
Unlike information technology systems—such as workstations, servers, and PCs—OT systems have not benefited from decades of accumulated security attention. These devices are often serviced by manufacturers or local contractors, who aren’t nearly as concerned with cybersecurity as their IT counterparts.
Without the benefit of firewalls, anti-virus software, and cybersecurity training, OT devices are vulnerable to catastrophic intrusion. According to a Gartner prediction, cybercriminals will learn to weaponize OT environments to harm or kill humans by 2025. That means now is the time to get proactive about OT security, before your practice integrates IoT devices and other forms of OT too deeply into your network.
Below, let’s look at some of the most common forms of OT and the security vulnerabilities they present.
Building Access Control Systems
There are many types of access control systems in every medical facility, including parking lot gates, door control systems, and systems for protecting pharmaceuticals, records rooms, and other healthcare supplies.
Like other OT systems, modern building control systems span services, hardware, and software, which makes them vulnerable to attack.
There are numerous recent examples of this. At the end of last year, hackers at the Black Hat conference demonstrated how to make keycards otherwise secure HID proximity cards. Similarly, hackers released 10 vulnerabilities inherent in the Linear eMerge E3 system onto the dark web, allowing cyber criminals with modest skills to cause a “complete shutdown of the affected resource.”
HVAC and Climate Control Systems
In a healthcare environment, where doctors are performing surgeries and other invasive procedures, climate controls can make the critical difference between a successful and an unsuccessful procedure.
Despite the critical importance of these systems, they’re often overlooked. The reasons vary from organization to organization. Some officers see HVAC systems as less of a target for intrusion than other OT.
The reality is that the latest generation of smart HVAC systems is connected to the Internet, so they’re vulnerable to cyberattack like any other connected device. Cybersecurity consulting firm ForeScout Technologies found that there are 8000 HVAC devices, mostly in healthcare and educational organizations, that are vulnerable to malware infection and cyberattack.
Security Camera Systems
Security camera systems are one of the most common physical security measures. However, since modern camera systems have become so deeply integrated with the overall network, providers and their security teams need to pay special attention to ensuring that those cameras are secured.
The list of security risks that Internet Protocol (IP) security cameras present is long. Poor camera positioning can compromise PHI by allowing unauthorized personnel to view data, while hackers can target the camera system’s firmware (or weak passwords) to access all your live feeds and spy on your employees.
These scenarios are not hypothetical. Just recently, a group of hackers targeted over 150,000 security cameras at some of the world’s largest firms, including Florida healthcare network Halifax Health, simply to show how easily it could be done.
Four Steps to More Secure Operational Technology
Now that you’re aware of the security risks inherent in OT, the question becomes, what should you be doing about it? The best approach is to formulate an action plan, starting with a thorough network assessment.
After you’ve cataloged your OT devices, I recommend following, at the bare minimum, the steps below to establish a baseline of confidence in your facility’s OT.
Vigilant Firmware Updates
In the same way that IT systems need to be patched and updated, OT devices must have their basic input output system (BIOS) and firmware updated as the vendor releases new versions. Firmware controls the signals that come in and out of the system, which makes it one of the first places that hackers will start an attack.
Pay Extra Attention to Foreign Hardware
In the OT industry (and the IoT in particular), new technologies are developed in developed countries, then secondary manufacturers pick up on the idea and start making cheaper versions in China or India, where they are manufactured for a fraction of the price.
There’s a benefit to low-priced hardware, but the trade-off is that a vendor who creates cheaper devices isn’t likely to secure them like an established brand would. This leads to serious cybersecurity risk, so be careful when vetting new hardware.
Eliminate Default Passwords
A basic but critical step to securing OT devices is to ensure that you change any administrator passwords from the default to something both secure and unique. This simple step is enormously effective at preventing hackers from using stolen credentials (or cracking software) to compromise OT devices.
Get Help from an OT Security Specialist
Don’t trust your landlord or manufacturer to secure your OT devices. To ensure each device is getting the attention it needs to be completely HIPAA and HITECH compliant, you’ll need to enlist the help of a trusted security firm with healthcare experience to regularly audit OT hardware and ensure security controls are rigorously applied.
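As an added example (not from the original article), here is one way to run the firmware, vendor and default-password checks over the device catalog produced by the network assessment. The CSV columns, device names and version strings are constructed for illustration, and the password and vendor columns are assumed to be filled in by staff during the assessment.

```python
import csv
import io

# Constructed sample catalog; every device, version and column name is hypothetical.
INVENTORY_CSV = """device,category,vendor_vetted,installed_fw,latest_fw,default_password_changed
door-ctrl-01,access_control,yes,2.4.1,2.4.1,yes
hvac-or-3,hvac,yes,1.9.0,1.12.2,no
cam-lobby-7,ip_camera,no,5.0.3,5.0.10,yes
mri-ctl-2,imaging,yes,3.1,3.1.0,yes
vent-icu-4,ventilator,yes,B7-rc2,4.0,yes
"""

def parse_version(text):
    """Turn '1.12.2' into (1, 12, 2) so that 1.12 sorts above 1.9.
    Trailing zeros are dropped so '3.1' and '3.1.0' compare equal."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def audit(csv_text):
    """Return {device: [issues]} for every device that fails a baseline check."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        try:
            if parse_version(row["installed_fw"]) < parse_version(row["latest_fw"]):
                issues.append(f"firmware {row['installed_fw']} is behind "
                              f"vendor release {row['latest_fw']}")
        except ValueError:
            # Non-numeric version strings cannot be ordered safely; flag for a person.
            issues.append("firmware version not comparable, check manually")
        if row["default_password_changed"].strip().lower() != "yes":
            issues.append("administrator password still at vendor default")
        if row["vendor_vetted"].strip().lower() != "yes":
            issues.append("hardware vendor has not been vetted")
        if issues:
            findings[row["device"]] = issues
    return findings

if __name__ == "__main__":
    for device, issues in audit(INVENTORY_CSV).items():
        for issue in issues:
            print(f"{device}: {issue}")
```

Comparing versions as tuples of integers matters here: a plain string comparison would rank firmware 1.9.0 above 1.12.2 and miss the outdated HVAC controller.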
Eric Madden is President of Astute Technology Management. For over 20 years, his team has been providing businesses in Ohio with the strategic and technical skills necessary to achieve total IT confidence. At his core, he still considers himself the nerdy kid who got a Tandy as a gift from his father and enjoys learning about all facets of technology—especially cybersecurity—and leveraging it to improve the lives of those around him.