Matt Dimino, Medical Device Security Consultant with CynergisTek, joins us to discuss cyber hygiene for clinical equipment and the precautions you should take while these devices are in high demand. Matt breaks down best practices and considerations healthcare delivery organizations should undergo to improve safety and reduce the threat landscape of the medical device ecosystem during the COVID-19 emergency.
Links to stories:
You may find Matt’s related blog on practicing good cyber hygiene for medical equipment during COVID-19 at https://bit.ly/2VtG78l
You may also read Matt’s article on supporting medical equipment demands during COVID-19 at https://bit.ly/3au7C6d
Hello and welcome to CTEK Voices: The Risk Perspective. I’m your host Lauren Frickle. I’m back with Matt Dimino, Medical Device Security Consultant with CynergisTek. Matt’s considered an expert in medical device cybersecurity and risk management and today you will be discussing cyber hygiene for clinical equipment.
Hi Matt, how are you?
Hi, I’m good. Thanks for having me today.
So again, my name is Matt Dimino. I’m here to talk about cyber hygiene for clinical equipment, more of a high-level series of statements and issues that we’re finding with a lot of devices around today’s circumstances. So, as events around the world continue to change on an hourly basis, demand for healthcare services kind of flourishes, not exactly how we would all have envisioned or projected, but the use of services, precautions, and equipment nonetheless are in high demand.
Now as the needs and uncertainties escalate, so does the concept of fraud, phishing, and tremendously devious social engineering tactics. In fact, cyber-attacks have increased by 150% in the healthcare sector over the last two months as criminals seek to take advantage of system vulnerabilities during this crisis.
As CTEK continues to operate and protect our clients and customers, we must bear in mind the impact these threats could have on clinical equipment. Now, these realistic threats can serve as entry points into or through our clinical technologies. Now with our guard up around people, processes, practices, places, and things, we tend to be unguarded against the hidden dangers or vulnerabilities in medical devices that can be exploited.
As part of this podcast, we take a look at some basic practices and steps that you, these clinicians, can practice to help maintain system health and improve security. As clinicians are mostly worried about patient safety, their own safety, and the well-being of all. In this dialogue, we’re going to kind of focus on the basics that have vulnerabilities that can lead to different problems. Now creating a guide for a broader target audience with a wider, diverse range of backgrounds, education, and expertise on the topic can be challenging. So, I hope to find the right balance here with this podcast by addressing some simple steps and measures to make sure that you take protection mechanisms and safety for all from all security perspectives with medical devices.
Now regardless of who listens the content is easily digestible. It can be interpreted by anyone and the message can continue forward with all the stakeholders in the organization.
So, this unique time calls for difficult and complex solutions that exposes the healthcare industry to attacks that can compromise the confidentiality, integrity, and availability of data systems and services. As a result, stakeholder awareness is a primary goal for today’s topic, and to start things off we’ll discuss the loss of data.
So right now, most devices are strategically placed, they’re accounted for, they’re set up accurately, ensuring proper workflow, and you may even be using real-time location services to track these devices. As many healthcare delivery organization objectives change and adapt to accommodate COVID-19, it’s becoming more challenging to obtain the devices and clinical technologies that are necessary.
So, what is happening is most hospitals are shifting their resources to prepare and accommodate all, not just those that are ill. So, ensuring proper isolation, sanitization, proper sanitization mechanisms, and safety for all. So much of the resources are people, processes, and devices. When these resources are shifted, it opens a door for risk: that someone may not understand, they may not know the new processes or the procedures, there’s risks in human and operational errors, and there’s risks in how devices are used to support patients in this difficult time.
But it’s comparatively easy to obtain a medical device out of a clinical department or unit, such as a blood pressure machine, an ultrasound, or an EKG, and start acquiring data.
Many of our devices are connected to the network either directly or indirectly, so wireless or wired or through a piece of middleware of some sort. As these resources shift it’s becoming common practice to move medical devices that have low utilization or those from departments in the hospital that are serving less patients at the moment and place them in dedicated isolation or quarantine areas to accommodate those that might be infected.
Something we need to realize is the selected location may not have the same technological capabilities as the area or the place or clinical area that the device originated from. So, this highlights several risks that can easily be mitigated if properly identified beforehand.
But first, the infrastructure may not support the device. Therefore, ensuring it can is important, and if it can’t, you may need to find a device that can, or you may have to look at the device and how it currently operates in a different state. Maybe storing data or information locally. So, this first item of concern is data loss. So, if we’re acquiring patient information periodically, let’s say with an EKG device or an electrocardiogram, and the information is stored locally on the device and transmitted later, this potentially creates a problem with corruption of data, or a device may malfunction and render the data unusable.
It’s best practice or it’s best to look at the device and try to maintain and transmit it during or directly after an acquisition while in the determined location. That way it reduces your chances of losing any data by not transmitting it at the appropriate time. Chances are, when you’re in quarantine, the processes and procedures may not allow for the device to be moved around or moved to other designated areas to transmit. So again, in some cases we have to hold the data locally and then transmit at a later time. Especially for other locations or maybe in a mobile unit or mobile area.
Now, devices not connected to the infrastructure or moved to an isolated area aren’t being updated with patches or firmware when they become available, leaving them pretty vulnerable. Any mobile medical device that may have a Windows operating system or device that uses a multi-purpose computer or laptop could be vulnerable if it’s in isolation for extended periods of time. With that being said, if it’s not connected to the infrastructure, the chances of it being attacked or infected are rather low, but when you bring that back into a normal operating environment, if it wasn’t updated or if it’s not patched or current, then it becomes vulnerable again.
Additionally, throughput on the infrastructure is critical in maintaining the integrity of the data. Even if the infrastructure can handle the data, it doesn’t mean that it should if it can’t meet the manufacturer specifications. For instance, if multiple devices are transmitting large amounts of data on the network at the same time, data may not reach its destination reliably or accurately. Now, this same topic coincides with misplaced data. What did we do with it? Do we forget to transmit our data? If you’re storing data locally and sending later, therefore validating the data is an important step. An example is maybe you have a mobile van or a unit you’re sending out into the community to test and take vitals for physiological measurements on patients. This data will be stored within the device until network connectivity is established and can be transmitted.
So, if a user or operator forgets or overwrites the data with another patient’s information, it creates a loss of integrity and/or a loss of data altogether. Now a common practice in situations where equipment inventory is low or additional equipment is needed is the use of rental companies. For instance, there’s a shortage of ventilators right now at numerous health care delivery organizations. One approach they may take is contacting a rental company to temporarily acquire the ventilators or patient monitors to equitably care for their patients. Many ventilators are equipped to store and transmit PHI as well as other sensitive information, network configuration settings.
If your organization has chosen to acquire multiple devices, it’s extremely important to properly sanitize the media at the conclusion of the equipment agreement. This ensures the equipment does not have the remnants of sensitive information.
Now your clinical engineering department will likely be able to help set this up and should be able to assist with the sanitization as well. Otherwise, it should be considered within the agreement.
And many organizations are buying used equipment from multiple vendors or third parties to help convert med-surg areas for pre-post out of surgery areas with monitoring and ventilators. This is a very reasonable purchase amid the crisis, but keep in mind some of these devices may come with someone else’s data. They may have limited licenses and feature sets. They may come with outdated operating systems and firmware. So please advise with clinical engineering or any stakeholder for that matter to ensure that you get the correct license and firmware and an up-to-date system if possible.
Additionally, if these devices are a few revisions behind, make sure there are no current vulnerabilities or at least nothing greater or riskier than what you currently have. This significantly opens the door to attacks when you choose this option. Even reputable dealers or resellers are not focused on cybersecurity efforts. So, you usually end up with older revisions and firmware which are easier to acquire and cost-effective and we repurpose them to sell.
Now in an attempt to overcome the overwhelming need for specific classes, it is not safe to use old outdated pieces of equipment that may have software vulnerabilities. In an attempt to round up devices from a separate site, we tend to use devices that are in storage in some cases. These aren’t always adequate, and it’s not because of the inability but because the system may not have been patched or updated in a long time and we might not even have the proper compensating controls that can provide a layer of security for this device. Now, not all devices will be affected; we’ll find it more prominent in multi-use workstations and computers and things like that that are connected to the hospital network.
But for the most part you to check with clinical engineering and any other stakeholders that maybe knowledge from the still moving to verify that. Another key ability here that is to pay attention to is ensuring accurate inventory of these clinical assets. So, clinical engineering should maintain this information, but they should also be able to help determine asset utilization and where assets may be located that can be repurposed. They’ll be able to determine the true function of the device and how they can assist and place that into a specific area or isolated area. They also maintain records; that way, once the event is over, the device can be properly disinfected and returned to the proper department. So, if your organization may use like a real-time location service, you can use that to also help locate and place devices where they once were or where we need to be.
A tremendous topic that needs to be discussed and can’t be overstressed or stated is educating your users. So essentially users should be aware of what devices they are and what they’re using and how they operate, but we’ve come to a world of plug and play, and in many times different manufacturers, brands, models differ in how they operate and how they use, manipulate, store, and transfer data.
So, therefore, it might be appropriate to designate someone for data storage or transmission in the event you cannot transmit upon acquisition. So, seeking super users or delegating responsibilities to maintain devices and/or data is critical. And validating your data after it has been sent is a significant step. So for instance, if you were looking at a picture archiving system or PACS and we’re sending images to that PACS system for a radiologist to review, we may want someone right then and there to verify those images have made it to the PACS system so the physician can read those images.
We also want to look at limiting the number of users and this corresponds to the previous statement on designating someone so when you have less people doing multiple jobs, you have less room for error and this holds true with clinical engineering and any stakeholder for that matter as well.
If a designated area is set up for a situation, you should designate certain people for that area. So for instance, if we’re looking at clinical equipment and we want to make sure it’s running and the uptime is there, designating a clinical engineering person for that area might be what’s secret because they’ll have an understanding of the workflow and they’ll be able to respond to your calls, your equipment downtime needs, much faster, and it limits the risk of infection among more people and spread there, and confusion for that matter.
The other item that we want to discuss is backing up, so making backups of your equipment. So, you want to ensure that the Clinical Engineering Department, the Information Technology Department, the IS Department all have properly backed up devices or workstations and clinical staff can ensure data integrity, meaning that they verify the data again once it’s received. Allowing or relying too much on devices can cause error, so clinical engineering should properly prepare all devices before they may be deployed. If going to a separate quarantined area, you know, that clinical engineering group should back up all systems, user settings, and ensure there’s common parts that may need to be replaced for some of these devices.
I discussed a little more about that in another podcast segment, so looking at having adequate spare parts for a lot of these devices that are going to be in these quarantine situations is critical, and therefore again having backups is critical if there’s a device failure so you don’t have to start swapping devices again that may be infected.
Now, I highly advise to have a solid inventory of all your devices in your departments, especially those caring for COVID-19 patients. Now, my request isn’t limited to standard medical equipment. My request is knowing if you have smart devices and voice assistants located within these areas. Something like an Alexa or a Google Home. These devices are always listening. Even though they have required activation phrases, these devices can easily capture, record, and transmit sensitive information that may have been discussed between clinicians, caregivers, patients, and staff.
These devices can easily be solicited accidentally and therefore capture again those conversations that weren’t intended to and if they’re needed it’s really advisable to just remove them.
Another item is watching for theft of devices and data. So, when you’re outside your normal security controls, it’s important to recognize the potential for theft. It’s unfortunate, but it happens and with desperate times calls for desperate measures for many. So, with so much tech and so many gadgets that we see they’re becoming smaller and more portable and it’s becoming extremely easy to just swipe something that may contain protected health information or even something that may be dirty and infected with the Coronavirus.
So, ensure devices that are mobile or portable are securely locked or fastened to an IV pole when possible. Now IV poles are usually easily accessible but maybe not so during this time, so maybe your clinical engineering or information technology department gets crafty with providing different locking mechanisms, cable ties. You know, there’s a wide range and list of things that you could probably do to help to try and maintain that physical security. Now cameras may not be installed also in the segregated locations. So, therefore, it may require the presence of law enforcement or security or finding your mobile cameras to set up to be able to monitor and watch for any theft or issues that may arise.
Now knowing your policies is very important. So, we want users and clinician staff to report suspicious emails and behaviors to supervisors.
This is also part of educating our users, you know, your organization’s mission, your values, policies, and procedures. They’re put in place to assist the workforce in making appropriate decisions. In this time of crisis judgment may be impaired, but knowing the foundation of the organization and what it stands for can significantly poor judgment and moral-ethical decisions.
So, in this case ensure employees are following their playbook. If you don’t have one, it’s never too late to create one, and furthermore the outcome of all this should provide for discussions on lessons learned, knowing what went right, what went wrong, and having that be able to fix for something like this in the future.
I want to kind of look at that trust-but-verify model, double-checking your settings on all your clinical equipment. When operating devices outside the norm, it’s important to double-check settings and parameters. If they need to be configured, these devices should go through maybe clinical engineering or IT first. If they don’t require any special configuration settings, maybe from the network or an operations standpoint, but maybe they need user settings or patient settings, the users should always double-check these settings.
Since operating outside the norm, the protection mechanisms may not be in place to prohibit the use of specific or special settings like maybe drug libraries and things like that. Now device settings used in a normal clinical environment may not be necessary or applicable in a temporary setting like what we may be deployed in right now in your organization.
If you’re moving to an off-site separate clinic or facility and you’re taking care of these patients the frivolous features that are coupled with a lot of these devices just may not be necessary and should be turned off if they’re not needed.
What this means is feature sets like Wireless and Bluetooth should be turned off if the device does not need them and if you have chosen to move the devices to a separate or non-clinical area or just an area where the device is not intended or really designed to be in.
Recently a set of cybersecurity flaws was found in a range of medical devices with Bluetooth Low Energy, which could allow a hacker to remotely crash the device or access its data. So according to a recent folder from the FDA, the BLE or Bluetooth Low Energy is used to pair and exchange data between two devices to perform specific functions and even preserve battery life. But research has discovered a vulnerability, and that vulnerability could allow an attacker to remotely crash the device, stop its function, or access functions typically only available to an authorized user. And information is publicly available, so these exploits could be put on these devices and could put these devices at high risk. Now, these exploits can be performed within radio connection distance; therefore someone near a window or locations just outside the building, the floor, or the lobby, whatever it might be, has the potential to exploit this vulnerability.
Now with that being said, the Food and Drug Administration or the FDA has issued a guidance to provide a policy to help expand the availability and capability of non-invasive remote monitoring devices to facilitate patient monitoring while reducing patient and healthcare provider contact during this COVID-19 pandemic.
Now, this policy is intended to remain in effect only for the duration of this emergency, but we’ll just state is these enforcement policies describe guidance to apply the following non-invasive remote monitoring devices that measure certain physiological parameters that during this crisis. So, what they’re saying is that you can use some of these wireless features of these Bluetooth features to maintain a safe distance from some of these patients it often kind of correlates through also at-home devices.
So maybe some home devices have a monitor on the and to be able to remotely view that it has to make a connection through a network. So, these guidance are temporarily allowing for that potential to see the patient vital signs from again a remote location or a separate distance from that patient through reduced contact.
Now again, the FDA that the healthcare organizations can leverage the use of these current non-invasive patient monitoring devices if they have these feature sets or allowing manufacturers to change or modify these without going back through 510(k) clearance on them. So anyone who chooses to use these features should be cautious and understand the risks, and within that document, the FDA has a list of these devices and they include clinical electronic thermometers, electrograph cardiac monitors, electrocardiograph software for over-the-counter use, pulse oximetry, non-invasive blood pressure, respiratory rate or breathing frequency, and electronic stethoscope.
So, with that, the goal is for everyone to be safe. We want everyone to be aware of what is happening. We all know what’s going on and we have our concerns, and therefore I’m just trying to make everyone, I request everyone be vigilant in this time with these devices.
So before making decisions, you include all stakeholders. Make sure everyone is aware of the risks and that all persons and parties are trained or go through some sort of training and understand the roles and responsibilities. If we understand the risks and we evaluate our actions and we use good judgment, we’ll be able to stay safe both from the Coronavirus and any potential security threat.
Awesome and great, thank you so much, Matt, for that information!
A reminder to our listeners: all of our podcasts and related topics such as blogs and white papers can be found on our website. Please visit www.CynergisTek.com. Thanks again for listening and thanks to Matt for joining us.