Why Healthcare Needs to Prioritize Operational Technology Security
Cybersecurity is a top-of-mind concern for organizations in Ohio’s healthcare industry for good reason. According to numerous technology media, healthcare remains one of the leading targets for cyber criminals and provides hackers with the highest price per stolen record of any field.
Keeping a healthcare organization secure requires a holistic, thorough, and documented process. But all too often the Astute Technology team sees providers focus disproportionately on the security of their information technology (IT), while ignoring the urgent risks emanating from their operational technology (OT).
In this article, we’ll explore why that’s the case and what healthcare providers can do to secure their OT.
The Unique Challenge of Securing Healthcare Operational Technology
It’s possible that not everyone is clear on the distinction between IT and OT, so before we go any further let’s clear that up.
- Information technology moves data. It includes servers, workstations, PCs, mobile devices; the things most people think of when they think of network technology.
- Operational technology connects, monitors, and manages your physical office and infrastructure. Common examples of OT include automation or robotics systems, access control systems, and security camera systems, climate control systems, and others.
Securing IT is a well know process at this point, involves firewalls, anti-virus software, and cybersecurity training. The security needs of OT are discussed less, though it’s an equally important issue. As healthcare providers embrace new types of OT like the Internet of Things (IoT), and integrate OT and IT at a deeper level, those systems can easily provide a backdoor for hackers to exploit.
Building Access Control Systems
Access control systems come in several different flavors. There are door control systems, gates on the exterior of a parking lot, as well as more sophisticated systems for protecting vital records rooms, pharmaceuticals, and other healthcare supplies.
Like many OT systems, modern building control systems spanning hardware, software, and services, which makes them vulnerable to attack.
Take for example when hackers released 10 vulnerabilities in the popular Linear eMerge E3 system onto the Dark web. Because it took the NSC team so long to update the firmware that controls their hardware, cyber criminals with even a modicum of skill cause a, “complete shutdown of the affected resource.”
On the more sophisticated side of these attacks, hackers can use a magnet to bypass the tampering monitor then attach a device using a serial port on the controller, or try to reset the devices by using the default password
Security Camera Systems
Security camera systems are a common physical security measure that are used to protect both the exterior of your location, as well as sensitive areas within your facility. But because cameras are so deeply integrated with network technology, providers need to pay special attention that those cameras are secured themselves.
Internet enabled security cameras can present a variety of serious security risks. For example, improper camera location can compromise PHI by providing unauthorized access to view that data, even if no hack has occurred. Beyond that, concerted attacks by hackers that target the system’s firmware or weak passwords can allow criminals to access all your live feeds and spy on your employees.
Sounds implausible? This scenario has already played out, when a hacking group targeted over 150,000 security cameras for some of the world’s largest firms, including Florida healthcare network Halifax Health.
HVAC and Climate Control Systems
In healthcare settings where surgeries and other invasive procedures are performed, climate controls can make the difference between a successful or unsuccessful procedure.
Because these systems are so important, their security should be important too, but they’re often overlooked. The reason why is that HVAC systems, even more than other operational technologies are perceived as less of a target for criminals.
The reality is that the latest generation of smart HVAC systems is connected to the Internet, which makes it a vector for cyberattack like any other device. Research from cybersecurity consulting firm ForeScout Technologies shows that 8000 connected HVAC devices, mostly in healthcare and educational institutions, are highly vulnerable to cyberattack and malware infection
What Should You be Doing to Secure your OT?
We’ve established that OT is a source of cyber insecurity, now what should you be doing about? The only way to design a clear action plan is with a thorough network assessment, but there are some best practices that all providers should be observing to achieve a baseline of security confidence.
Change Default Passwords
A basic but critical step to securing OT devices is to ensure that you change any administrator passwords from the default to something both secure and unique. This simple step is enormously effective at preventing hackers from using stolen credentials (or cracking software) to compromise OT devices.
Update Firmware Regularly
Similar to IT systems, OT hardware and related software often come with a basic input output system (BIOS) or other firmware to control the signals that come in and out of the system. You should track the version of the firmware on all those devices and update them as the vendors releasees new versions to close identified cybersecurity weaknesses.
Be Wary of Foreign Hardware
There’s a common cycle in the OT industry in which technology developed in a develop country eventually finds its way to factories in China or India where it’s manufactured for a fraction of the price.
While we all love low priced hardware, the unspoken trade-off is that the vendor who creates that device won’t update it as regularly as an established brand. This can lead to serious cybersecurity risk, so take extra precautions when vetting new vendors.
Work with an OT Specialist
Before OT became as widespread and integrated as it is today, healthcare providers could trust that a building maintenance company or their real estate firm could be trusted to handle the security of those devices. Not anymore. To ensure all devices are HIPAA and HITECH compliant, enlist the help of a trusted cybersecurity services firm to take control of you OT.
Comprehensive Security Solutions Designed for Healthcare
Astute Technology Management has been a trusted partner to Ohio’s healthcare community for over 20 years, helping providers of all sizes meet their cybersecurity and regulatory compliance goals with less stress and effort.
To speak with one of our healthcare IT experts, contact us any time at 614 389 4102 or [email protected].