Top 5 Essential Strategies to Mitigate IT/OT Cybersecurity Risks in Healthcare

Dec 29, 2023

Healthcare Cybersecurity Challenges

During the initial stages of the pandemic, the healthcare industry faced a significant cybersecurity maturity gap, struggling to cope with the tumultuous period. The influx of patients and organizational responses to the virus compelled healthcare sectors to undergo rapid digitalization, amplifying their vulnerability. This transition highlighted their lack of robust cybersecurity infrastructure, weak incident response planning, and a shortage of cybersecurity experts in hospital IT/OT departments. These shortcomings, combined with the high market value of medical data, rendered healthcare organizations prime targets for hackers.

This period witnessed a series of significant cybersecurity breaches in the healthcare sector. In May 2021, Ireland’s Health Service Executive (HSE) suffered a ransomware attack, leading to a shutdown of its systems by the government. The attackers used Conti ransomware, reportedly operated by a Russian cybercrime group. May 2022 saw Russian hackers launching DDoS attacks on Italian websites, including health institutions, with the intention of targeting NATO countries and Ukraine. That same month, Greenland’s healthcare system experienced a network crash, severely limiting health services but thankfully not compromising civilian data.

In June 2022, a phishing campaign in the U.S. targeted various sectors, including healthcare, to compromise Microsoft Office 365 and Outlook accounts. September 2022 brought a significant breach in the Mexican Defense Ministry, revealing sensitive data including health information. By December 2022, Russia-linked hackers were utilizing healthcare networks in various countries to attack Ukraine, primarily for information theft and disruption.

In February 2023, a North Korean hacking group conducted a covert espionage campaign, targeting sectors including healthcare and extracting substantial data. A hospital in Illinois had to shut down entirely in June 2023, citing a ransomware attack as the primary reason for its closure, showcasing the devastating financial impact of such breaches.

Moreover, on July 5, 2023, Tennessee-based HCA Healthcare was attacked, leading to the exposure of personal information of over 11 million patients. The stolen data, later advertised on the dark web, led to a class-action lawsuit against HCA by affected patients, seeking compensation for insufficient data protection.

These incidents underscore the urgent need for the healthcare sector to bolster its cybersecurity measures, reflecting the critical importance of data protection in an era where digital healthcare solutions are increasingly indispensable. The sector’s response to these challenges will be crucial in ensuring the safety and trust of patients in the digital healthcare landscape.

 

The Role of Operational Technology in Healthcare

In the healthcare industry, Operational Technology (OT) plays a pivotal role by enhancing the functionality and efficiency of medical equipment. Defined by Gartner as hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes, and events, OT in healthcare ranges from basic monitoring tools to advanced diagnostic equipment like MRI scanners, CT scanners, physiological monitors, ventilators, and infusion pumps. The acceleration of automation and digitalization has enabled these OT technologies to improve care efficiency while reducing costs in healthcare institutions.

Furthermore, OT environments in large medical facilities encompass elements beyond medical devices, including energy management, elevators, HVAC systems, and medical fluid systems. Most cyberattacks targeting the healthcare sector focus on third-party service providers with extensive access rights for maintenance and upgrades. This heterogeneity, coupled with low-security connectivity, significantly exacerbates associated cyber risks.

From a demand perspective, IT network security addresses the protection of Protected Health Information (PHI) and other personal data, crucial for maintaining healthcare cybersecurity, especially amid increasing cyberattack severity and scope. However, OT systems, omnipresent in hospital energy management, elevators, air conditioning, medical fluids, parking gates, and facility equipment, also demand priority. OT cybersecurity has unique requirements for critical assets. For instance, OT security ensures the reliability of operations in the physical world, whereas IT security protects data at rest or in transit. Patch updates in OT can be unwelcome and complex, unlike IT systems that undergo regular, non-disruptive updates. Additionally, OT cybersecurity involves various proprietary and specialized communication protocols, contrasting with IT security’s reliance on standard protocols.

Bridging the gap between IT and OT security is imperative for comprehensive protection in the healthcare sector. Acknowledging and addressing the distinct requirements of each will be key to safeguarding the intricate network of devices and systems that form the backbone of modern healthcare facilities. The industry must prioritize a balanced approach to both IT and OT cybersecurity, ensuring the protection of both data and the physical integrity of healthcare operations.

 

 

Vulnerabilities in Healthcare IT/OT Systems

In the healthcare sector, cybersecurity vulnerabilities, particularly in Operational Technology (OT) systems, have become increasingly dire. OT technologies, such as connected medical devices and infrastructure control systems, often lack robust security measures and may operate on outdated systems without adequate data encryption, password management, or authentication. The integration of IT and OT systems in healthcare increases the attack surface, with the interconnectedness potentially eliminating network isolation and increasing access to critical systems. Many healthcare organizations lack sufficient cybersecurity awareness and training, heightening the risk of cyberattacks like ransomware. Protecting patient data and sensitive health information is crucial, and vulnerabilities could lead to data breaches or unauthorized access.

Security issues also arise with third-party service providers responsible for maintaining and updating medical equipment and systems. These providers can become vectors for cyberattacks, especially when they have extensive access rights. Initially, cyber threats to healthcare IT/OT systems mainly involved external software infections or intrusions, leading to data theft or damage. Cybersecurity measures are essential to counter these threats. Infections often arrive through media like USB drives, CD/DVDs, or smartphones, and malware is activated through email attachments, links, or network attacks. Early-stage intrusions, which are hard to detect, often lay the groundwork for ransomware, which encrypts files and disrupts operations.

Connected medical devices pose an increasing risk. Many operate on outdated software, lacking essential security features, and are maintained by manufacturers or local biomedical engineers. This creates a closed infrastructure vulnerable to cyberattacks. Manufacturers’ reliance on less secure remote connection tools further exposes IT systems. The introduction of malware or ransomware can lead to the complete paralysis of medical devices, threatening not just data loss or information theft but also patient lives.

 

 

Global Regulatory Initiatives for Enhancing Healthcare Cybersecurity

As healthcare faces escalating cyber threats, regulatory efforts are intensifying to bolster medical cybersecurity. Critical measures include securing access for privileged users and controlling privileges on target computers to prevent network infiltrations. Healthcare institutions implementing Operational Technology (OT) solutions must rigorously protect devices and privileged resources. International standards such as MITRE ATT&CK and ISA/IEC 62443 are aiding organizations in adopting secure practices, with an emphasis on OT protection, as exemplified by the European NIS 2 directive coming in 2024. The U.S. Department of Health and Human Services (HHS) is also providing resources and incentives for cybersecurity measures in healthcare, alongside increased regulatory penalties for non-compliance.

The IT/OT convergence increases the attack surface, as attackers can move between these environments. For example, the Japanese Medical Information System Security Guidelines Version 6.0 focuses on physical and individual protection, but more emphasis on OT security is needed. Adherence to standards like IEC 62443 helps align with global cybersecurity norms and secure OT environments. Varied response strategies are needed for emergencies ranging from cyberattacks to system failures. Establishing a Business Continuity Plan (BCP), ongoing training, and regular reviews are crucial. BCPs should prioritize network events as primary risks, and advanced healthcare IT/OT systems must have robust user authentication and authorization processes.

The Zero Trust model, treating all access entities as untrustworthy by default, is vital for OT security. It requires comprehensive knowledge of assets, protocols, processes, and network activities for effective cybersecurity incident response.

In modern healthcare, outsourcing and using external services, including cloud services, is common. Selecting competent healthcare IT/OT systems and service providers is key, ensuring expertise in managing data in external environments. External storage, when properly used, can enhance medical institutions’ capacity to handle information.

Challenges like service continuity, manufacturer warranties, and OT equipment obsolescence demand specific solutions beyond traditional IT approaches. Integrating security in medical device deployment, along with change management and user awareness, is critical as cyber threats grow in frequency and severity.

 

 

Five Critical Security Controls for The Healthcare Sector

In the contemporary healthcare sector, managing cybersecurity threats requires a comprehensive approach, encompassing not only the physical equipment like servers, terminals, and networks but also the management of various system components and the users and administrators who operate them. This holistic perspective must include listing and managing all assets and accounts interacting with healthcare IT/OT systems. Given the collaborative nature of these systems, it’s vital to consider the system itself as a manageable entity.

Central to this strategy is robust governance, which ensures normal operation of these components and accounts, and monitors for any aberrant behavior. Upon detecting abnormalities, immediate preventative measures must be initiated. However, governance alone is not sufficient; anticipating potential cybersecurity incidents during crises is also crucial. This necessitates defining emergency operation policies, criteria, and procedures as part of a Business Continuity Plan (BCP). Implementing redundancy or backup of systems and data across all operational and system aspects is essential for comprehensive preparedness.

 

 

Governance

In the complex environment of current healthcare IT/OT systems, which often use external services and online maintenance, the risk extends to connected routers, devices, and even communication lines managed by external vendors. Vulnerabilities in these external systems can pose significant threats to the entire healthcare IT/OT system. While direct management of external suppliers might not be feasible, healthcare institutions must stay informed about their connectivity status and ensure, through contractual agreements, that no security loopholes exist. For instance, departmental system maintenance might be negotiated directly with suppliers, with little to no knowledge by the healthcare institution. In such cases, ensuring patient safety through responsible security measures becomes challenging. Healthcare institutions must be cognizant of their connectivity situations and exert control over them to maintain robust and effective cybersecurity measures.

 

 

Configuration Management

Effective configuration management and access control are crucial for maintaining cybersecurity in healthcare information systems. This involves a comprehensive understanding and cataloging of the devices and network structures that constitute the system or service. By ensuring proper network connection devices and paths are in place, healthcare institutions can prevent improper device connections, software, or data integration, and abnormal data communication. Particularly from a network security perspective, it’s essential to execute logical or physical configuration segmentation, control of connection devices, and manage communication data to maintain security integrity.

 

Access Control

Access control requires a detailed listing of personnel involved in using and managing the healthcare information system. It’s critical to understand their specific permissions and how they interact with various systems. System administrators, including those from related service providers, need stringent account management to prevent malicious software from exploiting system vulnerabilities, capturing administrative privileges, and breaching defenses. If administrative privileges are compromised, authentication control systems like Active Directory or LDAP can be hijacked. However, keeping operational systems and backup systems’ security credentials separate can provide time to respond and potentially protect backup and security systems.

In today’s complex information systems, various systems automatically connect, support, and control each other. Account management must therefore also cover software, such as systems or applications, and not only human users. Both PC operating systems like Windows and server-side systems like Linux have numerous functionalities and processes that can be installed and auto-started. Functions not required within the healthcare information system should not be activated, as any process with vulnerabilities can become an entry point for cyberattacks. Healthcare institutions must ask service providers to delete or not start unnecessary processes or programs, and must vigilantly monitor whether these unwanted processes are inadvertently activated. Security patches can sometimes restore previously deleted or disabled processes, which necessitates ongoing vigilance.
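One way to watch for services that a patch has quietly switched back on is to compare auto-start snapshots taken before and after the change against an approved baseline. The following is an added example, not code from the original post: the unit names, the approved list and both listings are constructed, and the listings assume the column layout of `systemctl list-unit-files --type=service --no-legend`.

```python
# Added example: flag auto-start services that drift from an approved baseline.
# Listings are constructed and follow the column layout of
# `systemctl list-unit-files --type=service --no-legend` (unit, state, preset).

AUTO_START_STATES = {"enabled", "enabled-runtime"}

# Hypothetical baseline agreed with the service provider for one host.
APPROVED = {"sshd.service", "chronyd.service", "pacs-viewer.service"}

BEFORE_PATCH = """\
sshd.service         enabled  enabled
chronyd.service      enabled  enabled
pacs-viewer.service  enabled  disabled
cups.service         disabled enabled
avahi-daemon.service masked   enabled
"""

AFTER_PATCH = """\
sshd.service         enabled  enabled
chronyd.service      disabled enabled
pacs-viewer.service  enabled  disabled
cups.service         enabled  enabled
avahi-daemon.service masked   enabled
rpcbind.service      enabled  enabled
"""


def parse_unit_states(listing):
    """Return {unit: state}, ignoring blank or malformed lines."""
    states = {}
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].endswith(".service"):
            states[fields[0]] = fields[1]
    return states


def drift_report(approved, before_text, after_text):
    """Compare two snapshots against the approved auto-start baseline."""
    before = parse_unit_states(before_text)
    after = parse_unit_states(after_text)
    report = {"reenabled": [], "new_unapproved": [],
              "preexisting_unapproved": [], "approved_not_enabled": []}
    for unit, state in sorted(after.items()):
        if unit in approved or state not in AUTO_START_STATES:
            continue
        if unit not in before:
            report["new_unapproved"].append(unit)          # appeared with the change
        elif before[unit] in AUTO_START_STATES:
            report["preexisting_unapproved"].append(unit)  # was already a gap
        else:
            report["reenabled"].append(unit)               # disabled or masked, now back
    for unit in sorted(approved):
        if after.get(unit) not in AUTO_START_STATES:
            report["approved_not_enabled"].append(unit)    # availability risk
    return report


if __name__ == "__main__":
    for finding, units in drift_report(APPROVED, BEFORE_PATCH, AFTER_PATCH).items():
        print(f"{finding}: {units}")
```

The `approved_not_enabled` finding matters as much as the others in OT: a patch that disables a required service is an availability problem, not only a hardening gap.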

 

 

Continuous Monitoring

Effective cybersecurity monitoring, particularly in healthcare, is crucial. Organizations can detect unauthorized intrusions and prevent unauthorized access by managing configurations and accounts, identifying anomalies caused by illegal software or data. This comprehensive oversight is key to maintaining system integrity.

To support unauthorized intrusion detection and prevent unauthorized access, security services like Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are employed. Network defense solutions tailored for OT systems are recommended, as they automatically generate OT network trust lists using automated rule-learning technologies, helping organizations establish precise L2-L7 network policies. This strict policy-making, based on necessary asset communication, highlights all suspicious or potentially harmful activities. Additionally, choosing solutions that deeply understand various medical control systems’ communication protocols is essential, allowing organizations to analyze network data packets effectively to prevent malicious activities and errors without disrupting medical operations.
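The trust-list idea described above can be sketched as a deny-by-default check over flows that a protocol-aware sensor has already decoded. This is an added example, not TXOne's implementation or code from the original post: the asset names, the flows, the operation labels and the `min_count` learning threshold are all constructed assumptions.

```python
# Added example: learn a trust list from baseline flows, then deny by default.
# Hosts, flows and operation labels are constructed for illustration.
from collections import Counter
from typing import NamedTuple


class Flow(NamedTuple):
    src: str        # asset name from the inventory (hypothetical)
    dst: str
    service: str    # L4 service, e.g. "tcp/502"
    operation: str  # L7 operation decoded by a protocol-aware sensor


def learn_trust_list(baseline, min_count=2):
    """Keep flows seen at least min_count times, so one-off events are not learned."""
    return {flow for flow, seen in Counter(baseline).items() if seen >= min_count}


def classify(flow, trust):
    """Return 'allowed' or the most specific reason the flow is off-list."""
    if flow in trust:
        return "allowed"
    if any(t[:3] == flow[:3] for t in trust):
        return "new_operation"   # known peers and service, unseen L7 command
    if any(t[:2] == flow[:2] for t in trust):
        return "new_service"     # known peers, unseen port
    return "new_peer"            # this pair never communicated in the baseline


def review(observed, trust):
    """List every off-list flow with its reason, in observation order."""
    return [(f, classify(f, trust)) for f in observed if f not in trust]


READ = "modbus:read_holding_registers"
WRITE = "modbus:write_multiple_registers"

# Constructed learning window: the single vendor RDP session is a one-off.
BASELINE = (
    [Flow("bms-ws", "hvac-plc", "tcp/502", READ)] * 3
    + [Flow("ct-scanner", "pacs", "tcp/104", "dicom:C-STORE")] * 2
    + [Flow("vendor-laptop", "ct-scanner", "tcp/3389", "rdp:session")]
)

# Constructed traffic seen after the trust list is enforced.
OBSERVED = [
    Flow("bms-ws", "hvac-plc", "tcp/502", READ),
    Flow("bms-ws", "hvac-plc", "tcp/502", WRITE),
    Flow("ct-scanner", "pacs", "tcp/445", "smb:session"),
    Flow("vendor-laptop", "ct-scanner", "tcp/3389", "rdp:session"),
]

TRUST = learn_trust_list(BASELINE)

if __name__ == "__main__":
    for flow, reason in review(OBSERVED, TRUST):
        print(reason, flow)
```

The `new_operation` case is the one a port-based (L4-only) policy would miss: the workstation and port are both expected, and only the decoded command shows a station that has only ever read registers starting to write them.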

For medical devices or OT/ICS systems in medical buildings vulnerable to attacks due to unpatched vulnerabilities, compensatory control measures like virtual patching technology are advised. This technology minimizes configuration and management time and seamlessly integrates into existing OT environments.

Endpoint Detection and Response (EDR) services are crucial for detecting anomalies caused by unauthorized software or data. Observations from TXOne Networks indicate that many types of malware, such as those used in zero-day attacks, can evade traditional pattern-matching detection. The new generation of Cyber-Physical Systems Detection and Response (CPSDR) methods is a game-changer in threat detection and response. CPSDR supports an operation-centric approach, where security measures are coordinated with device operations without impacting performance. It provides high-precision early warnings of system anomalies before threats occur, effectively detecting and suppressing deviations from normal operations before instability sets in. CPSDR extends protection beyond known threats to also guard against unknown threats. Adopting CPSDR ensures that any changes in system operations, whether attacks or benign process changes, are thoroughly analyzed and addressed, significantly reducing risk. This comprehensive approach ensures critical systems, like healthcare systems, are protected from various cyber threats, maintaining the safety and integrity of essential operations.

 

 

The Robust Business Continuity Plan

In today’s digital healthcare landscape, where cyber threats are becoming increasingly sophisticated, developing a robust Business Continuity Plan (BCP) is essential. A comprehensive BCP should include strategies to minimize chaos and business impact in the event of a cyber incident, along with rapid recovery solutions. However, it’s crucial to acknowledge that completely preventing cyber incidents is an unrealistic goal. Therefore, healthcare organizations must prepare for the worst-case scenarios, incorporating cyber incidents into their BCP alongside major disasters. This preparation could involve paper-based operations or support from neighboring medical facilities in emergency situations.

Effective BCPs require system and data backups as fundamental measures. These backups should be designed to facilitate swift access to essential information for continuing basic operations and restoring the system to its original state if necessary. The nature of the backup will vary depending on the medical institution’s needs. For instance, access to the most recent year’s data may suffice for emergency medical services. Consequently, it’s advised that backups cover a slightly more extended period than one year.

Regarding system and data recovery, backups should not only include patient data but also the software and settings that keep the system operational. This holistic approach, often termed a ‘full backup,’ is typically managed by system vendors. The healthcare sector needs to ensure that correct full backups are included in their specifications and verified upon system implementation. In cases of cyber incidents leading to criminal investigations, hardware compatible with the existing systems might be required. This preparedness is crucial for minimal disruption to medical services.

Given the complexity of modern healthcare IT/OT systems, which often involve multiple vendors, it’s imperative to have a well-coordinated backup strategy that covers all system components and vendors. This strategy should account for the different types of data and system functionalities, from patient records to imaging diagnostics.

Lastly, in situations where system functionalities cannot be restored immediately, alternate methods of accessing backup data should be considered, such as using CD-Rs or DVD-Rs for short-term data and preparing laptops with appropriate viewing tools. Engaging with system vendors for effective planning and preparing for emergency scenarios, including the possibility of manual paper operations, is crucial. This preparation ensures that patient care continuity is maintained, even in the face of significant cyber incidents.

 

 

Are you concerned about facing similar threat challenges? We are always here to assist you!

The challenges in production are constantly evolving. This is a lot of information, and our team is ready and eager to help you and your suppliers find the OT network defense tool that best suits you. Contact us to learn how TXOne solutions can ensure the security, compliance, and uninterrupted operation of your systems.

 
