Last month, I presented at the American Society for Healthcare Engineering's International Summit & Exhibition on Health Facility Planning Design & Construction (PDC Summit) where I addressed the issue of cybersecurity and risk management. The group was one of the most occupationally and organizationally diverse audiences I have addressed, with a seemingly remote connection to cybersecurity issues. Yet, the reality is that the engineers, architects, construction executives and hospital facilities managers have a fundamental and foundational role in hospital cybersecurity.
Although these roles are often overlooked in their criticality in identifying and mitigating cyber risk, they are involved in essential levels of the planning, design and construction phases of hospitals, and may amplify or mitigate cyber risk exposure. They also influence hospitals’ technology-related decisions, including those that affect mission-critical and life support systems.
These days, almost all systems deployed in hospital construction have embedded, network-connected technologies. These systems may include regular and emergency power supplies, HVAC, lighting, water and sewer control, elevators, communications, access control, security systems and, of course, the many “Internet of Things” (IoT) devices, such as security cameras. These systems — if not properly designed, installed and secured against cyber threats — could present a vulnerability a hacker may exploit as a pathway into the organization’s networks to steal sensitive patient information and research data. For instance, in a worst-case scenario, a mission-critical or life support system, such as power, HVAC or elevator controls could be disrupted, causing an interference with care delivery and affecting patient safety.
Another consideration I shared at the summit is that a cyber adversary may exploit vulnerabilities in vendor and contractor networks as a way of infiltrating a hospital’s network, seeking the easiest path in. Sometimes, the easiest way in may be the indirect way — through a contractor or vendor. To mitigate this risk, hospitals must assess and monitor shared network connections for systems monitoring and updates, shared cloud services, data and document exchange. This awareness should also account for the reality that systems can be perpetrated by attaching malware, including ransomware, to legitimate email traffic between the organizations. All of these potential vulnerabilities can put patients’ information at risk. However, as shared in my presentation, “There is hope!”
Being aware of the cyber risk, assessing for it and applying compensating controls at the outset go a long way in mitigating the risk for hospitals, contractors and vendors alike.
A few concepts to keep in mind that may help mitigate cyber risk exposure for mission critical and life support systems during PDC phases:
- Security by design including capability to receive security patches and software updates
- Resiliency and redundancy
- Network mapping, segmentation, access control and monitoring
- Vendor risk management program
- Contractual cybersecurity and cyber insurance requirements for contractors and vendors
- Annual risk assessments including vulnerability assessment and penetration testing
- Convergence and collaboration of PDC with information security, physical security and personnel security of hospital
- Prefer domestic or non-high risk nation supply chain sourcing for mission critical and life support supplies and services
- Incident response and emergency management collaboration
- Manual overrides for mission critical and life support systems
John Riggi, is senior advisor for cybersecurity and risk for the American Hospital Association. He can be reached at jriggi@aha.org.
