Smart buildings present a unique healthcare cybersecurity threat
The virtual and physical realms are becoming increasingly enmeshed through the world of the Internet of Things. The rate of Internet connections is outpacing companies’ abilities to secure them.
As a result, a large driver of cybercrime is the least-protected networks and systems found in the healthcare information technology world – building automation, or smart building technology.
For example, hackers stole 40 million credit card numbers from Target by getting into the retailer’s internet-connected HVAC systems. And in another example, hackers got access to a North American database by way of a web-connected fish tank.
These scenarios shed light on the ways that operational tech, such as signage, elevators, AV conferencing, HVAC, etc., can pose serious security risks for healthcare organizations.
Uniquely valuable data
“Information available in healthcare provider organizations – patient health information (PHI), payment card information (PCI), intellectual property (IP) and more – is uniquely valuable to hackers in comparison to other industries, which is why we’ve seen such a dramatic focus on cybersecurity in healthcare to date,” said Matthew Ehrlich, executive director, TEKsystems Global Services, digital technology builders whose specialties include cybersecurity.
“The problem we see, however, is that most of the efforts to protect healthcare providers fall under the IT policy umbrella,” he continued. “By limiting cyber threats to just IT policy, organizations are missing key vulnerabilities and risk exposure for their company. Building systems are not traditionally in scope for IT, yet they have a vast ecosystem of technology that must be assessed and governed.”
"Healthcare providers should be taking a collaborative approach to solving this problem – IT cannot own this alone."
Matt Ehrlich, TEKsystems
These technology systems, referred to as operational technology, are primitive and generally poorly governed, making them ripe targets for the infiltration of the main network of a hospital, he added.
There are many different building systems in healthcare that present cybersecurity vulnerabilities. Traditional commercial buildings have vulnerabilities rooted in operational technology in places such as HVACs, fire alarm systems, digital signage, elevators, water or electric meters, lighting, and many more. All of those vulnerabilities apply to healthcare organizations, as well.
“However, healthcare providers also have such unique real estate types, ranging from small ambulatory facilities to complex 1,000-plus bed hospitals ,to laboratories, to parking garages, to pharmacies and more,” Ehrlich explained. “Each of these types bring in a whole host of nontraditional-technology enablement and separate vendor ecosystems.”
Take for example the laboratory: Beyond ordering systems, one has secure rooms/doors, temperature-controlled rooms, blood banks, special lighting etc. This concept lays the foundation for the Internet of Medical Things (IoMT), which is an emerging area that healthcare organizations need to be aware of.
So what are the steps healthcare CIOs and CISOs can take to analyze, design, evaluate and implement smart building solution plans to protect themselves from hackers getting to more important things like the main network or the electronic health records system?
“First and foremost, healthcare providers should be taking a collaborative approach to solving this problem – IT cannot own this alone,” Ehrlich said. “Similarly, the risk organization cannot own this either. A coordinated effort between risk, real estate, finance, operations, IT and clinical needs to exist to ensure implementation of end-to-end policy.”
An initial assessment is the first step, and educating and understanding risk exposure can generate tremendous ROI, Ehrlich noted. After any vulnerabilities are remediated and policies are built, healthcare providers need a way to monitor and manage ongoing operations as the technology and vendor landscape is changing constantly, he said.
An extreme lack of awareness
“Most healthcare leaders are aware of the benefits an organization can achieve from a ‘smart building,’” he said. “But there is an extreme lack of awareness in healthcare today on the rising risk that exists in the current building infrastructure with very simple things like elevators or HVACs, let alone more innovative topics like ‘smart rooms.’ We fear that due to the lack of education and urgency, this problem will likely get worse before it gets better.”
With advanced analytics generated from developments/implementations of consolidated EHR, ERP and CRM over the last decade, the amount of data is hard to imagine. With that, the access to that data is increasing, and through one key area: building-system vulnerabilities, Ehrlich said.
“Building vulnerabilities will become a leading entry point or cause of breaches and incidents across the healthcare ecosystem,” he concluded.