By Gilad Zinger
Information security in health systems has been in focus over the last few years. For example, we have witnessed reports of vulnerabilities in such supporting systems as X-Ray machines or smart, IoT-based devices in charge of various monitoring processes in health systems.
Additionally, hospital records and the privacy aspects associated with them have always been the subject of public debate. To face these risks, the cybersecurity industry has been producing a range of solutions for coping with the threats. But all of the developments in this field and the attempts to resolve the vulnerabilities notwithstanding, the current situation is not encouraging. For example, anyone can easily find more than 200 X-Ray machines connected to the Internet at this very moment.
One issue which has not been in focus is what I call the "low tech" systems of hospitals and medical centers. This category includes the complex and unique building control systems used at these centers. Unlike other management systems charged with logistics and security, building management systems in medical centers are responsible for life-saving activities – both directly and indirectly.
A Threat to Human Life
To understand the issue better, let us dive a little deeper. A hospital, unlike a power station or a manufacturing plant, uses a control network, an Operational Technology (OT) network, which is not intended to store, retrieve, or use data the way Information Technology (IT) networks do. Instead, it is intended to operate and monitor vital systems at the hospital. These functions are unique and sometimes niche-specific – but still rely on the industrial control world, the world of Industrial Control Systems (ICS).
The Building Management System (BMS) is responsible for process control in the building (whether or not the building is a "smart" building). In most modern buildings, the control system will trigger active processes as a result of specific occurrences. For example, it may change the air-conditioning temperature in response to measurement and monitoring processes, or control lighting, ventilation openings, or security and safety devices.
A cyberattack against a similar infrastructure in a residential building will normally result in discomfort and a financial loss, but in hospitals, the implication of such an impact is radically different. Imagine a situation where the air-conditioning system fails to operate in an operating theater, or a situation where the lifts are rendered unserviceable and patient beds cannot be transported. On the face of it, a risk such as the lifts becoming unserviceable is the same as the one facing a residential building, but the implication of the impact and the risk itself might take an alarming turn.
Beyond the "classic" building management systems, hospitals normally use dedicated systems for operational functions on the one hand and for life-saving processes on the other hand. Additionally, systems used for operational purposes, such as air-conditioning, contribute to the prevention of the spreading of disease and to maintaining specific environmental conditions for various medical needs.
Vulnerabilities in On-Going Operations
For the purpose of this demonstration, let us select two primary systems. Many medical centers use pneumatic tube systems to deliver cylindrical containers to specific recipients. These containers may be used to transfer anything from examination result documents to test tubes containing blood for analysis. Pneumatic tube systems have been in use for more than 100 years, but the technological developments of the last few years have not neglected them. Today, these systems are controlled by modern controllers. They are connected to other systems and, in some cases, even to the Internet. If we were to speculate on the potential damage that might be inflicted on systems of this type, we should consider a situation where an opponent gains control over the system and can create a range of scenarios: from disrupting normal operation, through deception, delivering containers to the wrong recipients, to a complete shutdown of the system.
The water and gas delivery system of the hospital is an even more critical system. This system supplies hot water, compressed air, and medical gases (like oxygen, nitrogen, and others). Anyone who has visited a hospital has noticed that a connection to an oxygen supply source is available by each patient bed. This is a control system for all intents and purposes. The other end of the system consists of an oxygen tank controlled by a standard controller and a monitoring system, whose function is to supply oxygen to the patients on demand, as required. In this case, the potential implications of damage inflicted on the controller of this utility system are self-evident.
Each one of the systems I listed has a chain of supply and support that is completely detached from the organizational cybersecurity loops. In other words, these chains offer a vector for attacking the systems in question: from remote control, through close installation, to connectivity between systems (OT-OT and OT-IT).
OT Systems Everywhere
Are we facing new systems or gaps that stem from technological progress? Well, in the last few years, we have begun to realize that OT systems surround all of us (not just nuclear reactors in Iran). In my estimate, the gap stems primarily from the fact that most IT officers in medical centers are responsible for protecting the organizational information – not the operational systems. The lack of sufficient in-depth knowledge and understanding of the world of control and its direct relevance to the threat to human lives sometimes produces a partial solution (or even no solution at all) at those centers, thereby increasing the risk factor associated with the operation of life-saving systems. Additionally, the absence of suitable regulation that would support these systems from as early as the design stage of the medical center widens the existing gap even further.
Bridging the Gap
Technological progress produces, for all of us, amazing opportunities that are sometimes accompanied by new risks to which we have not been exposed previously. It may be stated that in most cases, the first mistake we make when setting out to provide cybersecurity for operational systems is acquiring security products without structured security concepts and strategies, and without a complete understanding of the world of operational risks, which is so different from the world of risks with which the information security officer is familiar.
Firstly, the management of the medical center must acknowledge the fact that there are relevant cyber threats out there that could produce risks in these systems (and not only in the information systems). The management should outline the path for examining the ways through which the organization may be able to manage the risk without having an adverse effect on the operational continuity of the center. This raises the question of whether the acknowledgment of the risk should come from the hospital with a demand for regulations on the part of the regulator, or vice versa. In my view, both sides should produce a mutual impetus by assisting and guiding the elements in charge within the government organs.
These organizations are duty-bound to carry out preliminary surveys in order to chart the assets, while gaining an in-depth familiarity with the "maturity" level of the organization with regard to cybersecurity vis-à-vis OT systems. Subsequently, the hospital management should be called upon to provide an appropriate initial budget, develop an initial security policy, and initiate a comprehensive risk survey. Following the survey, a long-term implementation program should be developed, with priorities set according to the extent to which the risk is mitigated, the rate of implementation, and, naturally, the cost of implementation relative to the other two parameters.
Most senior medical center executives reading this article will be able to identify and spot numerous operational systems that are linked to other, unsecured systems. These systems might produce cyber scenarios in the context of which human lives will be at risk.
As medical centers in Israel are not directly guided by the National Cybersecurity Directorate and do not fall within the definition of critical infrastructures, the functionaries at these centers must assume the responsibility and initiate the processes required in order to minimize the risk before it materializes. One should bear in mind that even if no indications are available regarding the collection of information in preparation for an attack against the hospital, this does not mean that the system has not been infected by malware waiting for the H-Hour.
Gilad Zinger is a senior manager in charge of security for critical computer systems at PwC Cyber Security. For 18 years, he served in cyber-related capacities with the Israel Security Agency.