Keeping Australian hospitals safe from cyberattack
Australia's critical infrastructure protection act extends to healthcare.
In April this year, the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 came into effect in Australia, extending the scope of the Security of Critical Infrastructure Act 2018 to also apply to healthcare and the medical sector. The key focus of the current amendments is on hospitals with Intensive Care Units. However, the scope may be extended again to cover more of the healthcare sector.
As a result of the changes, hospitals now need to register their critical infrastructure assets, and any security incident affecting these assets is subject to mandatory cyber incident reporting. There is now a new obligation for responsible entities to create and maintain a critical infrastructure risk management program, and a new framework of enhanced cyber security obligations for operators of systems of national significance.
Medical device security - a global concern
Vulnerabilities in medical devices have become a global problem. In the USA, there has been growing federal scrutiny. In March, the U.S. Senate introduced the PATCH Act, a bipartisan bill targeting medical device security. In a statement of support for the legislation in June 2022, the American Hospital Association wrote, "Cyber vulnerabilities in medical devices, often containing outdated legacy technology, have posed a significant cyber risk to hospitals."
Cybersecurity vulnerabilities in medical devices offer multiple avenues of access for cybercriminals, enabling hackers to remotely take control of medical devices and then take malicious actions like disrupting operations, or causing an information leakage.
Just like in the USA, many Australian healthcare systems utilise internet-connected medical devices to improve the efficiency of care delivery to patients. In its most recent health sector security report, the Australian Cyber Security Centre (ACSC) recorded 166 incident reports relating to the health sector between 1 January and 31 December 2020. This is a significant increase from the previous calendar year, when there were only 90 reported incidents affecting the health sector. The bulk of reported incidents were for compromised systems. Outside of government and individuals, the health sector reported the highest number of incidents to the ACSC in 2020.
Addressing the medical device risk
Connected medical devices can improve patient care and operational efficiency, but there are three distinct challenges that need to be addressed:
1. Lack of visibility and inventory capabilities
Medical devices and other smart devices in a healthcare ecosystem are difficult to discover and inventory. Since unmanaged IoMT, IoT, and smart devices do not support inventory agents and are often missed by typical network discovery scans, security teams relying on traditional inventory methods struggle to get a clear view of all devices. Even when medical teams have an inventory of the devices their departments support, usually in the form of spreadsheets, the inventories are often already outdated and require resource-intensive efforts to update. Moreover, the device list is limited to what the team manages and wouldn't include other devices, such as those managed by other departments or offices.
2. Inherent security control limitations
While traditional enterprise devices such as laptops and servers support a host of traditional security tools, including inventory and patching agents, medical devices simply cannot.
In many cases, despite running a mainstream OS such as Microsoft Windows, the devices are certified by the vendor with specific configuration parameters. In these cases, relying on traditional agent-based security tools, or even installing native Windows security patches, can result in unresponsiveness or unexpected behaviour that may impact patient safety. This inability to patch or upgrade has resulted in thousands of medical devices in healthcare environments in Australia running decades-old legacy OSs and vulnerable software – a disconcerting thought.
3. Inability to contextualise clinical and device risk
With different departments using an array of new and old device types, understanding each device's unique context is critical to the risk assessment process. That context cannot be captured by the traditional security software stack.
In a clinical environment a legacy workstation embedded into a large MRI scanner actively providing patient care poses a significantly higher risk compared to the same OS with the same vulnerabilities on a workstation found in a non-clinical environment.
Ultimately, traditional security tools simply do not capture the true contextualised device risk, including the behavioural and clinical factors.
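To make the MRI-versus-office-workstation contrast above concrete, here is an added illustration (not from the original article or any vendor's product) of a contextualised risk score that weights a vulnerability's technical severity by clinical role, patient connection, patchability and observed network behaviour. The weights, field names and the two sample devices are assumptions chosen for this example.

```python
from dataclasses import dataclass

# Assumed weights for this example only, not a published scoring method.
CLINICAL_ROLE_WEIGHT = {
    "patient_care": 2.0,    # embedded in, or directly delivering, patient care
    "diagnostic": 1.5,      # imaging/lab equipment not attached to a patient
    "administrative": 1.0,  # non-clinical office use
}


@dataclass
class Device:
    name: str
    os: str
    cvss_max: float          # highest base score among its known vulnerabilities
    clinical_role: str       # key of CLINICAL_ROLE_WEIGHT
    patient_connected: bool  # currently attached to a patient
    patchable: bool          # vendor certification permits OS patching
    external_peers: int      # distinct peers seen outside its clinical VLAN


def contextual_risk(d: Device) -> float:
    """Same CVE set, different priority: scale severity by clinical context."""
    score = d.cvss_max * CLINICAL_ROLE_WEIGHT[d.clinical_role]
    if d.patient_connected:
        score *= 1.5   # disruption now affects a patient, not just a workflow
    if not d.patchable:
        score *= 1.25  # exposure persists; only compensating controls remain
    # Behavioural factor: unexpected external peers add exposure (capped).
    score += min(d.external_peers, 5) * 0.5
    return round(score, 2)


def risk_tier(score: float) -> str:
    return "critical" if score >= 25 else "high" if score >= 12 else "moderate"


def prioritise(devices: list[Device]) -> list[str]:
    """Device names ordered by contextual risk, highest first."""
    return [d.name for d in sorted(devices, key=contextual_risk, reverse=True)]


# Constructed sample: identical OS and vulnerability, different context.
MRI_CONSOLE = Device("MRI console", "Windows 7", 9.8, "patient_care", True, False, 2)
ADMIN_PC = Device("Admin workstation", "Windows 7", 9.8, "administrative", False, True, 0)

if __name__ == "__main__":
    for dev in (MRI_CONSOLE, ADMIN_PC):
        print(dev.name, contextual_risk(dev), risk_tier(contextual_risk(dev)))
```

The MRI console and the office workstation carry the same CVSS 9.8 finding, but the console lands in the critical tier while the workstation stays moderate, which is the ordering a purely vulnerability-centric scanner would miss.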
It's not just medical devices that impact patient care
Medical devices such as those described in this paper are not the only unmanaged devices that can pose risks or directly impact patient care.
Consider a few parts of the ecosystem that supports the patient journey: check-in kiosks, handheld scanners, lift control systems, smart thermostats, HVAC systems controlling humidity and temperature, porter communication systems and more.
Malfunction or downtime of building management systems, such as the HVAC units that regulate humidity levels in an operating room, can result in cancelled surgeries. The implications are worrying when you consider that 64 percent of healthcare delivery organisations estimate that at least half of all devices on their network are unmanaged or IoT devices, medical devices included.