Like any other enterprise, healthcare organizations are increasingly interconnected, to such an extent that digitized control systems are now relied upon in nearly every step of the patient care delivery process. For instance, think about electronic health records (EHRs), patient archiving and communication systems (PACs), and an explosion of telehealth systems and connected medical equipment and devices to monitor and support patient care. The cyber risks facing healthcare organizations are growing exponentially as digital transformation takes off and devices are increasingly connected to the internet. However, an area that doesn’t get as much attention is the building management systems (BMS) healthcare organizations rely on to keep these assets running while creating a safe environment for patient care.
As with other forms of enterprise technology, building management systems have undergone rapid digital transformation in recent years, shifting toward smart, connected systems to take advantage of performance improvements, reduced energy consumption, and cost efficiencies. But like all forms of digital transformation, connecting formerly isolated building management systems to the internet and an organization's internal network introduces additional cyber risk.
The concerning truth is that vast networks of cyber-physical systems—security cameras and physical access controls, HVAC systems, lighting, fire alarm systems, power, elevators, and other crucial mechanical or electrical equipment—form the backbone for healthcare delivery. In the event of a failure, healthcare delivery becomes more difficult and patient outcomes can also suffer. Some real-life examples include:
The malfunction of a cryogenic freezer at a California hospital resulted in its failure to maintain the appropriate temperature, which caused custom stem-cell immunotherapies to be destroyed. The hospital was found civilly liable, but the worst outcome was that it had a serious impact on treatment for dozens of children fighting cancer. Temperature controls are also crucial for the storage of vaccines, and pharmaceutical giants such as Pfizer trust Claroty to help them ensure the sensitive materials are kept safe throughout the supply chain.
The failure of the air-filtration systems at a hospital in Washington State to eliminate mold spores within its supposedly sterile operating rooms resulted in multiple patient deaths. Washington State was found negligent: air handlers had a mold infestation, and mold spores ended up in an operating room, infecting patient surgical sites. The hospital was found negligent after some patients died from exposure to the mold spores.
An HVAC system failure at a California hospital caused the EHR to go offline, resulting in cascading issues that compromised patient care and caused enormous headaches for the hospital administration. Adding insult to injury, the incident occurred during an inspection from Joint Commission on Accreditation of Hospitals.
Multiple incidents have been documented involving elevator malfunctions at hospitals, which have led to patients and staff being stuck, seriously injured, or even killed. The ability to monitor specific indicators to ensure elevators are operating safely and reliably is thus critical to managing risk at medical facilities.
Building management systems are often overlooked as a potential weak point in an organization’s defense perimeter, because security teams are preoccupied with protecting more traditionally targeted assets. However, threat actors now understand that BMS are not only critical to operations, but can also serve as a pathway to other secured infrastructure, and are therefore extremely valuable targets.
Government alerts and industry researchers enumerate vulnerabilities, as well as tactics and techniques adversaries use to disrupt operations and steal confidential data via BMS. For example, in October 2021, the Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory for a vulnerability present in a widely used building automation system for coordinating HVAC building controls. If exploited, the vulnerability could enable an adversary to inject code into the input forms used for web page generation. Once the malicious script is injected, the attacker can perform a variety of activities, including exfiltrating private information, launching phishing attacks, and gaining access to administrator credentials to tamper with control settings. This could result in a shutdown of computer systems that drive critical functions for patient care delivery.
Many facilities have aging building management systems, and the vulnerability described above affects older HVAC systems that are nearing end of life. As these systems predate today’s era of hyperconnectivity, they were not necessarily designed with security in mind. The recommended mitigation in the advisory is to install updated firmware. But in contrast to software patches, firmware update cycles are typically long due to the risk of downtime and the complexity involved in implementing updates. Often, compensating mitigations are the only remediation strategy when the systems being connected to the Internet are legacy.
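To make the vulnerability class above concrete, here is an added example (not code from the advisory, the affected product, or Claroty) contrasting the flawed pattern with its fix and with a compensating control. It assumes a hypothetical BMS web page that echoes an HVAC zone label submitted through a form; the labels and the render functions are constructed for illustration.

```python
import html
import re

# Constructed sample inputs for a hypothetical zone-label form.
BENIGN_LABEL = "Operating Room 3 - Supply Air"
# Constructed, harmless test string carrying script markup (no real payload).
INJECTED_LABEL = '<script>alert("xss")</script>'


def render_zone_page_vulnerable(label: str, setpoint_c: float) -> str:
    """The flawed pattern: the form value is interpolated straight into the
    generated HTML, so any markup in it becomes part of the page."""
    return f"<h1>Zone: {label}</h1><p>Setpoint: {setpoint_c} C</p>"


def render_zone_page_hardened(label: str, setpoint_c: float) -> str:
    """The fix a firmware update would ship: HTML-encode every untrusted
    value before it reaches the page, and coerce numeric fields to numbers."""
    safe_label = html.escape(label, quote=True)
    return f"<h1>Zone: {safe_label}</h1><p>Setpoint: {float(setpoint_c)} C</p>"


# Compensating control for a legacy device that cannot be patched: an
# allowlist enforced at a gateway or proxy in front of the device's web UI.
# Only plain label characters are accepted; angle brackets and quotes are not.
LABEL_PATTERN = re.compile(r"^[A-Za-z0-9 .,_()/-]{1,64}$")


def accept_label(label: str) -> bool:
    """Return True only if the submitted label matches the allowlist."""
    return LABEL_PATTERN.fullmatch(label) is not None


def contains_active_markup(rendered: str) -> bool:
    """Crude check used to compare the two renderers: does the generated page
    still carry an unescaped <script> tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    for name, render in (("vulnerable", render_zone_page_vulnerable),
                         ("hardened", render_zone_page_hardened)):
        page = render(INJECTED_LABEL, 21.0)
        print(f"{name:10s} script survives: {contains_active_markup(page)}")
    print("gateway accepts benign label:", accept_label(BENIGN_LABEL))
    print("gateway accepts injected label:", accept_label(INJECTED_LABEL))
```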
The Claroty portfolio of solutions supports best practices and includes several capabilities focused on risk mitigation for BMS across critical infrastructure environments, including healthcare. Key benefits include:
Healthcare organizations often lack visibility into the various BMS assets connected across their environment. At Claroty, we continue to expand our library of protocol parsers to add new depth to our knowledge of BMS devices. Our solutions can specifically highlight these critical devices, allowing users to zero in on specific assets with comprehensive and accurate device profiles and communication mapping.
The critical nature of BMS and low tolerance for disruptive downtime often mean that teams are only able to patch the vulnerabilities that pose a genuine threat to their organization. However, determining which vulnerabilities pose the greatest risk is often easier said than done. With accurate profiles for even more types of BMS devices, as well as automatic vulnerability correlation, identifying and managing vulnerabilities becomes efficient and effective. Claroty includes BMS devices in its vulnerability assessment, reporting, and mitigation capabilities.
Ensuring each device is correctly assigned to an appropriate network segment is foundational to effective cybersecurity. With Claroty, hospitals can properly segment BMS and all other devices in their environments, enhancing protection and accelerating improvement of their overall security posture.