
10 Quick Cybersecurity Tips for Hospitals in the Midst of COVID-19


There's no denying it and no point in ignoring it, so let's just acknowledge it: there's a big ugly elephant in the room and it goes by the name COVID-19. It's on everyone's mind, has already exacted a heavy human cost, is the source of untold anxiety and consternation, is the gravest threat to the global economy since the Great Recession, and is likely to only get worse.

While the virus has thoroughly upended any semblance of normalcy for so many people in so many countries, perhaps no one (beyond the infected) is feeling the pressure more than the healthcare community — those on the front lines of the fight.

It's not just caring for those afflicted and diligently working to stave off any precipitous decline, but also conducting research in search of a vaccine or an effective anti-viral treatment. Even more, it's not just the doctors, nurses, and scientists that are spearheading the global response, but those administrators and healthcare operations professionals that ensure our medical infrastructure is up to the task — both for the demands of the day as well as the morrow.

In times like these, that last thing is probably the tallest task.

Rapidly Onboarding New Medical Devices In Preparation for a Crisis

Most countries, the United States included, don't have nearly enough ventilators available to cope with the anticipated strains placed on the healthcare system as a result of COVID-19, let alone for the worst-case scenarios that some are predicting.

As a result, global healthcare is currently in the midst of a mad scramble to source and deploy millions of additional ventilators and respiratory care technologies. Achieving that will require manufacturers to drastically ramp up and accelerate production. It will also likely require that most serviceable devices in areas less affected by the pandemic be redeployed to areas more affected. It may also mean temporarily recommissioning retired equipment and taking a more creative approach to the supply chain.


The irregularity of such emergency procurement efforts has the potential to introduce a host of additional operational risks from quality control to interoperability to cyber vulnerabilities. 

The speed and trajectory of a global contagion are notoriously difficult to forecast, and with an already broad base of exposure throughout the world, the potential for a rapid exponential breakout in any given area looms large. We don't yet know whether efforts to dramatically increase ventilator availability will even succeed — let alone whether that success might come before or during the feared tidal wave of infected patients flooding hospitals.

Of course, if new machines arrive in the midst of a flood of new respiratory admissions, the aforementioned operational risks will be deemed acceptable and the mission will be to get as many machines online and in use as quickly as possible. If, however, new machines arrive before the flood of new respiratory admissions, those risks should be at least cursorily considered and addressed in ways that don't take too much time or resources. 

Quick Steps to Take to Ensure the Cyber Integrity of Irregularly Sourced Medical Devices

With that in mind, here are 10 quick cybersecurity tips for hospitals rapidly deploying medical devices in preparation for a large-scale emergency:

  1. Before getting started with the device, make sure it doesn't have any ePHI already stored on it. If it does, delete it.
  2. Restore the device to the default manufacturer settings and then make any desired setting changes based on the specific needs of the HDO.
  3. Make sure all remotely accessible device management portals (such as a web portal) have unique and strong credentials (i.e. change all default credentials).
  4. Request MDS2 forms for any newly deployed devices from the device's manufacturer. When such documentation is supplied, see what actionable information can be found with respect to the device's best practice IT configuration and cybersecurity management (e.g. anti-virus compatibility, etc.).
  5. Close any operationally unnecessary communication ports.
  6. If feasible, it's best to actively scan one of each device model in a laboratory environment before connecting the fleet to the wider network. This step can be helpful in identifying whether the device is exposed to any known vulnerabilities. 
  7. Add the device to your inventory database and make sure it is properly reflected in your CMMS.
  8. Make use of available IT tools that automatically map outgoing and incoming device data. This map should be consulted to quickly identify and resolve configuration errors or communication issues.
  9. Newly deployed devices should be set up within the organization's network communication monitoring apparatus.
     • Given the somewhat chaotic and totally non-standard manner in which devices were procured as well as the generally extreme operational circumstances, it is especially important that hands-free continuous monitoring and anomaly detection tools be put to work — guarding the organization's digital flank while it focusses on matters of more immediate concern.
     • This type of passive monitoring for anomalous or malicious traffic signatures is useful, among other things, in checking that the devices didn't come preloaded with malware.
  10. For the time being, it is best to create new and strictly governed (allowing only operationally necessary data to flow to and from these devices) network segments for each category of newly deployed device. By so doing, the attack surface can be shrunk considerably.
     • Later, when the crisis has passed and some semblance of calm has returned, these segments should be revisited and built into the existing security architecture in line with context-aware best practices.
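
Tips 8 through 10 can be combined into one check: compare the mapped device flows against the short list of flows each new segment is meant to carry. The sketch below is an added example, not CyberMDX code; the segment name, subnets, ports, the rule that all device-to-device traffic is flagged, and the flow records are all constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# One allowed flow: direction relative to the device, peer network, protocol, port.
Rule = namedtuple("Rule", "direction peer proto port")
net = ipaddress.ip_network

# Constructed policy for one device-category segment (all values are assumptions).
SEGMENTS = {
    "ventilators": {
        "subnet": net("10.50.1.0/24"),
        "allow": [
            Rule("out", net("10.10.5.20/32"), "tcp", 2575),  # HL7 feed to integration engine
            Rule("out", net("10.10.0.53/32"), "udp", 53),    # internal DNS
            Rule("in", net("10.10.9.0/28"), "tcp", 443),     # biomed management workstations
        ],
    },
}

# Constructed flow records: (src_ip, dst_ip, proto, dst_port).
FLOWS = [
    ("10.50.1.11", "10.10.5.20", "tcp", 2575),
    ("10.50.1.11", "10.10.0.53", "udp", 53),
    ("10.10.9.4", "10.50.1.12", "tcp", 443),
    ("10.50.1.12", "203.0.113.40", "tcp", 443),  # device reaching an external host
    ("10.20.3.77", "10.50.1.11", "tcp", 23),     # telnet from a non-management host
    ("10.50.1.11", "10.50.1.12", "tcp", 445),    # device-to-device traffic
    ("10.20.3.77", "10.10.5.20", "tcp", 443),    # does not touch the segment
]

def check_flow(src, dst, proto, port):
    """Return a reason string if the flow breaks a segment policy, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, seg in SEGMENTS.items():
        for direction, device, peer in (("out", s, d), ("in", d, s)):
            if device not in seg["subnet"]:
                continue
            if peer in seg["subnet"]:
                return f"{name}: lateral device-to-device traffic on {proto}/{port}"
            allowed = any(r.direction == direction and peer in r.peer
                          and r.proto == proto and r.port == port
                          for r in seg["allow"])
            if not allowed:
                return f"{name}: unapproved {direction}bound flow with {peer} on {proto}/{port}"
    return None

def violations(flows):
    """Return (flow, reason) pairs for every flow that breaks policy."""
    return [(f, reason) for f in flows if (reason := check_flow(*f))]

if __name__ == "__main__":
    for flow, reason in violations(FLOWS):
        print(flow, "->", reason)
```

The same allowlist can later seed the permanent firewall rules when the temporary segments are folded into the existing architecture.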

Maintaining Perspective

While safety and security are clearly entangled, they are not entirely the same thing. In times like these, there should be little doubt that safety takes absolute precedence. Still, where the opportunity is afforded and it doesn't come at the expense of other activities pursuant to care, security mustn't be ignored.

When all is said and done with COVID-19, there will be no doubt that healthcare workers rose to the challenge and faced it head on — sometimes even at the cost of their own health and wellbeing. These are the heroes of the crisis and they deserve not only our recognition, but our commendation and support.

Unfortunately, it's not entirely clear to us how we can best offer our support. The above tips represent a humble first attempt. If you have any ideas for how CyberMDX can better enlist our cyber expertise and capabilities in the service of the medical organizations and teams in the trenches of the war against COVID-19, please reach out and let us know.

We're all in this together and together we'll get through it. Stay safe and stay healthy!