The health care industry is an ever-changing field full of advancements, both technical and medical. It requires a healthy knowledge of what has happened and what will happen. But each new medicine, procedure, or technological advancement means both improvements in treatments and potential risks.
One area of technology that sometimes isn’t as well covered in the public arena and yet has a considerable effect on the field is the use of industrial control (ICS) and supervisory control and data acquisition (SCADA) systems. These allow many of the industry’s advancements to collect, monitor, and control the large amounts of data and technology used by medical professionals.
What Happened
ICS/SCADA systems and components have been around since the beginning of electrical components and systems in most industries. The first examples would have been valves that could be opened, shut, or partially closed to control the volume of a fluid or gas. Think of controlling how much steam goes into a steam engine on a locomotive or how much fuel is injected into a motor so that the air and fuel mix allows the motor to run smoothly. A simple on/off switch or rheostat would control these items reasonably well.
Today, those same controls might be monitored and controlled by an ICS or SCADA system so that the volume can be checked and metered out to the tiniest amount, even when the operator is some distance away.
The problem is that many of these controls now run on obsolete computing devices or controller boards. They still work, and work well, but the controllers are connected to networks and the Internet to allow remote monitoring and management. Some are operated by people who are not even in the same region or country. This poses a serious risk, because it connects systems with little or no protection of their own to a vast threat space. A bad actor who took control of them could cause irreparable harm or even death.
In October of last year, we posted an alert titled “Alert: Researchers Find Serious Vulnerabilities in Medical Equipment,” in which we detailed vulnerabilities in B. Braun’s medical infusers. The threats specifically involved the ICS/SCADA capabilities of the pumps, which could allow someone to wrest control from authorized operators and place it in the hands of malicious actors.
In August of 2021, we wrote about the “PwnedPiper” vulnerability in the controllers of the pneumatic tube systems used by over 3000 hospitals worldwide. In this case, the vulnerability would allow a threat actor to control or shut down the tubes that deliver medicine, information, and other items to personnel across a medical campus.
There are likely to be many more ICS/SCADA systems within your organization that you don’t even realize are there: simple things such as your environmental controls (thermostats, humidity management, etc.) and the power supply conditioners that maintain a steady flow of electricity to your equipment, or more advanced items like the fire suppression system in the cafeteria kitchen. All of these items threaten your organization’s ability to continue operations if they are breached or made inoperable.
How Will This Affect You?
Even in the smallest medical practice, there are pieces of equipment and data storage repositories that are essential to it. If your patient data resides on a single storage device, and that device becomes corrupted or unusable, then your practice is crippled until the device is repaired or replaced. In the worst case, your organization will have to rebuild the data from scratch. Without your billing software and the information required to charge a specific patient or their insurer, you cannot make sure that you are paid for your services.
Either of the above situations could literally mean the end of your practice or organization, or a very costly recovery bill. If the problem arises from a data breach, your clientele will lose faith in your ability to protect their personal health information (PHI) or payment card information (the data covered by PCI). That loss of faith alone could spell doom for your organization.
To reduce or eliminate the threat, you must be aware of all of the potential avenues that could allow someone to cause an IT-related breach or breakdown, including those that involve ICS/SCADA systems and sensors.
What Should You Do?
One of the first things you should do is understand the various technologies and tools that your practice uses to support its operations. Take a walk through the facility, preferably with at least one other person, and write down each piece of equipment, data storage container or system, environmental control, etc., that is part of your business. Also take note of entry and exit points, lighting, fire suppression systems, alarms, and power outlets and supplies. Note how many people work in the location, what kind of information they collect and use, and where they obtain it. Have someone list all of your suppliers and the other businesses you work with (such as insurance companies, credit card payment system providers, and facility maintenance contractors).
Now that you have gathered all that raw information, you have a good start on bringing security into the equation. Sit down with a knowledgeable cybersecurity lawyer or legal representative and discuss what federal, state, and local laws might pertain to your organization. Bring in your IT and cybersecurity staff, if you have any, or hire a reputable external company to consult with you on these matters. Your goal is to understand what you should do, what you must do, and any options for mitigating the risks involved in day-to-day operations.
As you can see, this isn’t a one-day affair. It takes time to collect and digest the information, understand it, and create the plans necessary to move forward. Knowledge is key, but gathering it is work that requires your commitment to the effort.
Northstarr Recommendations
Owning and operating a small or medium-sized medical practice is all about having a select few clients and taking care of their health and safety. Cybersecurity may not be at the forefront of your mind. However, this doesn’t mean that it shouldn’t play a part in your practice—quite the opposite, in fact.
Northstarr System Solutions, Ltd. is a professional IT and cybersecurity managed service provider (MSP) that caters specifically to businesses just like yours. With decades of experience and knowledge across multiple related fields, our professionals can ease the pain of bringing your organization into compliance and giving you the peace of mind that comes with knowing you have the best possible security in place to protect your clients’ information, and your own life’s work.
Give us a chance to help you find the risks you may not be aware of, and create a plan to reduce or eliminate them. As an MSP, we can also help you manage your data and security over the life of your organization, ensuring that you can spend your time doing what you most want to do: helping your patients become healthy and stay that way.
Call (888) 767-2210 to set up an appointment for a free initial consultation or sign up for a free assessment on our website.
We look forward to doing business with you!