- Hospital IT staff and healthcare CISOs have focused on data and IT protection in their cybersecurity plans, but potential risks remain in Operational Technology (OT) in building management systems;
- Ventilation systems, water and oxygen supply systems, elevators, electric doors, lighting and other OT are often overlooked as a potential entry point for threat actors and cybercriminals;
- Hospitals should embed a culture of ‘cyber hygiene’ that echoes physical hygiene efforts so pervasive in the healthcare sector;
- There is a lack of relevant regulation around cybersecurity standards for healthcare OT systems.
11 May 2021 - The PwC report, “The Unseen Danger: Cyber Security Threat to Hospitals’ Operational Systems”, shows the potential dangers that could result from a cyberattack on operational technology (OT) systems. While attacks on OT systems are still relatively rare, there are a number of vulnerabilities that are likely to make this weak spot a more common target in the coming years - especially as IT systems and infrastructure become more difficult for threat actors to penetrate.
Ventilation systems, water and oxygen supply systems, elevators, electric doors, lighting and other OT systems are vital to the running of a hospital at any time, let alone during a global pandemic, but they are often overlooked by IT and cybersecurity teams as a potential entry point for intruders.
Vito Rallo, Director, Threat & Response Management, PwC Belgium, lists a number of reasons for this. “OT systems are often upgraded piecemeal and in a non-integrated way, but as is the case for example with recent building management systems, they’ve entered the digital era, equipped with internet connectivity and capabilities for remote control and monitoring. In many cases, the upgrading of the technology has not been followed by an updated awareness of the increased cybersecurity weaknesses these features brought along.”
This issue becomes apparent when examining how this technology is managed in healthcare: in most cases CISOs (chief information security officers) are not actually responsible for it. Most CISOs and their teams are responsible for the IT elements, covering data and IT systems, but not for operational technology such as building management systems or connected medical devices. An even bigger potential issue is that many smaller organisations do not have a CISO at all.
“Modern IT defences are causing more of a challenge to those trying to breach them, so threat actors are looking for other entry points. That means OT systems are increasingly a potential risk,” explains Vito Rallo. “This may not seem a high risk; however, threat actors always look for the easiest entry point, so it is definitely something that needs to be included in the risk register. There can also be a danger of a breach from the OT that facilitates access to the IT systems and the data. For example, one area actively targeted by threat actors during a recent breach was the technology layer transferring data between the IT and the OT infrastructure – in this case, raw imaging data going from scanners to further computer processing.”
To address the issue, PwC believes hospitals should look to embed a culture of ‘cyber hygiene’ that echoes the physical hygiene efforts so pervasive in the healthcare sector, and develop a holistic approach covering technology, process and people. To truly succeed, this cannot rely on standalone, one-off assessments; it should be based on continuous evaluation linked to the evolving threat landscape. The idea is to regularly measure and test response capabilities, identify risks and use the results as tactical input for the cybersecurity roadmap. This calls for multidisciplinary capabilities: coordinating technical activities (for example balancing investigation against recovery, and running an internal CSIRT), interacting with and between multiple service providers, managing and communicating with stakeholders, and meeting regulatory duties.
Another complicating factor is that typical solutions put in place in response to cybersecurity incidents often don’t fit the operational technology (OT) environment. “Running a response in OT requires specific skill sets and considerations. Classic models don’t fit, nor does taking a traditional forensic approach to the emergency,” states Vito Rallo. “OT priorities are different. An OT cyber incident response comes with safety, operations continuity and regulatory requirements top of mind. The goal is to go back to normal operations safely, without damage, as soon as possible, preferably with zero human impact while safeguarding compliance with regulations.”
Making OT security part of cybersecurity planning starts with recognising that there is a potential risk and making sure people are aware of it, and not just at the operational level; considerable board-level engagement is also required. “Our experience of managed security services in the hospital sector indicates rising awareness. We see an increasing appetite among CISOs for testing to reveal weaknesses caused by features, configurations or policies of the systems in place,” clarifies Vito Rallo. “The sector as a whole could also take additional steps to build digital trust - there’s a lack of relevant regulation around cybersecurity standards for healthcare OT systems, and this should be addressed by conversations amongst regulators, hospitals, technology providers and manufacturers. Hospitals’ OT networks play a vital but often unrecognised role in preserving and saving lives.”
“The Unseen Danger: Cyber Security Threats to Hospitals’ Operational Systems” can be downloaded at: