
The Importance of Cybersecurity Training for HTM Professionals

Axel Wirth

Biomedical Instrumentation & Technology, September/October 2016, pp. 381–383
Columns and Departments: CyberInsights

About the Author

Axel Wirth, CPHIMS, CISSP, HCISPP, is distinguished technical architect at Symantec in Cambridge, MA. He is a member of the BI&T Editorial Board. Email: axel_wirth@symantec.com

The cybersecurity posture of our medical device ecosystem is a growing concern. At the same time, we are painfully aware that today’s cyberthreats are increasingly sophisticated and attacks are highly targeted and purposeful.

In a world where cybercriminals are reinvesting 40% of their profits into developing new techniques,[1] the gap between what we know about medical device vulnerabilities and the attackers’ capabilities is growing rapidly. Yet, at the same time, medical devices are not as easy to secure (or upgrade to a more secure state) compared with traditional information technology (IT) equipment; in fact, one might even argue that the traditional security paradigms we have developed for IT cannot be applied directly to the medical device space.

Certain issues lie in the nature of the problem—no doubt, it is more difficult to implement iron-clad security with always-on, high-reliability, life-sustaining systems. Traditional security approaches, which rely on a combination of antivirus and patching, are not feasible or practical. (One could argue that with today’s sophisticated threats, this approach is doubtful even in the traditional IT space; however, this topic is beyond the scope of the current article.) Even though alternative security technologies exist for embedded systems and Internet of Things–like devices, they are not (yet) widely adopted in the medical device industry. Further, today’s complex security challenges cannot be solved by technology alone. Reliable processes, careful handling, and security-aware users are equally important.

And that means that in this day and age, anybody who uses any network-connected device, whether at home, at work, or in your hospital’s clinical engineering department, needs to have a fundamental understanding of cybersecurity. Consequently, security training for biomedical engineers is a must, and not only because HIPAA (Health Insurance Portability and Accountability Act) requires it [§164.308(a)(5)(i), “Security Awareness and Training”]. Because biomedical engineers make daily decisions that affect cybersecurity—from specifying new equipment, connecting it to the network, and maintaining its security posture, to the device’s end of life (EOL)—they need to be cognizant of how those decisions affect device security and ultimately patient safety.


© Copyright AAMI 2016. Single user license only. Copying, networking, and distribution prohibited.


Here are several examples of how human behavior can pose a security risk to medical devices:

• A device returning from repair is connected to the network without assessing whether it may have been infected with malware while it was out.

• A third-party service technician provides a software upgrade via a USB thumb drive of unknown provenance; it may previously have been used at other hospitals, airports, coffee shops, hotels, etc., and may contain malware.

• Clinical staff connect their personal smartphone to a device’s USB port to recharge it.

• Clinical staff use a digital X-ray system’s QC workstation to browse the web or check their personal email.

• Devices are EOL and discarded (and potentially resold or donated) without removing protected health information or enterprise network credentials.

Although technical controls could be applied to address these specific risks, human creativity beats technology many times over. In other words, while technical controls are available and necessary, we can’t possibly anticipate and plug all holes.

To make matters worse, we are facing a serious and global shortage of cybersecurity skills.[2] It is estimated that the current global job market for cybersecurity professionals has more than 1 million openings—and rising.[3]

One way for organizations to offset at least part of the problem is to train other technical professionals in cybersecurity. Although dedicated experts remain sorely needed, by training their colleagues, we can distribute the workload more effectively and better prevent security crises from occurring.

A much simpler argument for broader security training is that it helps reduce security hazards and hence the resulting risks to patient safety, clinical operations, data privacy, fines and lawsuits, and reputation.

Cybersecurity training for HTM professionals also builds bridges, allowing them to speak the same language as their IT peers. It can help overcome some of the traditional disconnects and differences in objectives between the two departments. (Of course, one could make the reciprocal argument that health IT professionals should also receive basic biomedical engineering training to help enhance their understanding.) In short, training also enhances communication, planning, and decision making.

In my job, I have the privilege of working with many healthcare organizations and device manufacturers. Many have built top security programs that very effectively minimize their risks and exposure. However, too many are still treating security as a secondary operational function with no clear value to the business.

The case for security training of HTM professionals also applies to medical device manufacturers. These companies have brilliant engineers who design highly reliable, safe, and effective devices that are saving countless lives, but I often find that their security awareness is not in line with today’s threat landscape and risks—both from a technical perspective and in relation to the business case for better security. But change is happening.

The sidebar at the end of this article sketches out the key attributes of a cybersecurity training program for HTM professionals. This outline is a work in progress, and I welcome input from organizations that have already implemented, or are in the process of implementing, such training. Using this outline as a starting point, we can begin the process of achieving consensus on industry best practice.

Summary

As cybercrime has become a business conducted by professional gangs and one can now hire hackers or attack services, buy any type of data, or order custom malware, we need to prepare our businesses and our infrastructure so that we can safely and securely operate in an increasingly hostile environment.

We cannot delegate cybersecurity responsibility to a few specialists in our organization who “take care of it.” Cybersecurity has to become part of an organization’s culture and everybody’s responsibility, from clinicians, to biomedical engineers, to management. Current-day cybersecurity is not a tactical function buried somewhere in IT; it is a strategic business responsibility to enable an organization to be as secure as it can be. Cybersecurity training is one of the critical components of that responsibility. Depending on their role, all employees need to be trained appropriately: clinical users so they don’t compromise devices and are able to detect unusual behavior, biomedical engineers so they can make the right technical decisions, and management so that the business supports security on a strategic level.

References

1. Gerden E. Hackers investing 40% of crime proceeds in new criminal techniques. Available at: www.scmagazine.com/hackers-investing-40-of-crime-proceeds-in-new-criminal-techniques/article/506847. Accessed August 5, 2016.

2. Hall SD. Cybersecurity skills shortage puts networked world at risk. Available at: www.fiercehealthcare.com/privacy-security/cybersecurity-skills-shortage-puts-networked-world-at-risk. Accessed August 5, 2016.

3. Morgan S. Cybersecurity job market to suffer severe workforce shortage. Available at: www.csoonline.com/article/2953258/it-careers/cybersecurity-job-market-figures-2015-to-2019-indicate-severe-workforce-shortage.html. Accessed August 5, 2016.

Sidebar: Outline for an HTM Professional Cybersecurity Training Program

1. IT and security fundamentals
   a. Enterprise networking
      i. Basics (e.g., addressing, OSI model)
      ii. Network protocols (medical and nonmedical)
      iii. Wireless networks
      iv. Common network architectures
      v. Access management and authentication
   b. Understanding software-based medical devices (their architecture and platforms)
   c. Security
      i. Terminology (e.g., threat, vulnerability, exploit, risk)
      ii. Understanding today’s threat landscape and malicious actors
   d. Risk management
      i. Terminology (analysis, hazard, mitigation)
      ii. Identifying and managing risk in a complex environment
      iii. Risk management as ongoing process

2. Understanding medical device cybersecurity
   a. History
   b. Impact of regulations
   c. Existing standards and best practices
   d. Privacy vs. security vs. safety
      i. Defining basic risk scenarios
      ii. Priority differences between IT and CE (C-I-A vs. A-I-C)
   e. Different attack vectors (targeted, opportunistic)—understanding the enemy
   f. How security incidents can impact an organization

3. Cybersecurity best practices (nontechnical)
   a. Policies and procedures
   b. Procurement and contracting
      i. Incorporating security in procurement best practices
      ii. Security in RFPs, vendor contracts, and business associate agreements
   c. Roles and responsibilities
   d. Vendor relationships: threat and vulnerability sharing, incident response
   e. Clinical user training—they are a security risk, as well as the first line of defense

4. Cybersecurity best practices (technical)
   a. Handling
   b. Network architecture and wireless security
   c. Life cycle and change management (e.g., patching)
   d. Other important aspects (e.g., portable media use)
   e. Threat and vulnerability management
   f. Incident handling and response