Cyber-attackers will have weaponized operational technology (OT) environments to harm or kill humans in the next few years.
Gartner recently published an eye-popping opinion piece, one that got me thinking about the many issues facing Healthcare Delivery Organizations (HDOs).
Sometimes it is easy to point to the problems and not offer any helpful information on how to solve the challenge. I appreciated Gartner’s concise summation of the issue and clear action steps to help remediate the problem. If you have not read their opinion, you can find it here.
Although most previously reported cyber-attacks in Southeast Asia focused on data breaches, such as the infamous attack on SingHealth’s specialist outpatient clinics in 2018, recent years have seen other, more nefarious intrusions.
Most recently, in August 2021, Tokio Marine’s Singapore unit was hit by ransomware, and soon after, news broke that potentially state-sponsored cyber-attacks had been targeting both public and private sector actors throughout Southeast Asia, affecting Thailand, Vietnam, Myanmar, the Philippines, Laos, Cambodia, Singapore, Malaysia and Indonesia.
Gartner alarmingly claims that bad actors will do worse in the near future, and are predicted to weaponize OT to seriously harm or even kill someone in the next few years. While OT exists in many different industries, with highly variable levels of complexity, the threat to Healthcare from this claim is immediately understood, as patients come to our HDOs for care in their time of need.
Healthcare is uniquely challenged with OT and the Internet of Medical Things (IoMT), as so many of these devices are directly involved in patient care. Having an IV Pump weaponized is unthinkable, so we must do everything necessary to prevent this. In addition to the devices, organizational complexity also creates an environment that makes a device security strategy hard to implement. The primary difficulties are the siloed operations responsible for isolated portions of IoMT & OT security and the myriad of devices that connect to the HDO network.
It is an emotional headline to read that someone may be seriously hurt or killed because of an attack on OT or IoMT, and it demands readers pay attention, which I certainly did! I kept coming back to a singular thought: this cannot happen on our watch.
As I processed Gartner’s opinion and valuable recommendations, I found myself thinking about why Medigate exists as a company, how we partner with our customers to solve many of the challenges that Gartner outlines, and future steps we must take to prevent this from happening in healthcare.
Medigate exists to be a verticalized platform that orchestrates and augments an HDO’s entire security program. We have focused solely on the Medical IoT & OT space since our inception, and we have helped a rapidly growing number of HDOs with this process, learning many valuable insights along the way.
Proper security involves the right people, processes and technology, and there is no single product that will, on its own, make a system secure after deployment. While Medigate brings much value to Healthcare IT, Security, and Clinical Engineering, it is the challenge of bringing these groups together that separates those HDOs that are committed to solving this challenge from those that are chaotically attempting to secure their environment.
In this way, Gartner’s recommendations are valuable since they help guide an organization’s strategic framework for OT & IoMT, so I want to comment on four of them:
Defining roles and responsibilities: Every great strategy implementation starts with the groups responsible for execution understanding how they all fit together. In this way, HDOs’ internal groups must find ways to work cross-functionally to prevent adverse outcomes from OT & IoMT deployments. Each group within the HDO brings a valuable level of expertise, so as long as the common goal is clearly defined, the wider cross-functional group can effectively work together.
Have an up-to-date asset inventory: Before you can secure it, you must know it is connected to the network! Asset inventory in healthcare is a challenge, but it is not impossible, even with a wide variety of unique devices.
Establish proper network segmentation: Once the devices are known and visible, the hard work of network segmentation can begin, so that each connected device and thing can use only the network resources it is allowed and is blocked from all others. While not easy, this is one of the best tools against the threat Gartner describes.
Formal patching process: Once issues are known for devices and things, they must be patched and updated as fast as possible. With Medigate Labs, we consistently monitor the major medical device manufacturers for critical vulnerabilities and the broader threat landscape to ensure we advise our customers of any known issues they should remediate. Patching is simplified if the HDO can know what devices are affected by a problem and where they are in the facility.
As I said earlier, the opinion piece from Gartner got my mind moving. The overwhelming thought is that we cannot allow this outcome – namely harm to a person – to occur in our HDOs because of our OT & IoMT strategy.