News, Insights, and more on Industrial IoT
Today, cybersecurity is one of the largest issues facing industries and the global population. It is the threat that cannot be ignored, and yet it is one of the most commonly neglected areas in modern business. Whether this is due to leaders being intimidated by the task at hand or the hope that their business will escape the notice of those with malicious intent, iall business leaders must understand one thing:
Everyone is vulnerable.
Cybersecurity threats come in various forms, but being aware of the top threats can allow those in charge to ensure that they are foundationally protected. For the modern-day healthcare industry professional, we have listed below the top five most pressing cybersecurity threats to be aware of and to protect yourself against.
The Building Management Systems (BMS) industry is rapidly growing, with projected profits of $20 billion by next year according to a report by Business Wire. The healthcare industry has made use of these systems as a way to safeguard patients and staff in hospitals and reduce energy costs. But what exactly are these systems and how are they used in practice?
Also called a building automation system, a building management system allows for the monitoring and control of the technical systems and services through a microprocessing controller network. These services include things like the air conditioning system, lighting, ventilation, and hydraulics. The uses can span further into security and access, power and lighting, controlling elevators and escalators, all the way down to Smartboards.
Knowing this, it is clear why these systems are appealing. It is no secret that building operators struggle to maintain high energy bills while also balancing the need for greener alternatives. Knowing how a building performs can allow for preventative maintenance, to stay ahead of the game when it comes to facilities management and ensure that downtime, which is not an option for healthcare critical infrastructure, can be avoided.
BMS are seen as a way to save resources, reduce energy costs, and work towards sustainability goals. Hospitals are not the only utilizers of BMS in healthcare; they are also used by shared practice offices, spas, even smaller clinics.
In 2019, the health sector was named as the highest targeted sector by hackers, accounting for a shocking 45% of total data breaches. In that year alone, 382 data breaches left a cost behind in the healthcare industry of $2.45 billion, an increase of 5.14% from 2018.
While Building Management Systems do allow for greater control and a deeper knowledge of the building in question, they can also be a target for cybersecurity threats. So much so, in fact, that the FBI released an official warning in 2018 regarding the vulnerabilities these systems can open the industry up to. Cybersecurity in healthcare is not a topic to be taken lightly, as so much of the data gathered in the industry is highly protected.
Data breaches can put healthcare building management systems at risk.
Patient data is obviously the first issue that comes to mind when it comes to the type of data that can be compromised. An open port in a BMS, vulnerable network makeup, or a weak firewall can expose patient data to hackers, whose methods have become increasingly more cultivated and focused in recent years. Consider the information provided by patients to healthcare service providers, which can often include but is not limited to biometric data, credit card information, and patient history.
Equipment control is another area that can be compromised by these types of threats. How a building is kept up and how its facilities run have a massive impact on patients. Imagine the consequences of a hacker being able to affect the air quality, HVAC system, or plumbing? Further, what if an MRI were interfered with, or a surgical tool, or a patient monitoring system?
Cybersecurity breaches are not a new issue, nor are they so rare that they should not be taken very seriously. Just in 2013, Target, the retail giant, was the victim of a massive breach leading to the exposed financial records of approximately 110 million of its customers. The hackers were able to access this information through Target’s own BMS system.
Google’s Australia office was also the victim of a hacked BMS. A patch created by its BMS platform to address a known security vulnerability was somehow not applied to the control system at Google’s Sydney office. Fortunately, the vulnerability was discovered by whitehat hackers. While they reported being able to access buttons labeled “alarm console”, “active overrides”, “BMS Key”, and “AfterHours Button”, they did not disrupt the system, instead reporting the issue to Google.
The Google story illustrates how appalling the consequences of a breach can be, but what about the specific risks for the healthcare industry?
Equipment downtime is one of the risks with arguably the worst possible fallout. Healthcare is a high-stakes industry, where the sudden loss of a piece of equipment could have fatal and lasting consequences. For this reason, equipment downtime cannot be considered an option at all in healthcare buildings.
Occupancy safety is another concern. If systems do not operate properly, even the smallest consideration such as the air being breathed by patients can cause harm. Poor ventilation and increased humidity and temperature in a patient’s room can increase bacteria growth, allow diseases to spread more rapidly, and harm an already suffering patient.
Patient health cannot be adequately managed if major elements of the building are breached or vulnerable. As a healthcare service provider, this is a critical issue that needs attention and protection.
In the healthcare industry, every piece is a part of a greater and more critical whole. The health and safety of patients must be protected against these threats. In recent years, five threats in specific have been noted to be particularly dangerous to this industry.
This is perhaps the most well-known cybersecurity issue because it is so widespread. Every employee, staff member, and provider with a password can be the cause of an open vulnerability in the larger system.
Poor password management is a major security threat, whether that be from employees choosing weak passwords, reusing passwords, or losing their passwords. In healthcare, when a password is needed, many employees will simply save the password even on a computer that is widely used rather than logging in and out.
In August of 2019, a government scandal shocked Australia when it was found that 1500 government officials were using “password123” as their password. Further, as a way to bypass security, every government-related system could be logged into with the password “Sumer123”.
At times, facility managers reuse the same username and password that the previous manager used, opening up the systems to risk. Security company WatchGuard out of Seattle found that approximately 50% of .GOV and .MIL email addresses could be cracked within a few hours due to weak passwords such as “password”, “123456”, and “linkedin”.
One of the most common web hacking techniques is SQL injection, which is when a hacker maliciously injects code into a database in order to access a system or data.
The most notable example of this in the healthcare industry was the ransomware attack in 2017 involving the ransomware, WannaCry, which started off in Europe but eventually spread across the world until it affected over 100,000 targeted healthcare organizations in 150 countries. This attack prevented treatment for a huge number of UK citizens after it breached their National Health Service (NHS). The damage later spread to digital billboards, universities, and train station monitors.
Open port is the phrase used to describe a port number that is configured to accept connections or packets (a formatted unit of data). Closed ports either reject the connections or ignore packets that are sent its way, securing your system as a whole.
If open ports are not secured, the network is exposed to hackers. In BMS, a port used to communicate with the controls in the buildings could allow someone with ill intent to access devices and systems.
One significant example is port 1911, an open port used by Tridium’s Niagara framework, which exposed thousands of BMS systems to the internet, creating a frictionless path for hackers to exploit.
SQL injection and open ports are common ways that hackers exploit healthcare facilities
Unfortunately, one of the largest factors to consider when looking at the highest probability cybersecurity threats comes from the inside of an organization. Employees and contractors were found to be the number one cause of data breaches, through a user willfully causing harm, simply being negligent, or accidentally creating a vulnerability by following a phishing attempt or opening up harmful software.
At Coca-Cola, a former employee walked away with secure company information backed up onto a personal hard drive.
An IBM employee tried to sell the company’s software source code in China… to undercover FBI agents.
It’s not always malicious, either. In 2014, as many as 70 million names, phone numbers/email addresses, and physical addresses were compromised in Target’s system when a third-party employee mistakenly clicked on a phishing email.
Technology is ever-changing, it only takes looking at how quickly we’ve gone from the iPhone 5 to the iPhone 11 and what that jump looks like to see that. As in the Google Sydney example above, the price of an out of date software can be catastrophic.
Health companies have been found to make use of hundreds, even thousands of legacy applications and systems. Knowing that it’s no wonder that the industry is so plagued by hacking attempts. The older a system is, the more frequently it will break, the harder it is to patch, and thus the easier it is to exploit.
BMS can be valuable systems to help facilities managers reduce costs and optimize patient care, but they don’t come without tradeoffs, especially in the form of cybersecurity threats. Facilities executives looking to shore up against these threats can look at augmenting or replacing BMS with more robust solutions. With new technological advances, facilities teams have more options than ever.
As a healthcare industry professional, it is critical to be aware of these most common, most threatening cybersecurity dangers that lurk the industry, probing for a vulnerability wherever one can be found. Only by being forewarned can we then be forearmed.
Have a Question?