In April and May, the country fearfully watched COVID-19 cases spike in the Northeast, especially in New York, and hoped that the surge would be contained and not spread to other states. Unfortunately, that hasn’t proven to be the case. Every day, we wake to more headlines of cases rising across other states and hospitals reaching maximum capacity in their ICUs. And with this surge of patients comes a related surge of medical devices being added to the hospital network to meet patient needs. It is not only the doctors and nurses being overwhelmed, but the IT teams at these affected hospitals. When new devices are added to the network, they can open up a backdoor for cybercriminals lurking in the wings and in the process, leave IT to scramble to keep every device – and every patient connected to them – protected.
The reason for the rush is simple. Since the pandemic started earlier this year, there has been a demonstrable spike in the number of healthcare cyberattacks. We’ve heard from a Justice Department official that healthcare researchers and the industry are being targeted for valuable research information. Other research by Bitdefender finds that ransomware attacks spiked in February, March, and April and that hospitals experienced a 60 percent increase in cyberattacks in March over February. All of this research points to the clear fact: cybercriminals are aiming to take advantage of the uncertainty and high stress environments caused by COVID-19, and specifically, looking to exploit the healthcare institutions who are so desperately focused on patient care.
However, just as many doctors, nurses and hospital administrators looked to their counterparts in New York and the Northeast for advice on how to deal with patient spikes, the same holds true for those in the IT department who helped to build a sustainable and secure network to fend off attackers and keep their critical medical devices online. By looking at these hospitals – and the resulting mad scramble and actions they took to protect their patients – there are four lessons that can be distilled to help those in the thick of a spike or for those planning for the next surge.
One of the most crucial lessons learned was knowing where each medical device was and its availability through the first surge. Rather than scrambling to purchase new equipment or try to borrow from another office or hospital campus, an automated inventory process tracks each device and its current use. And this process helps even when there is no pandemic as it facilities capital planning, management and purchasing.
Additionally, an automated inventory system provides IT with increased visibility into what devices are connected to the hospital network along with its related security posture. From there, if there is a security risk from a particular device, it can be easily located and remediated.
When it comes to keeping a network secure, it is imperative to stay on top of all aspects. However, with a pandemic, resources are going to be strained. So rather than tackling all issues – big and small – IT found it easier to prioritize each risk. It is more important to ensure that the automated inventory process is working smoothly than implementing a patch on a device not in heavy use. There is a greater likelihood of devices being added where IT may not be informed about than not during these harried times which the inventory process will find. From there, IT can determine the security parameters of a device and if anything needs to be handled immediately.
With everything going on, there is not time to implement patches or upgrades on a case by case basis. Rather, the detailed knowledge of the device gained through the inventory assessment will let you know if you can implement any upgrades at once to several devices or even help in prioritizing which have the bigger security vulnerabilities than others. IT can implement a plan to handle patches if, and as, they become available based on the level of significance. This plan will assist in streamlining upgrades and other security work that could potentially wait until later when the pace slows.
It is more than tracking a device on the network. Measurement of how it is being used is critical too. A hospital doesn’t need a device using bandwidth on its network unless it is necessary. For instance, ventilators in the ICU would be given a higher preference of a connected device over a blood pressure cuff in an exam room. Additionally, by measuring utilization, IT can determine a baseline for a device’s behavior to understand if something changes and remediate any issues as they come up.
Medical IoT device security is an essential part of the healthcare security to thwart cyber criminals at any time, regardless of the pandemic. With effective planning and automation processes, IT can keep the network safe without drowning in requests and working around the clock. When it comes to the COVID-19 there are still many unanswered questions and much to learn, but by following the above four steps, hospitals and healthcare organizations in the midst of a pandemic surge – and even those planning for the next stage – can streamline their IT efforts to ensure patient safety.