Disabling Hospital HVAC Is Now a Bargaining Chip in Ransomware

Most of the Building Management Systems (BMS) and Building Automation Systems (BAS) used in healthcare facilities were designed in the 1990s or early 2000s when cybersecurity wasn’t a big issue. These systems control and monitor a hospital’s lighting, heating and cooling, elevator operation and much more.

A recent study revealed that 75% of BMS — many of them deployed in healthcare — have known exploited vulnerabilities (KEVs). In addition, more than half of those systems are insecurely connected to the Internet and have KEVs linked to ransomware.

While BMS are seldom the “front door” in cyberattacks, they can be compromised when an intruder infiltrates via a phishing email and then moves laterally. So far, most of the cyberattacks involving BMS have been in the hospitality field. Both MGM Resorts and Omni Hotels have had incidents. At Omni, an attack disabled room key systems and data was reportedly stolen from about 3.5 million guests.

It’s only a matter of time until hospital BMS are in the crosshairs. Bad actors today will do just about anything to gain leverage over a healthcare facility. Shutting down a hospital’s heating and cooling system would be a patient safety disaster, especially in places like Fairbanks, Alaska (average winter temperature -4°F) and Phoenix (which last year had 113 consecutive days exceeding 100°F).

Such attacks could wreak havoc on the precise temperature and humidity controls in operating rooms and ICUs. Moreover, a hospital’s isolation rooms maintain specific air pressures to contain diseases — and disabling the controls could lead to a serious spread of infection.

Hackers could also bring down a hospital’s backup generators and uninterruptible power supply (UPS) devices. Most UPS systems are vulnerable to external SNMP commands that can shut them down completely.

If you think that hospital BMS are safe from intruders, consider this stark fact: Johnson Controls, one of the nation’s largest BMS providers, was itself hit with ransomware two years ago. The Dark Angels ransomware group breached the company and stole a reported 27 terabytes of data leading to $27 million in downtime/remediation costs.

Hospital BMS Often Siloed

A building management system is often managed remotely by a third-party company that’s primarily concerned with visibility, not security. Their team is looking for “flashing lights” that indicate that a boiler has shut down or an elevator system isn’t working properly. Even if HVAC and lighting are managed locally, the operations team often isn’t an integral part of the IT security staff.

In most hospital settings, the building management system isn’t tied into the main network that gets 24/7 cybersecurity monitoring. It’s not a hardened part of the system, which means that it’s bait for bad actors.

Strengthening Security In Hospital Maintenance Systems

Here are some suggestions for how to improve security, both in BMS and locally managed hospital maintenance systems:

• Device inventory: Create a list of all network-accessible HVAC devices and lighting systems — and monitor them for any suspicious activity.
• Safeguard remote access: Require VPNs for remote access and rely on multi-factor authentication (MFA).
• Continuously patch building maintenance software: Make sure that all BMS and HVAC software and operating systems are patched regularly.
• Vet both new and existing vendors: Conduct a thorough evaluation of current and prospective vendors of BMS and HVAC products and the contractors they use.

Ransomware incidents already do serious reputational damage to hospitals, but it can get even worse. It’s one thing to have patients’ Social Security numbers stolen, but it’s profoundly worse to lose a loved one because a heating system gets disabled. With a little foresight, that won’t happen at your facility.