Medical Construction & Design

MAY-JUN 2016

Medical Construction & Design (MCD) is the industry's leading source for news and information and reaches all disciplines involved in the healthcare construction and design process.

Issue link: https://mcdmag.epubxp.com/i/677235

BEYOND THE CARD

The importance of prudent cyber security for healthcare facility control systems

BY COLEMAN L. WOLF

While construction of new healthcare facilities has skyrocketed in the last decade, most campuses consist of a combination of new and legacy buildings that have grown piecemeal over time to accommodate the needs of a growing care population. As a result, the control systems that manage building functions are often cobbled together without the latest security challenges in mind. Standalone or multi-system networks supporting electronic medical records, clinical engineering, medical imaging, building controls and more, likely have varying security needs and capabilities and yet are attempting to work together for operational efficiency. The more these systems are connected, the more channels there are for potential attack.

In light of recent headlines about a hospital being held "cyber hostage" and the hacking of medical devices such as infusion pumps, pacemakers or imaging systems igniting a flurry of interest in cyber security, how can today's facilities prudently prevent attacks from those near and far to keep personnel, equipment and data safe?

The first step in good cyber defense is understanding and improving the current security offense. Before making knee-jerk reactions to remedy perceived risks, take a step back and develop a methodical approach to ensure security solutions are not only effective, but also reasonable and justifiable. By working through the following five-step process, it's possible to develop a comprehensive security plan that considers all the risks in a meaningful way.

Step 1: Complete a building systems survey

First, it's important to know exactly what systems the organization is using and how they communicate with each other, the outside world and the internet. This process of documenting and diagramming systems is called a building systems survey.

The survey should identify the electronic components of the healthcare building's control systems, such as mechanical, electrical and plumbing, security, entertainment, visitor management, fire alarm and elevator control systems, as well as all the components of the medical system networks such as EMR servers, networked medical devices and patient monitoring systems. The survey also needs to identify how the systems talk to one another and to external components — the location where they are most vulnerable to cyber attack.

For example, a hacker may attempt to compromise an infusion pump system in order to use it as a vector to gain access to other systems, such as electronic medical records and other hospital or patient data. In the well-known Target credit card theft, hackers initially gained access through the retailer's work order system and from there to the company's network where credit card transactions were stored. Knowing what systems exist and how they work together gives the facility owner/operator the bird's eye view needed to implement prudent security measures.

Step 2: Identify what needs to be protected

Determine what parts of the organization are likely to be attacked. Is the building itself a target? Are there patients that may be specific targets? What about equipment, medications, medical records or payment information?

Healthcare facilities are complex buildings with a variety of public and private areas each requiring varying levels of protection. Certain medications and materials are regulated as controlled substances. Other equipment or items may have a high value because of their cost or criticality to operations. Other items, such as data, have a high value to cyber attackers. Evaluating and prioritizing the elements that have the most value to the organization will help

DETERMINING RISK: Where should resources be focused?

Vulnerability to cyber attack can occur at multiple levels within an organization. To determine your organization's total risk of attack — and pinpoint where you should focus your security resources — you must analyze how likely an event is to occur, the effectiveness of security measures and the extent of impact that event will have on business. The following steps complete this analysis:

1. Assign values for likelihood, effectiveness and impact
2. Calculate risk based on those values
3. Rank results and prioritize risks
4. Consider each proposed mitigation strategy or measure to be implemented
5. Recalculate risk with each proposed strategy/measure
6. Assess which strategy/measure yields the best improvement
7. Weigh improvement versus implementation cost for each strategy/measure
8. Prioritize improvements based on budget, schedule and organizational importance
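The eight steps of the risk sidebar, worked through as an added example that is not part of the original article. The article gives no scoring formula, so the 1-to-5 scales, the formula likelihood x impact x (1 - effectiveness), the budget-only treatment of step 8, and every scenario, measure, value and cost below are assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: int       # step 1: 1 (rare) .. 5 (expected), assumed scale
    effectiveness: float  # step 1: 0.0 (no working control) .. 1.0 (fully effective)
    impact: int           # step 1: 1 (minor) .. 5 (severe), assumed scale

@dataclass(frozen=True)
class Measure:
    name: str
    target: str               # name of the scenario the measure improves
    new_effectiveness: float  # control effectiveness once it is in place
    cost: int                 # constructed figure, thousands of dollars

def risk(s):
    # Step 2, assumed formula: the exposure that current controls leave uncovered.
    return s.likelihood * s.impact * (1.0 - s.effectiveness)

def rank_risks(scenarios):
    # Step 3: highest risk first.
    return sorted(((s.name, risk(s)) for s in scenarios), key=lambda r: -r[1])

def evaluate(scenarios, measures):
    # Steps 4-7: recalculate total risk with each measure applied on its own,
    # then order the measures by risk reduction per unit of cost.
    baseline = sum(risk(s) for s in scenarios)
    def gain(m):
        after = sum(risk(replace(s, effectiveness=m.new_effectiveness)
                         if s.name == m.target else s) for s in scenarios)
        return baseline - after
    return sorted(((m, gain(m)) for m in measures),
                  key=lambda r: -r[1] / r[0].cost)

def plan(scenarios, measures, budget):
    # Step 8 (budget only): take measures in value order while they still fit.
    chosen = []
    for m, _gain in evaluate(scenarios, measures):
        if m.cost <= budget:
            chosen.append(m.name)
            budget -= m.cost
    return chosen

# Constructed sample values, not taken from the article.
SCENARIOS = [Scenario("infusion pump network", 4, 0.25, 5),
             Scenario("EMR servers", 3, 0.5, 5),
             Scenario("HVAC controls", 3, 0.25, 3)]
MEASURES = [Measure("segment pump network", "infusion pump network", 0.75, 40),
            Measure("offline EMR backups", "EMR servers", 0.75, 60),
            Measure("MFA on HVAC vendor access", "HVAC controls", 0.75, 10)]
```

With these sample values the measure with the largest raw improvement (segmenting the pump network) is not the first one chosen once cost is weighed in, which is the distinction between steps 6 and 7.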
