Governance & Risk Management , Healthcare , Incident & Breach Response
Alleged HVAC Hack Shines Spotlight on OT Risks to HealthcareHVAC Vendor Incident Said to Affect Its Boston Hospital Clients
A hacking incident that reportedly targeted a Massachusetts-based vendor that provides HVAC systems to several Boston-area hospitals and others shines a spotlight on the growing cybersecurity risks involving IoT devices and OT equipment.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The blog DataBreaches.net reported Wednesday that it had recently been contacted by a threat actor who claimed to have hacked an HVAC vendor and remotely accessed systems at its clients, including Boston Children's Hospital.
The blog identified the hacked HVAC vendor as ENE Systems in Canton, Massachusetts. ENE Systems on its website touts a number of customers across several industries, including three Boston-area, Harvard-affiliated hospitals - Boston Children’s Hospital, Brigham & Women’s Hospital and Massachusetts General Hospital.
As evidence of the hacking incident, the threat actor provided DataBreaches.net with screenshots of schematics and wiring schemes the hacker claimed were taken at Children's Hospital and captured from within ENE Systems.
"Some were for specific floors of the hospital, and the threat actor claimed to have a diagram for every floor of the hospital. The screencaps raised concerns about whether the threat actor could shut off BCH’s alarm systems and start tampering with the HVAC settings," DataBreaches.net reports.
The threat actor tried to extort the vendor to pay a fee, and "claimed that the vendor knew that they had been breached as there had been communications about the breach and extortion demand," DataBreaches.net reports.
ENE Systems did not immediately responded to Information Security Media Group's request for comment about the incident.
Boston Children's Hospital in a statement to ISMG says: "One of the hospital’s vendors had a security compromise to its network environment. There is no risk to either hospital operations or business operations as a result of this incident, and no patient information was affected. The hospital is working closely with the vendor to remediate the issue and ensure all the necessary controls are in place."
Massachusetts General Hospital said in a statement to ISMG: "The hospital was made aware of potential cyber security issues involving one of its vendors. Once notified, immediate action was taken to follow appropriate guidance to mitigate the risk. Hospital systems and operations remain unaffected by this incident."
Brigham & Women's Hospital tells ISMG: "The hospital has not been notified about any issues with ENE Systems at the Brigham. We continuously monitor our environment and appropriately respond to any credible cybersecurity threat."
Call to Action
Perhaps the most high-profile incident involving an HVAC hack was the 2013 Target breach, which resulted in 41 million customers' payment card details being compromised and contact information for more than 60 million customers being exposed.
In that incident, investigators say attackers accessed Target's gateway server through credentials stolen from a third-party HVAC vendor.
But in healthcare, the risks posed by IoT and OT hacks are potentially more dangerous, some experts warn.
"It is critical that organizations keep in mind that OT devices in healthcare are not just about keeping people comfortable or making building management a smoother process," says Chris Frenz, assistant vice president of IT security at Mount Sinai South Nassau, a hospital on Long Island, New York. "Many of these OT devices used for building management have patient safety aspects to them as well."
For example, operating rooms must be kept at a certain temperature and humidity to help control the growth of bacteria and prevent static discharge, which can cause critical surgical devices to fail, he says. Also, isolation rooms need to be maintained at certain pressures to control the risk of infectious diseases spreading, he notes.
"Failures of any of the OT devices that control these functions, as well as many others, will have impacts on patient care and, as such, it is critical that hospitals take measures to secure their OT devices to prevent them from becoming compromised or rendered unusable during a cyberattack," Frenz says.
Complex Connected Devices
Former healthcare CIO David Finn, executive vice president at consulting firm CynergisTek, offers a similar assessment. "Healthcare is 24/7, and these facilities must maintain temperature, pressurization, humidity, lighting, life safety and security while meeting the comfort and safety needs of patients," he says.
"There is no sector where the impacts of OT are drawn into sharper focus than in healthcare with biomedical devices, where the impacts aren’t just slowed processes or hot rooms but may result directly in injury or death to a patient."
As industrial systems become more connected, they become more exposed to vulnerabilities, threats and attacks - and still have access to the rest of the production network, he notes.
"Add legacy equipment, like medical devices, where regulations or limitations on the device itself may prohibit modifications being made to the equipment, and you have quite a challenge on your hands."
The alleged incident involving ENE Systems and the variety of other supply chain incidents that have been seen over the last year also highlight the importance of organizations developing and implementing a third-party risk management program so they can properly assess and verify the security postures of the vendors they use, Frenz adds.
"Organizations need to begin to consider incorporating business partner risks into their purchasing decisions and contract renewal decisions and be open to evaluating other options if the information security risk is deemed too great," he says.
"Moreover, organizations need to begin to ensure that contract language is specified in business partner agreements which spells out who is responsible for what in terms of security, security SLAs and other minimum security requirements."
The apparent ENE Systems incident also illustrates the need to design network and security architectures with the mindset that any device has the potential to be compromised at any time, according to Frenz.
"No system can ever be made 100% secure, and there will be the eventual compromise of an endpoint or other system on your network. I’m a firm believer in taking a "zero trust" approach to security, whereby no system on a network is considered trusted and communications between systems is only possible where explicitly needed," he says.
"While such an architecture is not a panacea for all security needs, when used as part of a defense-in-depth security strategy, it can help to limit the ability of an attacker to move laterally through the organization and help to keep an incident contained. A compromised HVAC controller should not readily allow an attacker to access the EHR or other critical systems and a zero trust approach helps to ensure this."
Managing All Devices
A comprehensive security strategy must encompass all managed, unmanaged or industrial IoT devices in the enterprise - from the bedside to the executive suite, Finn says.
That's because "in an interconnected environment, you can’t secure OT until you secure IT. The security platform should work for all industrial control systems and other kinds of devices common to the enterprise, such as HVAC systems, IP security cameras, fire alarm systems, building access management systems, switches, firewalls, wireless access points, printers and more."
Organizations also must be able to directly monitor all communication pathways that could be used in a cyberattack, including Ethernet, Wi-Fi, Bluetooth, BLE and possibly other wireless protocols, such as Zigbee - depending on an environment and plans, Finn says.
"Wireless coverage is important because attackers can exploit vulnerabilities such as BlueBorne, KRACK and Broadpwn to compromise OT devices wirelessly, without any user interaction."