Protected by Design: Healthcare IT and System Security


August 20, 2021



Imagine walking into a cath lab so humid that the walls were literally dripping with moisture. A device that regulated the lab's humidity through a dampener had failed, and the failure raised the humidity within the procedure room.

The downstream effect was a shutdown of the imaging system, a bi-plane, and a halt to clinical services. The bi-plane has built-in humidity sensors and shuts down to protect itself when a particular humidity level is reached. This failure was not caused by a cybersecurity infiltration, but it serves as an example of the kind of threat that could occur.

Many of these systems are IP-based. The devices that open/close valves, switches, dampeners, sprinkler heads, temperature control, and many other devices will each be assigned an IP and MAC address and can be controlled from a workstation on the hospital network or, in some cases, remotely. These devices are located on the hospital backbone, on the wireless infrastructure, or within a private network.

On one level, this wasn’t a particularly worrisome situation. Being the product of a simple system glitch, the problem was solved easily enough. On another level, it was especially concerning: It exposed how a cybersecurity infiltration could cause chaos in a healthcare facility.

If an individual managed to penetrate the hospital’s internal network and access the building automation system, an entire facility could be shut down, lives endangered, and revenue lost.

A high-tech environment

Hospitals have become increasingly reliant on technology, with countless systems linked in various ways. These connected high-tech systems have made the work of healing more efficient and effective, but they also have created vulnerabilities. After all, any technology can fail, and any system can be hacked. That’s why it’s essential to be prepared and protected, making system integrity a top priority.

When discussing these systems, divide them into two subsets: infrastructure, and medical and information systems.

“Infrastructure” refers to the services necessary to support a healthcare facility’s medical and IT systems: electricity, water, gases, heating and cooling, steam and building automation. Many of these systems rely on the IT infrastructure – a facility’s technology “backbone” – to operate, and many are IP-based, which means they are assigned individual IP and MAC addresses that allow them to be controlled from a workstation on the hospital network or, in some cases, remotely.

“Medical and information systems” include those devices that support life, facilitate clinical decisions and/or guide treatment. These days most of these also are part of the IT system, whether they reside on that hospital backbone or on a private network that interacts with other systems through the backbone.

Medical devices range in sophistication and clinical uses, but most are vulnerable to both internal and external threats. There are many points of entry, including the devices’ and systems’ wireless and wired capabilities, Bluetooth, RS-232, and USB ports. Wireless devices are associated with an SSID, or Wi-Fi name, which, if not secured, can be viewed easily, and access can be obtained by anyone within the facility with the correct credentials.

Securing infrastructure and medical systems

The key to preventing a penetration of the infrastructure and medical systems is a robust risk assessment program that identifies the systems and associated risks, designates an administrator and their responsibilities, provides remediation to resolve risks, and accepts or rejects associated risks. The program also would include the creation of a business-continuity plan, which outlines how clinical or non-clinical services will be maintained during an outage, and a disaster-recovery plan, which describes the steps that would be taken to recover a system that is non-operational.

Securing these systems can be a complex process with multiple steps. Key actions include the following:

  • Perform a risk assessment prior to vendor selections.
  • Identify internal and external threats.
  • Outline security policies based on risk assessment, vendor recommendations and health system requirements.
  • Place the system on a private network and utilize unified threat management and next-generation firewalls for access outside of the network.
  • Effectively manage the firewall and allow only essential applications, services and ports.
  • Assign a system administrator who will provide system security and actively manage access.
  • Limit user access based on needs.
  • Block any non-essential USB ports.
  • Turn off non-essential wireless capabilities, including any available Bluetooth.
  • Require vendor credentialing and monitor vendor access to systems.
  • Document system information and changes.
  • Create business-continuity and disaster-recovery plans.
  • Patch and update software on a regular basis, making sure downtime does not affect clinician and patient needs.
  • Follow vendor-recommended methods to secure devices and systems unless the recommendations would clinically change the way a device operates or interrupt the clinical process.
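
One way to check the private-network, firewall and limited-access items in the list above, shown as an added example that is not part of the original article. The segment address, rule format, admin workstation range and essential-services set (BACnet/IP on UDP 47808 plus HTTPS) are constructed assumptions.

```python
import ipaddress

# Constructed policy for a hypothetical building-automation private network.
SEGMENT = ipaddress.ip_network("10.50.0.0/24")
ESSENTIAL = {("udp", 47808), ("tcp", 443)}  # assumed: BACnet/IP and HTTPS management
ADMIN_SOURCES = [ipaddress.ip_network("10.10.5.0/28")]  # assumed admin workstations

# Constructed firewall rules, evaluated top-down: (action, proto, src, dst, port)
RULES = [
    ("allow", "udp", "10.10.5.0/28", "10.50.0.0/24", 47808),
    ("allow", "tcp", "10.10.5.0/28", "10.50.0.0/24", 443),
    ("allow", "tcp", "0.0.0.0/0", "10.50.0.0/24", 23),
    ("allow", "tcp", "10.0.0.0/8", "10.50.0.0/24", 443),
    ("deny", "any", "0.0.0.0/0", "10.50.0.0/24", None),
]

def audit(rules, segment, essential, admin_sources):
    """Return (rule_number, finding) pairs for rules that reach the segment."""
    findings = []
    default_deny = False
    for i, (action, proto, src, dst, port) in enumerate(rules, 1):
        dst_net = ipaddress.ip_network(dst)
        if not dst_net.overlaps(segment):
            continue  # rule does not touch the protected segment
        src_net = ipaddress.ip_network(src)
        if action == "deny":
            catch_all = proto == "any" and port is None and src_net.prefixlen == 0
            if catch_all and segment.subnet_of(dst_net):
                default_deny = True
                break  # anything after a catch-all deny is unreachable
            continue
        # Allow rule: the service must be on the essential list ...
        if proto == "any" or port is None or (proto, port) not in essential:
            findings.append((i, "non-essential service allowed"))
        # ... and the source must fall inside an approved admin range.
        if not any(src_net.subnet_of(a) for a in admin_sources):
            findings.append((i, "source wider than admin workstations"))
    if not default_deny:
        findings.append((0, "no default-deny rule for segment"))
    return findings

if __name__ == "__main__":
    for rule_no, finding in audit(RULES, SEGMENT, ESSENTIAL, ADMIN_SOURCES):
        print(f"rule {rule_no}: {finding}")
```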

Security by design

My experience working both for a health system and a design firm has highlighted for me the need to address cybersecurity and risk assessments during a facility’s design phase. While a healthcare system certainly can take steps at any time to secure systems that support life, infrastructure and personal and financial data, the easiest and most effective time for action is before a facility’s doors open.

Step one in this process is the technology assessment. During this part of the project, the design team should obtain the vendor standards and learn which service line supports the medical equipment, software, hardware (servers, routers, switches, wireless infrastructure, etc.) and facility infrastructure.

This is also the time to identify a system-security vendor, allowing that vendor to participate in creating the security system as the facility takes shape. Key factors to consider in that process include how the vendor supports a robust cybersecurity program, whether the vendor includes regular, free software updates and patches, whether the operating system is Microsoft- or Linux-based, and how system administration is supported and at what cost. Be aware that most vendors will offer software maintenance agreements, expensive contracts that secure only the system itself and do not consider other factors.

Obviously, the vendor plays a key role, and failing to vet the vendor’s security offerings could be costly in terms of increased operational costs, expensive support agreements, legal costs in the event of a system breach, a subpar patient experience and more.

Leadership must be on board

Each health system will have its own unique challenges with implementation of systems security. Regardless of these individual differences, however, one thing is essential: Leadership must be on board, championing the philosophy that a secure facility is the responsibility of the entire staff, and recognizing that a robust cybersecurity program requires a commitment of human and financial resources. Leaders also should accept that these resources will be considered in the annual budget cycle, and that the facility should have a working plan for how these funds will be allocated, considering factors that include additional employees, resource redeployment, cross-departmental support, capital investments, maintenance agreements, consulting services, and education and training.


These days, technology is essential to virtually every workplace, and therefore every workplace could be crippled by a system breach. But a breach in a healthcare facility literally could be a matter of life and death. That’s why security must be a key consideration, even before a facility takes shape. After all, if drippy walls can bring hospital systems to a halt, imagine what a devious hacker could do.

Connect with Michael on LinkedIn to continue the conversation, here.