Diagnosing weaknesses in healthcare BMS

Modern hospitals are laden with a complex network of machines and handheld devices. Their numbers have exploded in recent decades as new technologies have been developed and deployed for patient monitoring and treatment.

Hidden from view is the overarching system which connects all these devices and enables them to communicate with one another — known as a building management system (BMS). The BMS acts as the central nervous system of the modern hospital, managing and monitoring all the infrastructure and devices that keep it running.

As many BMS devices are connected to the internet, health delivery organisations are increasingly becoming exposed to a host of dangerous cyber threats through this entry point. Excluding government sectors, the healthcare sector reported the highest number of cybersecurity incidents during the 2021–22 financial year according to the Australian Cyber Security Centre.

BMS can put patients at risk

Patient safety does not depend solely on the individuals directly involved in health care, or the medical devices that are being used for treatment. Every healthcare facility is a smart building to some extent and therefore reliant on the BMS for a variety of functions, including securing it against unauthorised entry, detecting and suppressing fires, managing and monitoring lifts, and maintaining a safe and comfortable temperature for staff, patients and visitors.

BMS have undergone rapid digital transformation and their scope and complexity have increased greatly in recent years. They now connect and control more machines and devices than ever before and can be extremely vulnerable to compromise by nefarious cybercriminals.

The sheer scope of BMS is often not well understood, which can lead to a false sense of security and therefore impact patient safety. For example, when a California hospital had one of its cryogenic freezers fail due to a cyber-breach, vital stem cell therapies for 56 children being treated for cancer were destroyed, resulting in delayed treatments and a civil lawsuit.

In one of the worst cases of a healthcare BMS failing, the air filtration system at a children’s hospital in Seattle allowed mould spores to enter the atmosphere in operating theatres, leading to infections in patients and, in some cases, deaths. In this case, a simple issue with a HVAC system had devastating consequences for patients and their families.

There have also been several instances of elevator malfunctions at hospitals leading to serious injuries, and even deaths, as a result of the elevator not being properly monitored.

A backdoor to critical healthcare systems

BMS present two significant security problems. First, they often do not get the attention they need from security teams, who are focused on protecting the more obvious cyber targets that lie within a hospital’s traditional IT infrastructure.

Second, BMS are often connected to the networks that support business-critical IT systems and can be exploited by criminals as an easy pathway into otherwise well-protected systems.

Several of these vulnerabilities have been discovered by cybersecurity specialists and warnings issued. For example, in 2019 AusCert issued an alert about Optergy Proton, a web-based building interface device that combines building automation, energy management and facility management. It detailed multiple vulnerabilities, noting that successful exploitation could allow an attacker to achieve remote code execution and gain full system access.

While Optergy Proton is a newer product, and a software update was made available to remove the vulnerability, remediation is anything but simple with older building management systems. Many of the legacy BMS being used in hospitals today were designed when cyber attacks weren’t as frequent or as sophisticated as they are now. Connectivity and security were not front of mind when developing these systems. Remediating vulnerabilities in older BMS is challenging at the best of times and often requires considerable downtime, which is not an option in a 24/7 hospital environment.

How to boost cybersecurity

There are many tools available to help healthcare organisations better protect their BMS from cyber attacks. The best tools provide the following key functions: enhanced visibility, efficient vulnerability management and network segmentation.

Enhanced visibility

Today’s BMS comprise many different subsystems using different communication protocols. This makes monitoring what is happening in a BMS network extremely challenging. Network monitoring tools called parsers can analyse these multiple protocols and pass information to higher-level networks. They greatly simplify the task of monitoring all the traffic flowing through the network of a BMS and identifying any potential vulnerabilities.

Efficient vulnerability management

Vulnerabilities are a fact of life, in both BMS as well as OT/IT systems. While patching vulnerabilities is a necessary task, it can also cause significant disruption to critical operations by requiring operational downtime. Fortunately, tools are available that can identify vulnerabilities, inform how critical each one is and essentially triage them by prioritising the most critical vulnerabilities and balancing this with how much disruption it would cause to fix them.

Network segmentation

In a healthcare facility, connectivity does not need to be universal: in other words, every machine or device does not require connection to everything else. Network segmentation restricts communication between all systems and devices to only those that require it. Security tools are available to facilitate this often-complex task of segmenting the networks and can ensure that a compromise of one system does not give the attacker access to others. These tools can monitor all network traffic to first establish a pattern of normal behaviour and then raise the alarm when there is any deviation from this norm, which could indicate an attack.

The takeaway

Building management systems are the backbone of modern hospitals. They are directly responsible for securing and monitoring the infrastructure, resources and environment within a healthcare facility, yet they are often overlooked by cybersecurity teams as a weak spot. This can have serious implications, including the loss of highly sensitive data, or worse, impacts on patient safety.

While addressing the security weaknesses in BMS is a difficult task for many healthcare providers, maintaining patient access to medical services and safety is of far greater importance. Healthcare organisations must adopt a proactive approach to this risk, including implementing tools that enhance visibility, efficiently manage vulnerabilities and allow for network segmentation. This will not only secure their facility, but also help ensure patient safety and build deeper confidence in the healthcare system.

Image credit: iStockphoto.com/oonal