On “One Guy’s Opinion,” Guy Baroan, founder and president of Baroan Technologies, discusses the technology world through the lens of a successful IT managed service provider.
Medical equipment is designed to help people, but according to a recent article in Wired, many pieces of equipment commonly used by medical practices are extremely easy for hackers to access. These security flaws can open the door to all types of malicious activities. With this article in mind, we wondered what our friend Guy Baroan, expert MSP and owner of IT solutions provider Baroan Technologies, does to address some of the security concerns healthcare practices have when it comes to these types of equipment. And for that matter, how much of the burden is on a managed service provider to fix these security holes, and where does the MSP role start and finish when it comes to healthcare equipment?
StorageCraft: Hospitals have a large variety of equipment, but when it comes to various pieces of equipment, where does the role of the MSP begin and end?
Guy: To answer that accurately, I’d say it really depends on the client you’re working with and what parts of the network they want you to take care of. Some clients want you to come in and provide them support for just the desktops and the servers and do some security, but most of them don’t really know you. Sometimes it takes time for them to trust you but often they eventually come to you for help with identifying network vulnerabilities they might have. If a client tells us they want assistance, we can do a network scan to detect all the threats. With HIPAA requirements today, you’ve got to identify the threats through a network scan and penetration test to identify open ports and things like that. You’ve got to uncover all these threats and find out what the challenges are. This network scan is usually what starts the conversation on where support starts and ends. It really just depends on what they want from a service provider.
StorageCraft: Medical practices have some very specialized pieces of equipment, are there things you can’t support? Is there a limit to what you can support?
Guy: Nobody can tell you that they know everything. We’re the first ones to tell you that we don’t know everything, but what we can do is work with the manufacturers to make sure that every security hole we find is resolved. If we do a security scan on the network we can find devices that are on the network that have open ports or credentials that are simply “admin.” We’ll find the devices that anybody can get into and we’ll have proof that someone can gain access. That’s when we work with the manufacturer to figure out what we can do to resolve the problem. That’s the first step. If they can’t resolve it, you really have to decide what happens if something isn’t patched. Maybe you’ve got to isolate that piece of equipment or something like that.
StorageCraft: Wired magazine recently posted an article about how easy it can be for a hacker to get into various types of healthcare equipment. They even wrote about the concern that somebody would be able to tamper with Bluetooth-enabled defibrillators to deliver random shocks to patients. There seems to be a variety of ways a hacker could attack a person physically through networked medical equipment—it’s scary stuff. Have you encountered anything like this, have you seen anybody attempt an attack on healthcare equipment?
Guy: We haven’t come across that. That’s kind of a high-level thing. It’s a risk more hospitals are becoming aware of, but still, not a lot of people are aware of it right now. The issue is that in general, we’re all fairly trusting by nature. You want to say, “We’ve built these devices and made these advances to help people in the medical industry,” but that’s not always the case.
StorageCraft: What sort of difficulties does additional security add?
Guy: One of the challenges is that the more secure you make something, the more complex it becomes, which increases the chance that something won’t connect properly. Take a Bluetooth device for example. If you give it a strong password you’ve got to know how to enter it if the device disconnects so there’s another layer of difficulty and you can have complications. It’s sort of a “damned if you do, damned if you don’t” type of situation. You’d rather not have it secure because it makes it easier, but you can’t do that today—you’ve got to have things secure. If you’re talking about easy-to-break into devices, you’re not just talking about medical devices, you’re talking about businesses. If you’ve got routers and printers, they all have default passwords a hacker can figure out. This starts a discussion about the level of professionalism in the IT providers these businesses are hiring. Are they hiring someone because they’re online a lot or tinker with technology and think they know what they’re doing or are they getting an expert? People are going to realize that if they don’t get somebody with experience who is aware of potential security threats, they’re going to be in trouble. I mean, just imagine someone getting hurt by a hacker who got into healthcare equipment, it’s just crazy.
StorageCraft: If there’s a way in, somebody might take it.
Guy: Sure, and why not? But some people don’t do it maliciously or “just because.” Some are actually doing it to identify the vulnerabilities so they can be fixed. When there is a breach, you hope that it’s not malicious. When there’s a breach or when someone sheds light on a vulnerability, manufacturers typically do something about it. It wouldn’t be the worst in the world [if there was a vulnerability] as long as nobody gets hurt, but there’s always a risk. If the manufacturers aren’t being proactive and are only reacting to things that show up, that’s not good either.
StorageCraft: So back to HIPAA compliance for a moment. A hospital like the one Wired mentions in their article, one with all of these easily-accessible pieces of equipment, would that not be HIPAA compliant simply because of all of these devices?
Guy: One of the things that HIPAA states is that you need to identify what the risks are. There are several steps you have to take but the first is a self-assessment. This involves doing a scan for network vulnerabilities, both internally and externally. What’s great about that is it brings to light what the vulnerabilities are. As far as whether they’re HIPAA compliant or not, the first step is you need to be aware of vulnerabilities. The next step is to remediate, but if something is going to cost a million dollars to remediate and you’re a small practice, that’s not viable. You’ve got to take other steps into account, you’ve got to remediate in other means. If it’s a networked device you may need to isolate it or put it in a virtual environment or segment it on a part of the network where it’s not easy to connect to from the outside world. It’s not that these unsecure devices necessarily prevent a practice from being HIPAA compliant, it’s more a matter of how bad it is. How many people could be hurt and what are you doing to remediate the problem? You can be HIPAA compliant if you’re actively doing something about it.
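The assess-then-remediate sequence Guy describes (scan, find exposed services and default credentials, patch where the manufacturer has a fix, otherwise isolate or segment) is easy to lose track of across dozens of devices. The following Python script is an added example, not code from the interview or from Baroan Technologies: it takes a constructed, normalised scan report (hosts, names, open ports and flags are all made up for illustration), scores each device, and produces the remediation path a security officer would record in the risk assessment. The port weights and the "no vendor patch means segment" rule are assumptions chosen for the example.

```python
"""Triage constructed network-scan findings into a remediation plan.

Added example: the findings below are constructed for illustration and do
not describe any real device, practice or vendor.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed findings in the shape a vulnerability-scan report might be
# normalised to before triage (hypothetical hosts and names).
SCAN_FINDINGS: List[Dict] = [
    {"host": "10.0.20.11", "name": "xray-console", "open_ports": [23, 80, 445],
     "default_creds": True, "vendor_patch_available": False},
    {"host": "10.0.20.12", "name": "imaging-gateway", "open_ports": [80],
     "default_creds": False, "vendor_patch_available": True},
    {"host": "10.0.10.5", "name": "file-server", "open_ports": [445, 3389],
     "default_creds": False, "vendor_patch_available": True},
    {"host": "10.0.30.7", "name": "lobby-printer", "open_ports": [23, 80, 9100],
     "default_creds": True, "vendor_patch_available": False},
    {"host": "10.0.10.9", "name": "reception-pc", "open_ports": [],
     "default_creds": False, "vendor_patch_available": True},
]

# Services that should not be reachable from the general practice network.
# Weights are an assumption: 2 for remote login / file sharing, 1 for
# unauthenticated admin pages or raw printing.
RISKY_PORTS: Dict[int, Tuple[str, int]] = {
    23: ("telnet", 2), 445: ("smb", 2), 3389: ("rdp", 2),
    80: ("http-admin", 1), 9100: ("raw-print", 1),
}
DEFAULT_CREDS_WEIGHT = 5  # accepting "admin"-style defaults outweighs any single port


@dataclass
class Triage:
    host: str
    name: str
    score: int
    reasons: List[str]
    actions: List[str]


def score_device(dev: Dict) -> Tuple[int, List[str]]:
    """Sum a simple risk score and collect human-readable reasons."""
    score, reasons = 0, []
    for port in dev["open_ports"]:
        if port in RISKY_PORTS:
            label, weight = RISKY_PORTS[port]
            score += weight
            reasons.append(f"port {port}/{label} exposed")
    if dev["default_creds"]:
        score += DEFAULT_CREDS_WEIGHT
        reasons.append("default credentials accepted")
    return score, reasons


def plan_actions(dev: Dict, score: int) -> List[str]:
    """Map a finding to the remediation path described in the interview."""
    if score == 0:
        return ["monitor"]
    actions = []
    if dev["default_creds"]:
        actions.append("change default credentials")
    if dev["vendor_patch_available"]:
        actions.append("apply vendor patch")
    else:
        # No fix from the manufacturer: isolate the device on a restricted
        # segment that is not reachable from the outside world.
        actions.append("segment to restricted VLAN / block from internet")
    return actions


def triage(findings: List[Dict]) -> List[Triage]:
    """Return devices ordered worst-first so the security officer works top down."""
    result = []
    for dev in findings:
        score, reasons = score_device(dev)
        result.append(Triage(dev["host"], dev["name"], score, reasons,
                             plan_actions(dev, score)))
    return sorted(result, key=lambda t: t.score, reverse=True)


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Count devices per remediation path for the risk-assessment record."""
    counts = {"patch": 0, "isolate": 0, "monitor": 0}
    for t in triage(findings):
        if t.actions == ["monitor"]:
            counts["monitor"] += 1
        elif any(a.startswith("segment") for a in t.actions):
            counts["isolate"] += 1
        else:
            counts["patch"] += 1
    return counts


if __name__ == "__main__":
    for t in triage(SCAN_FINDINGS):
        print(f"{t.score:2d} {t.host:<12} {t.name:<16} {', '.join(t.reasons) or 'clean'}")
        print(f"    -> {'; '.join(t.actions)}")
    print(summarize(SCAN_FINDINGS))
```

The output is a worst-first list plus a count of devices per path, which is the kind of evidence a self-assessment needs to show that known risks are being actively addressed rather than merely found.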
StorageCraft: When it comes to security issues, how much responsibility is placed on the employees of a medical practice?
Guy: Every business should have somebody designated as its security officer. The security officer, or whoever is responsible for compliance, is the person who is in charge of making sure HIPAA requirements are being followed. This involves reviewing logs, events, finding vulnerabilities, and figuring out how to remediate them. There should be people in charge within an organization. There are processes and procedures that should be in place for employees. Employees shouldn’t be able to copy data or plug in an infected USB drive. From an employee perspective it’s not as much their responsibility as it is the managers of the office. The compliance and security officers should be identifying risks and reviewing processes, but I don’t know that the employees should be the ones that bear the responsibility. They should be following processes, but the burden shouldn’t be on them.
StorageCraft: In addition to all the security things we’ve been talking about, we’re also wondering about backups. I know most medical facilities want as much uptime as they can have, but how exactly do you achieve that? When there are so many pieces of equipment, how do they decide which are getting backed up and which need to have quick failover options in place to maximize uptime?
Guy: It depends. Some equipment talks to the network and some doesn’t. To give you an example, when we talk to medical practices about uptime we ask them what their recovery time objective is. They’ll usually say they don’t know what that means. So we explain and they say, “Well, we could be down for a few days.” Then we’ll give them this example: What if you come into your office and all your equipment is down and you’ve got patients waiting in the lobby? You’re saying you can perform business as usual while the systems are down? At what point does somebody enter in the information you gathered once the systems are back online? Do you have a system in place for that? Pads and paper? How do you look up records? That’s when their eyes open wide and they really realize that they can’t be down. That’s when we talk to them about what it takes to keep them up, which involves having redundancies in place.
If it’s a larger environment you can use virtualization with multiple nodes, a SAN with built-in fault tolerance, or multiple servers running with failover options. If it’s a smaller environment there are options for them to continue to run on a BDR unit and run a backed up image, so they may not have zero downtime, but they can keep it under a couple of hours. You have the local backup, but you might also need offsite backups that help keep data if there’s a fire or something at the office. If there is a fire at the office, how quickly would the practice be seeing patients again? It’s possible in many cases to get the office back on track within 48 hours at a rented space.
StorageCraft: As far as specialized equipment goes, they typically don’t need to be backed up because they don’t actually create data, is that right?
Guy: There are machines like X-ray machines that create data, but it’s not stored locally, it’s just stored on the network. If it’s a local machine, there are ways to back them up—it’s just a computer.
StorageCraft: So what’s the best way for a medical practice to keep on top of HIPAA?
Guy: From a service perspective, that [Wired] article is great—it has great information on the medical field. I think it’s important to really understand the difference it makes for a business that uses a professional service provider. Sure, you can use someone who can get everything networked, set up printers and shares, and so forth, but you need someone who knows what to look for and someone who can handle all of these new HIPAA regulations and changes.
Medical practices can no longer look at the lower cost managed service providers because it’s going to hurt them. They can easily end up with fines and fees that cost more than they thought they were going to save. From an industry perspective, there’s going to be a change and there will be no more, “Oh my cousin does this, let’s hire him.” These days you need to work with people who are also HIPAA compliant who can sign a business associate agreement. If you’re working with someone who isn’t HIPAA compliant, then you’re not HIPAA compliant yourself. If something happens, the practice is at fault. If the practice has a breach then they’re responsible for it. They have to notify patients that there’s been a breach. [Practices] really need to make sure they’re in compliance through the whole thing. In a medical practice you really can’t be penny wise and pound foolish. You’ve really got to work with the right companies these days.
Author’s note: The thoughts and opinions offered above are merely suggestions. Be sure to consult an attorney or HIPAA professional before making any decisions related to HIPAA compliance.
Photo Credit: Ernstl via Wikimedia