How does hospital IT security compare to industrial automation control system security? Let's take a look.
When choosing security best-practices for writing the medical device security standard IEC 81001-5-1:2021, we the authors often looked at different disciplines and couldn’t help considering the IEC 62443 series as the main source of input. In fact, we even created a mapping that shows coverage between IEC 62443-4-1 and IEC 81001-5-1.
From a somewhat abstract perspective, we found several similarities when comparing hospital IT security to plant automation security:
- Machine lifetimes are much longer than in the world of consumer electronics and enterprise ICT: medical devices often contain expensive and reliable hardware components, so users typically want to keep using them for many years
- Networks in hospitals are segmented and, to some extent, reflect the organization (not to say the “workflow”) of the hospital
- Availability of medical devices is the primary concern, ahead of integrity and confidentiality, so the “CIA” triad rather reads “AIC”, as safety is one of the key properties. This means that hastily installing the hottest security fix without looking at the performance/functionality impact is not always the best idea
- The need, for interoperability reasons, to support legacy protocols and missing or outdated authentication and access control mechanisms
- Most medical devices cannot be patched or changed by the hospital; they are under tight (remote) control of the supplier or a qualified third-party service provider
- Site-specific programming: Medical devices—or more precisely, their integration connectors into hospital IT networks—seem to be the favorite playground for IT admins, medical researchers, medical tech experts and device service staff. This means: 1. The adventure-filled tales of experienced service staff about what they see users doing with a networked device have little in common with what the designers thought it was good for. 2. When manufacturers do IT risk management for their device, the scope of what they must include as a “reasonably foreseeable” scenario is often stretched to the limits of imagination.
Sound familiar? Welcome to the world of Operational Technology (OT)—which provides reliable services and brings life to most critical infrastructures—but is mostly hidden from the eyes of the public and the regulators.
But hospital IT networks have further challenges:
- Many component vendors: HIMSS (the US-based Health Information and Management Systems Society, see HIMSS.org) once published a figure of about 200 suppliers for networked equipment in the average US hospital. So vendors of new components have to see how their device (and its security) fits into the existing landscape—dictating certain formats or protocols is not possible
- Hospitals just produce data—well, in the sense of reimbursement: Hospitals do not produce goods they can sell; instead, what they can be reimbursed for sits patiently in some permanent storage. All revenue depends on the availability of that data
- Sensitive, protected data (GDPR, HIPAA): Most of the data collected, stored and processed by hospital computer systems is highly sensitive in the sense of applicable privacy legislation
As a result, any security legislation intended to protect the needs of users, patients and professionals had better consider the procedures and methods that are already established best practices in OT security.
Now with IEC 81001-5-1 and many members of the IEC 62443 family being published and considered state-of-the-art, we found that legislators mainly address the IoT/consumer protection goals and priorities. Perhaps it is time to join forces when explaining the importance of OT and the security needs in the domain of OT.