Alleged HVAC Hack Shines Spotlight on OT Risks to Healthcare
ENE Systems hack said to affect 3 Boston Hospitals
A hacking incident that reportedly targeted ENE Systems, a Massachusetts-based company that provides HVAC systems to several Boston-area hospitals and other customers, shines a spotlight on the growing cybersecurity risks involving IoT devices and OT equipment.
Call to Action
Perhaps the most high-profile incident involving an HVAC hack was the 2013 Target breach. It resulted in 41 million customers’ payment card details being compromised and contact information for more than 60 million customers being exposed. In that incident, investigators say attackers accessed Target’s gateway server through credentials stolen from a third-party HVAC vendor.
But in healthcare, the risks posed by IoT and OT hacks are potentially more dangerous. The impacts aren’t just slowed processes or hot rooms but may result directly in injury or death to a patient. Healthcare is 24/7, and facilities must maintain temperature, pressurization, humidity, lighting, life safety, and security.
Failures of the OT devices that control these and other building functions will have an impact on patient care. Hospitals must therefore take measures to secure their OT devices so that they are not compromised or rendered unusable during a cyberattack.
As industrial systems become more connected, they become more exposed to vulnerabilities, threats, and attacks, and a compromised device may still have access to the rest of the production network.
Third-Party Risk
The alleged incident involving ENE Systems and the variety of other supply chain incidents seen over the last year also highlight the importance of organizations developing and implementing a third-party risk management program in order to properly assess and verify the security postures of vendors.
Organizations need to incorporate business partner risks into purchasing decisions and contract renewals. Be open to evaluating other options if the information security risk is untenable. This should include ensuring that contract language is specific in business partner agreements, spelling out who is responsible for what in terms of security, security SLAs and other minimum security requirements.
‘Zero Trust’
This incident also illustrates the need to design network and security architectures on the assumption that any device can be compromised at any time. No system can ever be made 100% secure; eventually, something will be compromised. A “zero trust” approach treats no system on the network as trusted by default: communication between systems is permitted only where it is explicitly needed, in the direction it is needed. A compromised HVAC controller should not give an attacker a path to the EHR or other critical systems, and a zero-trust architecture helps to ensure that.
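The zero-trust point above, as an added example that is not part of the original article and not ENE Systems’ or any vendor’s code: a small reachability check that answers the question a practitioner actually asks of a segmentation design. Starting from a compromised HVAC controller, which hosts can an attacker reach, directly or by pivoting through hosts the policy lets the controller talk to? The inventory, segment names, ports and policy rules are constructed for illustration; the three policies compared are a flat network, a default-deny allow-list, and the same allow-list with one “convenience” rule added.

```python
"""Lateral-movement reachability over a segmentation policy.

Added example (not from the article, not ENE Systems' or any vendor's code).
Device inventory, segment names, ports and rules are constructed for illustration.
"""
from collections import deque

# Constructed inventory: host name -> network segment. IT, OT and building IoT are
# all listed, because every reachable host is a potential pivot.
DEVICES = {
    "hvac-ctrl-01": "bms",
    "bms-server": "bms",
    "ip-camera-07": "physec",
    "badge-reader-03": "physec",
    "ehr-app": "clinical",
    "ehr-db": "clinical",
    "vendor-vpn-gw": "vendor",
    "staff-laptop": "corp",
}

CRITICAL = {"ehr-app", "ehr-db"}

# Allow-list rules as (source, destination, port). Source and destination may name a
# segment or a single host. Anything not listed is denied, including traffic inside
# a segment, and each rule is one direction only.
ZERO_TRUST = {
    ("vendor", "bms", 47808),        # vendor VPN reaches the BMS segment (BACnet/IP)
    ("bms", "bms", 47808),           # BMS server and controllers talk BACnet
    ("corp", "clinical", 443),       # staff workstations use the EHR web front end
    ("clinical", "clinical", 5432),  # EHR app to its database
    ("corp", "physec", 443),         # security desk views cameras
}

# Same policy plus one rule so the BMS server can drop reports on a corporate file
# share. Harmless-looking in isolation; the reachability check shows what it opens.
LEAKY = ZERO_TRUST | {("bms-server", "corp", 445)}


def _matches(selector, host):
    """A rule selector matches a host by name or by the host's segment."""
    return selector == host or selector == DEVICES[host]


def can_talk(policy, src, dst):
    """True if policy permits src to open any connection to dst.

    policy=None models a flat network with no segmentation. Any allowed port counts:
    once an attacker owns src, every service exposed on dst is an exploitation
    target, so reachability is modelled conservatively.
    """
    if src == dst:
        return False
    if policy is None:
        return True
    return any(_matches(s, src) and _matches(d, dst) for s, d, _port in policy)


def reachable(start, policy):
    """BFS over hosts. Returns {host: path_from_start} for every host the attacker
    can reach by pivoting through hosts already reached."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in DEVICES:
            if nxt not in paths and can_talk(policy, cur, nxt):
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    return paths


def exposed_critical(start, policy):
    """Critical systems reachable from start, with the pivot chain for each."""
    paths = reachable(start, policy)
    return {h: paths[h] for h in sorted(CRITICAL) if h in paths}


if __name__ == "__main__":
    for name, pol in (("flat", None), ("zero-trust", ZERO_TRUST), ("leaky", LEAKY)):
        hit = exposed_critical("hvac-ctrl-01", pol)
        chains = {h: " -> ".join(p) for h, p in hit.items()} or "none"
        print(f"{name:10s} critical systems reachable from hvac-ctrl-01: {chains}")
```

Under the flat model the controller reaches the EHR directly. Under the allow-list it reaches only the BMS server, and it cannot reach the vendor gateway because that rule runs the other way. The leaky variant shows the failure mode that matters in practice: a single rule from the BMS server to the corporate segment, combined with the legitimate corp-to-clinical rule, gives the chain hvac-ctrl-01 -> bms-server -> staff-laptop -> ehr-app, none of whose individual hops looks wrong on its own. Running this kind of transitive check against the real rule base, rather than reviewing rules one at a time, is how the “compromised HVAC controller should not reach the EHR” requirement gets verified.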
Managing All Devices
A comprehensive security strategy must encompass all managed, unmanaged, or industrial IoT devices in the enterprise — from the bedside to the executive suite. In an interconnected environment, you can’t secure OT until you secure IT. The security platform should work for all industrial control systems and other kinds of devices common to the enterprise, such as HVAC systems, IP security cameras, fire alarm systems, building access management systems, switches, firewalls, wireless access points, printers, and more.
As we move to a more connected environment, the risk to all organizations also increases. If you have questions about your IT security, call ITPAC today.