OR Manager - April 2020 - 14

Safety/Quality
Continued from page 13
other new strategy. Attackers take over
the devices connected to the network,
holding the devices and data hostage
through encryption.
" Since only the attackers know the
decryption key, they demand the healthcare
system pay a certain ransom before
they will decrypt the data and allow
the hospital to resume normal operation, "
Patel says.
Email phishing campaigns have also
picked up steam in recent years. In an
example scenario, " a hospital administrator
receives a specially crafted malicious
email with links to a malicious
page/script that can then be used to
scour important information like an administrator's
login credentials or other
important data, " Patel says.
Crooks can impersonate third-party
emails, posing as a vendor or business
partner looking for a wire transfer or
to change an accounting number for a
payment. Such breaches can cost hundreds
of thousands of dollars at a time.
" The FBI has been investigating these
cases due to their increasing frequency
and impact, " says Levy.
What are the vulnerabilities in
your OR?
To date, there haven't been many reports
of targeted attacks on ORs. Vulnerabilities
do exist, however, Patel
cautions. " Sooner or later, they will be
leveraged for malicious purposes, " he
predicts.
OR-specific vulnerabilities typically
depend on the type of connected device
and whether the OR network has a separate
firewall. Devices such as legacy
infusion pumps, which rely on add-in
connectors for connectivity, " have had
a major chunk of vulnerabilities discovered
in them, " Patel says.
Problems can occur when a device
suddenly malfunctions, risking patient
safety, says Lerman. Many OR technologies
are very basic and weren't built
14
OR Manager | April 2020
with cybersecurity in mind. Unlike the
systems installed on laptops, " most of
these devices aren't protected by traditional
security controls, such as antivirus
software, " making them vulnerable
to cyberattacks, he says.
The da Vinci surgical system, for
example, which involves the use of a
remote precision instrument, may not
have an authenticated connection to
the OR. Lerman says he has seen
cases in which hackers gain unauthorized
access to this instrument. " This
allows them to remotely move the blade
of the robot. "
Motivations for causing harm during
a procedure may vary-the hacker may
view this as a challenge or " power trip, "
or may want to take the robot hostage
to claim ransom for financial gain.
Terrorism-causing deliberate harm
to a patient-may be another reason.
" Hospitals depend on those devices
to provide patient care, and they'll be
willing to pay a lot of money [to avoid
harm], " Lerman says.
Anesthesia machines in the OR are
another vulnerable hot spot, he adds.
In one facility, a device underwent a
Windows update and rebooted during a
procedure. As a result, the patient woke
up in the middle of the procedure. " The
machine stopped working, and they had
to restart the procedure, " Lerman says.
Although this involved a configuration
incident rather than an outside threat,
it exemplifies a weakness in the system
that presents an opportunity for a
hacker. " The IT staff of this particular
hospital weren't on top of things. During
procedures, you want to make sure that
no automatic updates take place. Hospital
managers should be asking IT staff
these types of questions: When do the
updates take place? Are they connected
to the internet? Is the antivirus software
getting any updates? " he says.
Music is often played during surgical
procedures, and even music could
increase vulnerability to an attack, Levy
notes. If the device playing the music
A cybersecurity
checklist for OR
managers
Sagar Patel, a research scientist
and software engineer at Battelle
Memorial Institute, headquartered in
Columbus, Ohio, says OR managers
can consult with hospital information
technology (IT) staff to ensure
security in several ways:
➤separation of networking from the
regular hospital network
➤additional firewalls between the
OR network and hospital network
so that if the hospital network is
breached, the OR network won't
be impacted
➤access control/authentication for
healthcare providers who interact
with OR equipment
➤a Network Intrusion Detection
and Prevention System to protect
against denial of service attacks
➤education to make healthcare
providers aware of typical
cybersecurity attack symptoms
and the need to report suspicious
device behavior
➤collaboration with medical
device manufacturers whose
devices reside in the OR to
ensure updates and alerts
for vulnerabilities reported in
the devices as well as regular
patching for devices with software
update capabilities.
is on the same network as an infusion
pump or other critical medical device,
that introduces more risk into the system.
In these cases, it's important to
have a separate network for such devices,
he says.
Be proactive
Historically, facilities have viewed cybersecurity
as more of a technical than a
www.ormanager.com
http://www.ormanager.com
OR Manager - April 2020

Table of Contents for the Digital Edition of OR Manager - April 2020
