Intrusion of the Data Snatchers

Sept. 23, 2019
Do automated drug, supply cabinets offer online passage into your IT network?

Back in the late 1980s, several companies rolled out a new wrinkle in the drug and supply storage panoply: Automated drug and supply cabinets/units. At the time they designed these enclosed pieces of dispensing equipment largely to prevent product theft.

In the ensuing years, more companies jumped into the market segment as the primary function of these units expanded beyond preventing theft to include preventing waste and improving inventory tracking. Along the way, one company branched out and deconstructed the original concept, shifting from “closed” access (where you required some type of security measure to open the doors or drawers) to “open” access shelving initially equipped with a button to push once a product was removed, returned or restocked.

Since then, amid mergers and acquisitions, design and technological developments, the manufacturers of these closed- and open-access automated supply units not only have made these pieces of equipment more visually appealing and stylish, but also expanded their justification and utility via linkages to a variety of healthcare information technology systems, including enterprise resource planning (ERP) modules and electronic health/medical records. They’ve also extended their functionality into specialty care areas, such as the cardiac catheterization laboratory, endoscopy, interventional radiology and orthopedics, among others. In short, they’ve transitioned these units closer to a retail model that incorporates bar-code and radiofrequency identification (RFID) capabilities for track-and-trace functionality with a wired or wireless data pipeline throughout an organization.

Unfortunately, such technological advancements open a portal to one of the primary IT challenges of the times: Cybersecurity.

If human hackers and hacking software programs electronically commandeer anything that is connected to an IT system and the internet, including intravenous pumps and patient monitoring devices, they most likely can find their way into these electronic storage units. At least, that’s what all the spy-oriented movies and television shows posit on screen.

If hospitals and other healthcare facilities aren’t asking about the security of these units already, they will and should be doing it.

To learn how secure these hardware- and software-equipped storage units are in the era of cyber incursions and how providers can protect themselves and their patients from illegal and unwanted electronic intrusions that breach privacy and security concerns, Healthcare Purchasing News reached out to senior-level executives at some of the leading suppliers of automated drug and supply storage cabinets.

Machine vs. man

The electronic hardware and software in automated drug and supply cabinets offer a wealth of data on consumption and replenishment patterns and behaviors that if integrated throughout a hospitals information technology network can feed into myriad systems, including electronic health/medical records, billing, scheduling and supply chain. But can these units actually thwart a human- or software-directed “bot” from intruding and meandering unwanted around the network?

Senior executives from three manufacturers say yes.

“Our electronic storage systems are situated behind a hierarchy of security devices, including traditional firewalls, denial-of-service mitigation appliances, and application firewalls that screen for, filter, and alert our technical staff of suspicious activity,” said Thad Mac Krell, CEO, PAR Excellence Systems Inc. Our [Internet of Things] devices and controlling firmware do not store sensitive information but rather encrypt and transmit limited telemetry to our cloud platform over an authenticated channel, where it remains encrypted at rest and protected from external access.

Two other manufacturers talked about the hardening of their operating systems.

“BD’s automated dispensing system, such as the BD Pyxis MedStation ES automated medication dispensing system, runs a hardened operating system that is routinely patched and provides an on-board antimalware solution to protect against malware attacks,” noted Rob Suárez, Vice President and Chief Information Security Officer, BD. “The systems can take advantage of Single Sign-On platforms through Active Directory integration and Lightweight Directory Access Protocol (LDAP) integration support. At the cabinet level, device access is protected through two-factor authentication using biometrics and passcodes. Network connectivity, if done wirelessly, can be protected with encryption (such as, EAP, PEAP, AES, and TKIP). The cabinet hardware itself is designed with tamper proof drawers and will alert a Pyxis administrator if a bypass is detected. All Pyxis MedStations and Pyxis ES Servers are protected with antimalware software, which is routinely updated and is remotely monitored by BD Server technical support.”

Omnicell uses a layered security approach for its automated dispensing systems, according to Max Safai, Chief Development Officer, Omnicell Global Engineering.

These are security hardened kiosk systems — similar to ATMs — which differ significantly from general purpose workstations in that they present a limited interface to allow users to perform a restricted set of tasks, while restricting access to the underlying system and file system, Safai explained. “This design also prevents typical cyberattack vectors such as malware infection via browsing the internet or opening email attachments. In addition, Omnicell also security-hardens these systems at the Operating System level by installing only features/applications required for operation of the system and blocking unused network ports, protocols and services, thus thwarting network-based attack vectors.”

Omnicell also encases the units to prevent device insertions. “At the hardware level, these systems do not have exposed ports such as USB to prevent unauthorized installation of software or malware,” Safai continued. “This design has proven to be very effective and we’ve seen cases where other hospital systems were infected by Ransomware, yet the Omnicell Automated Dispensing Systems successfully withstood those attacks and were not infected.”

Closing the door

Short of firewalls and other security software measures built into the system framework, provider end users can and should implement their own protocols to model and reinforce human behaviors.

“Training and awareness are needed, not just for hospital IT, but also for clinicians to improve medical technology security,” insisted BD’s Suárez. “In addition, clinics and hospitals have been known to segment medical technology from other hospital IT systems, as an additional precaution. Further, requiring two-key cabinet access is another security measure that has proven to be effective. In any event, clinics and hospitals need to employ constant vigilance and situational awareness by clinicians to spot what could be the compromise of a system or data, know how issues are to be reported, and ensure preparations are in place to respond immediately in a manner that minimizes the disruption to patient care.”

Omnicell employs a “risk-based approach using NIST’s Risk Management Framework to security-harden” automated drug and supply cabinets, according to Safai. NIST stands for the National Institute of Standards and Technology (https://www.nist.gov/), a federal agency in the Department of Commerce that explores innovation, sets standards of practice and shares technological developments.

As part of “Data At Rest” protection, Safai said, “the hard drive of these systems is in a locked enclosure and is not accessible. In addition, the disk is encrypted on these cabinets. Omnicell XT automated dispensing systems use TPM (Trusted Platform Module) chips on the motherboard to store encryption keys. So in the event a disk is misplaced/stolen/removed from the cabinet, that disk becomes unusable (i.e., data cannot be read). Data in transit is encrypted end-to-end to prevent ‘Man In The Middle’ attacks. Omnicell provides several roles and privileges to assign users only to specific role or to a specific unit or area. Omnicell extensively logs all access and customers can run periodic reports to review user access. And as mentioned previously, the kiosk system with touch screen user interface ensures no access to desktop or Operating System components, as well as the file system.”

Meanwhile, PAR Excellence takes something of an arm’s length-lone wolf approach.

“Our storage cabinets and enclosure hardware operate on isolated networks and require users to authenticate using personal identification numbers and keycards encoded with unique credentials before physical access is granted,” Mac Krell noted. “Electronic access controls can be completely disabled without compromising function. Like our other IoT devices, these units do not store sensitive data.”

Mac Krell cites his company’s latest product offering as a classic example. “Whether installed in our controlled-access cabinets or simply on the wall or shelf, PAR’s suture scales are our next-generation product and they transmit and store information outside of the hospital network,” he said. “This new offering uses state-of-the-art encryption technologies to ensure security of information in transit and while at rest. These were responsibilities of the hospital network/IT staff in previous versions of PAR products.”

Negotiating room

With the onset of cybersecurity threats from hacking and other unwanted intrusions, healthcare organizations increasingly are working cybersecurity protection demands into their contracts with product and purchased service suppliers. All three senior-level executives recognize the momentum.

“Cybersecurity is increasingly becoming a discussion topic during our sales process,” indicated Omnicell’s Safai. “Many of our larger customers or IDNs have a dedicated ISA (Information Security Agreement and Interconnection Security Agreement) section included in the contracting process. Many customers also routinely send questionnaires which not only require documentation of product security, but also details about cybersecurity hygiene, how the company handles Security Awareness training and proof of cybersecurity insurance. Omnicell has a record of meeting the highest cybersecurity requirements from our Federal customers such as Department of Defense. It is interesting and encouraging to see other organizations incorporating cybersecurity requirements in their contracting process.”

PAR Excellence tries to make it easier for its customers, according to Mac Krell.

“Provider customers are invariably and increasingly interested in our security competencies and commitment to safeguard their data,” he said. “Security policies established by our provider customers can be excerpted and incorporated into our contractual obligations. This response addresses provider concerns and complements our rigid standards for data privacy and protection.”

BD recognizes the “uniqueness” of each customer’s security needs, Suárez noted.

“We strive for cybersecurity by design, in use, and through partnership with our customers, cybersecurity researchers, and regulators,” he said. “This approach allows us to ensure that we develop secure products, identify present risks, communicate with our customers in a timely manner about new risks as they are identified, and provide remediation guidance through what is called Coordinated Vulnerability Disclosures (CVDs).

“A customer’s security needs are unique and can be based on a variety of different factors including facility size, how well integrated the IT infrastructure is throughout the health system, EMR provider, how medical devices ‘interact’ with one another, to name a few,” Suárez continued. “An example of a specific customer need from an infusion perspective is simply looking for opportunity to simplify and reduce the number of interactions with the device when authenticating users as well as leverage multifactor authentication to avoid cumbersome passwords. As part of the purchasing decision, customers are increasingly asking for these types of capabilities from medical technology vendors and the products themselves.”