If the HVAC shuts down in a healthcare facility due to a cyber attack, where do you turn? Who can help if the vendor who installed the HVAC was itself the victim of the same attacker?
Cyber attacks come from all directions, and sometimes from the strangest places. A children’s hospital in Boston recently learned that it had been hacked by a cyber thief who reached it through a third-party HVAC vendor. The cyber thief captured schematics and wiring diagrams of the hospital by breaking into the vendor’s systems and stealing customer data. Sensitive information like this might allow a criminal to shut down hospital alarm systems and tamper with HVAC settings.
Thankfully, the worst outcome didn’t happen this time, and systems were not shut down as far as we know.
An Intermediary Steps Up
The cyber thief apparently was unsuccessful at extorting money from the HVAC vendor, and claimed they were not interested in harming a children’s hospital, so they contacted a blogger at databreaches.net to alert the hospital of the breach. The cyber thief remained anonymous.
The vendor is ENE Systems in Canton, Massachusetts, a company that advertises that it helps businesses with their “complex building automation and security systems to provide a comfortable safe environment…” There are three hospital clients listed on their website: Boston Children’s Hospital, Brigham & Women’s Hospital, and Mass General Hospital, all part of Harvard.
The Databreaches.net blogger described the back and forth with the cyber thief and explained:
The understanding was that this site would be contacting the hospital to make sure that they knew they had been breached via remote access from the vendor so that if the vendor had not informed them of the breach, they could take steps to protect themselves from other attacks.
The blogger alerted a Boston area healthcare security professional, asking that they in turn notify Boston Children’s Hospital about the breach, and provided proof – screenshots of the schematics and wiring diagrams. The databreaches.net blogger chose not to publish any of the schematics because they could not evaluate the risks to the hospital of doing so.
The Internet of Things Carries Security Risks
Modern life is so much more convenient with the internet able to connect workstations to security systems, HVAC systems, and our phones. But all of that data travels over the internet, which exposes it to cyber crime.
The risks are severe in healthcare, with patients relying on electricity and smoothly operating HVAC at the right temperature and pressure in patient rooms, the ER and surgery. Hacked systems could lead to injury or even death.
It is critical for organizations today to evaluate security with all of their third-party vendors. When a covered entity’s vendor is a business associate, HIPAA rules automatically apply. The covered entity should have a business associate agreement in place, and should conduct due diligence by asking questions about the vendor’s commitment to HIPAA. HIPAA Risk Management requires both.
An HVAC vendor is likely not a business associate. Still, a vendor’s commitment to security is critically important to every organization, and especially in healthcare. The best way to minimize the risks is to have a strong third-party risk management program.
Attacks on vendors easily become breaches and security problems for their customers. So all vendors should be challenged to prove their commitment to defending against and preventing cyber crime.