Chapter
Nov 14, 2023

Assessing the Risk of Healthcare Facilities to Industrial Control System Cyber Vulnerabilities

Publication: ASCE Inspire 2023

ABSTRACT

Vulnerabilities in healthcare equipment and medical facility infrastructure (mechanical, electrical, plumbing, and control systems) provide an opportunity for loss of business operations and possibly a severe impact to patient care activities. Upon a review of the published literature, cybersecurity vulnerabilities appear to be a secondary concern to facility managers, engineering design professionals, and contractors. This is likely due to siloed approaches amongst multiple stakeholders during the design, construction, and operation of healthcare facilities. This paper will utilize a mixed-methods approach to analyze quantitative survey results and qualitative interviews focused on medical facility infrastructure systems and will present feedback from a group of design professionals, contractors, and healthcare facility owners/operators. In turn, we aim to inform stakeholders regarding best practices used across industry to harden control systems in healthcare facilities.



ASCE Inspire 2023
Pages: 250 - 257

History

Published online: Nov 14, 2023


Authors

Affiliations

Josh R. Aldred, Ph.D., P.E.
Dept. of Civil and Environmental Engineering, United States Air Force Academy, CO.
Sean M. Mulholland, Ph.D., P.E.
Dept. of Civil and Environmental Engineering, United States Air Force Academy, CO.
