Industry Perspectives

PICC Your Battles: Securing Emergency Field Hospitals and Temporary Medical Spaces

As hospitals and emergency medical facilities scramble to expand patient capacity and testing spaces due to the COVID-19 pandemic, it is crucial that these organizations manage the information security risks that field hospitals and temporary medical spaces can introduce. These non-standard spaces, such as additional treatment facilities in triage tents or drive through testing centers, are exposed to both physical and cyber threats and pose their own unique set of risks. There is currently no governmental guidance or industry standard on how to best secure and manage cyber operations in these types of temporary facilities.

FireEye Mandiant has significant experience working with healthcare providers and has formulated an approach to help organizations analyze and tailor a plan of action to meet their own needs: Prepare, Isolate, Communicate, Command (PICC). This is neither a definitive framework nor a chronological process flow; instead, it is an easily digestible collection of controls and reference information to help organizations conceptualize and analyze their own approach to securing non-standard healthcare facilities. This collection of controls assumes the field hospital or temporary healthcare environment exists outside the confines of traditional hospital buildings or working spaces and is calculated for non-traditional risks and missing or sub-standard protections.


Prepare

Preparation has always been the cornerstone of cyber security; most of us spend our entire careers preparing for that one bad day that turns into a few bad months. While some organizations are already in the advanced stages of setting up field hospitals, the concepts noted here are still applicable and can be merged into existing processes. For those with the luxury of time, discussing and addressing these concepts now will enable execution of a purposeful, tailored plan when it is needed.

Master the Basics

Ensure the organization’s fundamental incident response documentation is in order.

  • At a minimum, a documented Incident Response Plan that has been socialized with core Cyber Security Incident Response Team (CSIRT) members is essential to effective incident management.
  • Playbooks are an indispensable tool to help guide analysts through effectively triaging an incident. Standard playbooks tailored to host, network, and medical device investigations will prove to be helpful. In particular, make sure playbooks are included to address:
    • Stolen equipment
    • Rogue device connected to the network
    • Compromised account
    • Mass password reset
  • If a hospital has shifted to operating under the Hospital Incident Command System (HICS) or has plans to do so, then guidelines should be drafted for how a CSIRT should operate within this structure since resource assignments and reporting structures are likely to change under HICS. Check out these resources to learn more about HICS
    • Within HICS, IT and IT Security often report to the Logistics Section under the Support Branch Director or similar titles. However, the individual occupying this role may not be savvy in capabilities, timelines, and requirements associated with deploying information technology effectively and in a secure manner. Consider identifying and briefing these individuals prior to the activation of HICS.
    • The hospital’s implementation of HICS may prescribe an operation and planning tempo for discussing tactics and hardships regarding the emergency. The CSIRT incident response process should align with the HICS planning tempo, so that CSIRT incidents can be communicated clearly to the HICS section leads.

Collect a full asset inventory of information technology assets and connected medical devices that will be deployed to the temporary medical space. This asset inventory should be used to:

  • Track accountability of devices and ownership responsibility
  • Ensure all device and security technology logs are aggregated and correlated in a Security Information and Event Management (SIEM) system
  • Prioritize or deconflict alerts
  • Report incidents or anomalies
  • Implement more comprehensive AntiVirus (AV) and Endpoint Detection and Response (EDR) policies or host protection/enforcement rules
  • Setup custom alerting groups or rules in the SIEM

Standardize configurations for deployable endpoints and back office equipment. This includes operating systems, installed software, and hardening efforts. Standard configurations optimize the CSIRT’s ability to isolate threats and replace compromised equipment quickly. Amidst standard configurations:

  • Consider software license limitations as additional workstations will need to be built to outfit the temporary work locations,
  • Design network architecture to balance the ability to isolate assets while easily moving and replacing equipment, and
  • Develop hardened “gold” images from which to build new assets quickly and securely.
    • If available, gold images deployed on thin clients or Virtual Desktop Images (VDI) provide identical function with a reduced local data footprint.
Start Fresh

Given the more open and insecure nature of field hospitals, and the fact that downtime for regular maintenance and upgrades may not always be feasible, it is important that devices be fully hardened prior to deployment.

  • Scan devices for vulnerabilities and patch to latest stable and tested versions prior to deployment, including all information assets, medical devices, and networking equipment.
  • Enforce full disk encryption on all deployed information assets.
  • Ensure default passwords on devices are changed. In the event of hardcoded passwords on medical devices, restrict access to the device, assess impact to patient care if the device is operated in fail-safe modes, and regularly monitor device activity for unauthorized use.
  • Ensure hosts are not deployed with cached administrator profiles or NTLM hashes.

Ensure mobile devices are managed by Mobile Device Management (MDM) solution enabled with device encryption and remote wipe capabilities.

Anticipate Disruption

Aggressively maintain backups and configurations for all systems. New and chaotic environments will require many adjustments to fine tune operations. Mistakes are inevitable, and a robust system of backups will help quickly recover from any operational mishaps. Mandiant has noted an uptick in ransomware attacks actively targeting the healthcare sector and up to date backups will help expedite recovery after a ransomware attack.

Prepare replacement devices for critical systems to limit disruption to operations. Devices in a field hospital are more prone to hardware failure due to environmental irregularities. Preparing standby devices will ensure quick recovery and increased availability. If replacement equipment is not already in inventory, investigate acquisition of the equipment as soon as possible to preempt supply shortages or logistical delays.

Have retainer agreements in place with vendors to provide specialized surge support. Information security resources are likely to be pulled into the HICS structure leaving some gaps in daily operational duties. In the event of a major incident or supplementary disaster, the remaining skeleton crew of personnel may encounter difficulties adequately managing incident response or disaster recovery efforts. On-demand retainer agreements will make it easy to scale capabilities to fit current needs.

Prepare a procedure for quickly validating user credentials and resetting passwords to prevent delays from triggering standard lockout policies or forgotten passwords. Consider leveraging the field hospital site manager or another well-known entity that the help desk can trust to provide on-scene user authentication and priority support. If possible, prepare a self-service portal for password resets. If using Microsoft Office 365, enabling password synchronization allows Office 365 to act as a self-service portal. Furthermore, consider a potential need to change all passwords for field hospital personnel and service accounts in case of a site compromise and plan for how to effectively accomplish the task without affecting patient care.

Isolate

The field hospital should be peripherally treated as its own external entity and untrusted network. While interconnections to the main hospital environment will be required, robust safeguards should be put in place to protect against unwanted activity.

Trust No One

The field hospital network should be separate network(s) with access controlled through various mechanisms (e.g. Firewalls, ACLs, VLANs) depending on the available equipment. This network segmentation will function as an additional layer of security and a choke point for monitoring and restricting lateral movement from the field hospital network.

  • All egress traffic from the field hospital network(s) regardless of destination including to the main hospital network or public internet should pass through a network security technology stack (e.g. Firewall, IDS/IPS, Proxy, CASB, etc.) that is consistent with the enterprise standard in place.
    • Note that running field hospital traffic through an on-premise proxy may require a finely tuned proxy setup with a separately configured Proxy Auto-Config (PAC) file. If available, using a cloud proxy can help to expedite the deployment and configuration of this proxy.
  • Ingress rules into the main hospital environment should be restricted to only permit network traffic that supports a business or operational need.
  • Separation of traffic into multiple purpose-built networks (e.g. Corporate, Guest, VoIP, Biomedical) is preferred.

If the organization is already setup to perform Network Access Control (NAC) with 802.1X, then extend this standard to the field hospital environment to add an additional layer of physical authentication security.

  • If devices are unable to support 802.1X, then MAC Authentication Bypass (MAB) can be used to pass the MAC address to the RADIUS server for authentication. This is useful for devices without a full OS such as printers and scanners, but note that this authentication method is vulnerable to MAC spoofing. By default, MAB will only support a single device per switchport. If the switch detects any additional MAC addresses, it will trigger a security violation.
  • If 802.1X is wholly unavailable or untested, then Port Security can be enabled on most Cisco switches with static and/or dynamic MAC address lists. Using port security is considered sub-optimal as it does not scale well, but it should suffice for a temporary field hospital environment. Be aware that this option will increase overall device management overhead.
  • If wireless is being used in the field hospital, care should be taken to secure how assets connect. Even simple controls such as hiding the SSID can help dissuade opportunistic attackers. For more mature network teams, identity-based network administration can streamline management and security of network access.
Harden Identity Management

Where possible, prioritize the use of cloud directory services for authentication and authorization of user identities.

  • If cloud directory services are unavailable, consider deploying a read only Domain Controller (DC) to the field hospital facility. Deployment of a local read only DC will help prevent network disruption from slowing medical support.
    • Any DC that is locally deployed should ideally be configured with a Trusted Platform Module (TPM), encrypted at the drive level, and be monitored for local logon.
    • Password replication for locally deployed DCs should be limited to field hospital staff only. In the event that the DC is compromised or stolen, this will limit the scope of compromised hashes.
    • More information on reducing the attack surface of directory services can be found on the Microsoft website.

Configure unique local administrator usernames and passwords for all field hospital systems. Compromised shared local administrator accounts can lead to an attacker accessing many additional resources from a single system compromise. Microsoft's Local Administrator Password Solution (LAPS) is one method to centralize the local administrator account management on these systems and help mitigate the risk. Check out the Microsoft website for more information on LAPS

Reduce the use of privileged service accounts in the field hospital environment. Windows service accounts often possess excessive privileges on par with local or domain administrators. Where possible, Group Managed Service Accounts should be leveraged instead. Check out the Microsoft website for more information.

  • Ensure service accounts are purpose built for specific tasks and not commonly used among disparate applications and systems.
  • Restrict service account permissions to minimal functional levels.
  • Document service account usage to deconflict alerts and traffic generated in the field hospital environment.
  • Document procedures, for each service account, on how to change its password.

Implement Multi-Factor Authentication (MFA) for all internet facing and critical internal services/hosts used by field hospital staff.

  • Ensure adequate tokens and provisioning instructions are available to support surge in field staffing.
  • Ensure alternate secondary authentication or recovery methods exist to preempt disruption due to failed or locked user tokens.

If the organization is currently using Office 365 or on-premise Exchange for mail, ensure that Basic (Legacy) Authentication protocols are disabled. Basic authentication can allow an attacker to bypass MFA enforcement and gain access using only a username and password.

Secure the Area

Physically securing information assets becomes a higher priority than is normally seen in the enterprise due to the more accessible and unpredictable nature of a field hospital environment.

  • Ensure onsite server and networking equipment is stored in a locked, and if possible, climate-controlled cabinet away from general user and patient population.
    • Access to equipment for change and maintenance should be logged and approved by the field hospital site manager. Site security should be kept aware of sensitive areas and equipment to monitor for potential tampering.
  • Wireless access points should be placed out of reach or similarly protected from physical access.
  • Ensure unused network interfaces are disabled, paying particular attention to networked devices without full OS protections such as VoIP phones, printers, etc.

Considerations should be made to protect against social engineering and passive reconnaissance methods. Aggressive screen timeouts should be enabled, and hardcopy media should be stored in locking shred bins prior to final disposal.

Configure Secure Networking

Wi-Fi can provide simplified network deployment with a reduced equipment and cabling footprint. However, precautions should be taken to reduce exposure and risk.

  • Wireless radio power should be tuned to broadcast signal to the perimeter of the field hospital area. Excessive signal transmission may expose the wireless network to unwanted or malicious actors in public spaces.
  • Avoid the use of WPA-PSK (Pre-Shared Key) authentication. PSK best practice requires rotation of keys after departure of personnel as knowledge of the key can be used to gain access after termination. A cracked PSK would put all hosts authenticated with the same key at risk.
    • Appropriate transit security should be used with Wi-Fi or Ethernet. Security guidelines for Wi-Fi are to implement WPA2-AES with EAP-TLS or better authentication protocols. EAPoL (EAP over LAN) is available for supported wired connections. Check out this website to learn more about the EAP-TLS standard.
  • If guest networks are extended to field hospital environments, ensure guest wireless access for patients and family is isolated from operational wireless networks. Guest access should be provided through a captive portal conducting individual authentication and tracking.
  • Ensure the wireless controller is not reachable from the wireless network. Wireless controllers should be managed from the wired network and access controlled to prevent unwanted access.
  • Ensure any unused or test networks are removed from the wireless controller prior to deployment.
  • If NAC is unavailable, develop a process to discover rogue access points and devices. This can commonly be accomplished with a Wireless IDS (WIDS). If a WIDS is unavailable, a SIEM rule can be used to correlate wireless controller authentication logs against an approved host list. 
Disable Services

Unnecessary services should be disabled to reduce the number of tools and techniques available for a potential attacker to leverage. While not an exhaustive list, possible key services to disable include:

  • USB Removable Media: An initial analysis should be performed to determine which systems, if any, require the use of USB in order to maintain continuity of operations. All other systems should have USB disabled to protect against malicious autoruns, .LNK files and other malware. Most recently the FBI released a flash briefing reporting that FIN7 (also referred to by some vendors as the Carbanak Group) used USBs flash drives mailed via The US Postal Service to infect target organizations.
    • Mounting of USB file systems can be disabled using a GPO to apply the administrative template Removable Storage Access -> All Removable Storage access: Deny All Access.
  • WDigest Authentication: While WDigest is disabled by default on Windows OS 8.1 and higher, it is still exploitable on many versions of Windows to obtain clear-text passwords stored in memory. Many older Windows 7 hosts and embedded OS medical devices may be susceptible to this type of password harvesting.
  • Windows Script Host (WSH): WSH is a native Microsoft automation technology that provides some rudimentary scripting functionality. Attackers often leverage WSH to execute malicious. VBS files found in weaponized phishing documents.
  • Link Local Multicast Name Resolution (LLMNR): LLMNR is a broadcast protocol based on DNS to perform name resolution without needing a DNS server. Having LLMNR enabled makes devices vulnerable to Man-in-the-Middle (MITM) and name resolution poisoning attacks.
  • NetBios Name Service (NBT-NS): Similar to LLMNR, NBT-NS identifies systems on a local network by their NetBIOS name. It can similarly function as an alternative to DNS. Both LLMNR and NBT-NS are subject to the same kinds of MITM and poisoning attacks.
  • SMBv1: SMBv1 is an extremely vulnerable network protocol often used for lateral movement. SMBv1 is most notorious for its widespread use in ransomware campaigns (e.g. WannaCry, NotPetya, TrickBot). If the organization has not yet disabled SMBv1, take time to determine which systems are still leveraging this protocol. More information about disabling SMBv1 can be found on the Microsoft website.
  • Host to Host Communication – There are several additional protocols and services that can be leveraged by attackers that are also commonly used to support operational needs. An environmental assessment should be performed prior to disabling or blocking these services in the field hospital environment (RDP, SSH, WinRM, PowerShell, RPC Endpoint Mapper, and Remote File Copy). Once an assessment has been performed, these services and protocols can easily be blocked between hosts using the native Windows host firewall.
    • If PowerShell is determined to be essential to the field hospital environment, ensure hosts are running PowerShell v5 or higher in order to obtain adequate logging.

Communicate

Effective communication during crisis scenarios is an often undervalued and unpracticed skill. While most medical organizations will likely have a crisis communication plan to reference in uncertain times, it is important to be aware of distinct points to prevent breakdowns or gaps in information channels.

Collaborate

During widespread events, Hospital Incident Command (HIC) will likely have established relations, situational reports, and information sharing within the community, local government, neighboring hospitals, and response agencies. It is important to ensure that information security communication discussions have started to share intelligence among these organizations to dynamically respond to changes in the local threat landscape as they arise. All information security communications to and from these organizations should be vetted and received through the HIC structure.

Similarly, irregularities and anomalies in field hospital environments discovered by the Security Operations Center (SOC) should be reported to HIC regardless of severity to ensure a complete understanding of the field hospital’s operational condition.

Educate

Disruptive situations can reduce morale and increase stress, leading to adverse behavior among patients, family, staff, and the general public. It is important keep personnel educated to look for signs of tampering, social engineering, or other malicious activities and report them immediately to the site manager for further investigation.

Ensure educational materials around both public health and HICS activation are available to all personnel. This will help personnel understand the business and safety rules required to support current operations.

Under HICS there will be a wide range of personnel from varying backgrounds and specializations. As security events arise, it will become essential to educate these personnel on the importance and impact of discovered incidents and their corresponding action plans.

Coordinate

Access to the field hospital information systems or infrastructure should be scheduled and recorded by HIC. A thorough record of the site visit with timestamp and purpose should be kept. The site manager and onsite security personnel should be informed of and approve the visit. All other discovered interaction with field hospital infrastructure or sensitive information systems should be deemed suspect and investigated.

If social media monitoring is not already in place, it may become prudent to start coordinating with corporate communications/public relations to collect data on public sentiment, rumors, and threats on public communication platforms as the crisis evolves.

Initial deployment of a field hospital will never be perfect. It is important to maintain ongoing conversation with end users and site managers to ensure requirements are continuously gathered and improved upon.

Command

Established and well-organized command structures are an important part of maintaining continuity of operations. Disorderly or erratic command channels can lead to decreased morale, inefficiency, turnover, and significant operational problems.

Unify Command

As information security resources get pulled into the HICS organizational structure, it is important that the concept of Unified Command is understood by all. Unified Command asserts that individuals assigned to the HICS organizational structure should not be expected to simultaneously perform their normal job duties in addition to the duties associated with their HICS position. This eliminates the potential for conflicting directives and increases efficiency and accountability. Pre-existing cyber security initiatives will likely have to be paused or cancelled until staffing can return to normal.

While not every resource can participate in the HICS command structure, it is important to develop a shared, detailed understanding of the situation within HICS. This allows the various departments and command structures to better understand how they can best apply their respective capabilities towards a common goal and measure success.

Document Everything

The rapidly shifting nature of emergency management and field hospital duties forces operational personnel to have robust documentation available to support changing requirements.

  • Detailed procedural documents will be needed to support cross training for 24/7 staffing models that may be required under HICS. These procedural documents can also be used to validate that steps are performed uniformly regardless of who performs them.
  • Network and Data Flow Diagrams will be useful for the SOC to determine legitimate traffic patterns and actions in an environment that is new and unfamiliar to them.
  • Changes to the network, infrastructure, or deployed assets should be recorded for use during investigations and troubleshooting. Unrecorded equipment deployment or routing changes can lead to gaps in visibility or processes.
Understand the Mission

The ultimate goal of applying cyber security knowledge to secure field hospitals is the preservation of human life. Recognition of this concept should guide the organization’s strategy in choosing which controls and processes listed in this document to implement. Preventing data loss, financial loss, or brand damage is secondary to ensuring the safety and well-being of the patients, family, and field hospital personnel. Never lose sight of the mission.

In Closing

While each organization will need significant time to fully contemplate their own unique circumstances, this collection of controls should help get a head start on quickly and efficiently securing field hospitals and temporary medical spaces. The chaotic and unpredictable circumstances we operate in can rapidly become unmanageable. The next time your organization is faced with a similar crisis, we hope you PICC your battles wisely.