Data security concerns should not overcome RTLS allure yet
When Healthcare Purchasing News learned that certain types of bar-code technology could be tampered with, courtesy of their programming, the revelation brought to mind earlier reports of biometric imaging capabilities encountering its own security issues, despite expectations that they were effective in protecting data and information access.
HPN almost immediately wondered if — or how — asset tracking platforms and technologies that don’t require “line-of-sight” aiming and beaming might fare against clever and industrious computer coders and programmers with this prospective challenge in their crosshairs. Could real-time location system (RTLS) modalities and platforms be targeted?
Peter Ginkel, P.E., Vice President, ID Integration Inc., the company that brought the challenges of 2-D bar coding to light, differentiated concerns about asset location systems and bar coding issues and urged caution.
“Asset Locating systems are a closed environment with a limited data set and a minimal number of characters encoded,” Ginkel told HPN. “We have not seen any possibility for these systems to become compromised if even a modicum of precautions is taken. The malicious barcode issue, however, is quite real and potentially destructive in that it is so easy to encode malicious commands into a code.”
The moral of the story, according to sources, is that while these techniques and technologies may provide more protection and security than, say, doing or using nothing at all, they certainly weren’t completely safe and secure or “hack-proof.” Realistically, they acknowledged, nothing is — at least for long.
But comparing the effectiveness of online or electronic safety and security protocols and technologies to, say, an annual flu shot, may be unrealistic at least and unfair at most.
Healthcare providers and suppliers have known for years that wireless signal transmissions between devices, equipment and systems can be interrupted, which motivated the development and implementation of a variety of protocols to better manage the plethora of electronic technologies on the market against the backdrop of healthcare information privacy rules.
Consequently, HPN Senior Editor Rick Dana Barlow reached out to a group of RTLS suppliers to gauge the security measures of the various platforms — not to stoke doubts and fears about RTLS but to explore the possibilities and ignite initial ideation on protective measures.
HPN: We’ve heard of “free-form” 2-D bar-coding symbologies that can enable increased risk of malicious PC attacks via embedded PC system commands, leading us to wonder how the threat of cyberattacks/hacking/malicious coding may migrate to RTLS modalities and platforms. How vulnerable are RTLS systems to cyberattacks, hacking or malicious coding that can breach firewalls and computer security to affect device performance and tracking?
Sagi Geva, Director, Acute Care Solutions,STANLEY Healthcare, Waltham, MA
“RTLS systems consist of two components: The software components that manage the system (engine, database, software) and the infrastructure components. For on-premises installations, the software components are really no different from any other system inside the hospital. They, of course, require robust protection with firewalls, encryption, authentication, regular OS updates, etc., but no special measures. Naturally, hospitals must ensure that their RTLS vendor is capable of quickly updating their software to stay current with the latest OS and all security patches and enhancements.
“For cloud/hosted solutions, it is very important to know what security is being provided. We work with companies like Microsoft and Amazon, which are leaders in cybersecurity and quick to address any threats.
“The infrastructure components are a more unique aspect of RTLS. RTLS tags communicate wirelessly to a reader, so the security of that communication and the devices is essential. We take a number of steps in this area:
- We keep our hardware as simple as possible. The majority of our tags use uni-directional beaconing, which doesn’t require them to authenticate with the network; in other words, they don’t have direct network access. Our newer generation of tags, which can be bi-directional for configuration and firmware updates, utilize the latest enterprise Wi-Fi security protocols, which can be field-updated as needed.
- We regularly update our solutions to address known vulnerabilities like man-in-the-middle attacks, replay protection, etc.
- We have cybersecurity experts who conduct regular audits of our solutions. We are prepared to address and respond to vulnerabilities as they pop-up (just recently, Spectre and Meltdown, as an example).”
“The threat of cyberattacks in healthcare has never been more prevalent and is a major concern of every organization looking to establish an RTLS entry point into their network and systems. Versus understands the necessity of security controls at both the hardware and application level and makes particular effort to ensure security controls are enabled to deter malicious intrusion. For hardware, the Versus RTLS network is a closed system and restricts the transmission of any code-based intrusion. In addition, only registered hardware components are authorized to communicate with the Versus platform. The approach prevents malicious piggybacking of the Versus RTLS sensory network as an organizational network entry point and restricts any data location hoaxes to be inserted.
“Ensuring security controls are established at the software application layer is just as important. Versus takes particular attention to safeguard the use of software components, ensuring they are only accessible to authorized users. In addition, programming of controls that restrict malicious events are not allowed, such as SQL injection. Finally, data transmissions between Versus applications are securely encrypted preventing exposure to sensitive data.”
Chris Sullivan, Global Healthcare Practice Lead,Zebra Technologies, Lincolnshire, IL
“As the threat of cyberattacks/hacking/malicious coding continues to grow it’s important for hospitals to remain vigilant. RTLS systems are an extension to or part of the hospital’s own network and should be treated as such. RTLS system security, threats and vulnerabilities should be assessed following industry best-practices and protected. Different RTLS modalities have different feature/function sets and thus security should be accessed on a modality-by-modality basis. Each system should be evaluated based on risk and security level. What data does the solution create, how is data moved, where does data reside, how does data get converted into information, what type of information is created, are there regulatory requirements for handling the data/information, and what happens if the data is compromised, all factor into assessing the risk to the business. Honest risk assessment is one means of helping a hospital determine the appropriate level of security to employ.
“RTLS modalities each differ in how they create, store, move and convert data into information. Passive and active beacon technologies that do little more than broadcast their own ID and possibly other data about themselves (e.g., MAC ID, serial number, temperature, battery power, etc.) are inherently secure. While these sensors could be intercepted they are not connected to the network and do not carry sensitive data. The RTLS system components that are connected to the hospital’s network and/or handle sensitive information should employ appropriate security methods and technologies including, user authentication, encryption, rotating passwords and keys, system firewalls and other security best practices. Hospitals should be proactive in setting security requirements that force RTLS systems to employ a level of security that is as strong or stronger than the hospital network they are connecting to.”
“From an RF standpoint, Encompass uses commercial Bluetooth low energy and Wi-Fi technologies. Once configured, the active [Bluetooth Low Energy] BLE beacons simply broadcast their ID and a few operating parameters, such as battery life. They are not physically or virtually connected to the hospital’s network. While one could intercept the data transmission from a BLE beacon there is no meaningful information to exploit.”
Charity Carney, Vice President, Software Development and Security,
Champion Healthcare Technologies, Lake Zurich, IL
“Nearly every system on the planet carries some degree of risk or vulnerability of exposure. RTLS systems are no exception to this, but depending on their architecture and content [they] may vary in allure to cybercriminals. A key strategy to minimizing or eliminating risk from an RTLS vulnerability is to build infrastructure and arrange firewalls or boundaries effectively. Protecting points of connectivity between systems is critically important. Additionally, certain tactics can be used to negate the value of a successful hack through RTLS/RFID. The less useful information that could be gained through a successful hack, the less likely that hackers will identify you as a target.”
Sandy Murti, Senior Director, Industry Solutions & Business Development, Impinj Inc., Seattle
“Unlike many other RTLS technologies, Impinj’s RAIN RFID uses a passive RFID tag/reader that limits the distance the tag can be read. This means that proximity and geo fencing can be tightly defined. Also, Impinj’s RAIN RFID can operate without connecting to the internet, external network or third-party systems. All the connections occur between the Impinj gateway readers and Impinj ItemSense software.
“Signal proximity and closed system design help limit Impinj RAIN RFID tags and readers from hacking risks. Impinj doesn’t depend on the internet or third-party servers to operate.”
What are some of the warning signs for which providers should watch that their RTLS systems may be vulnerable to cyber attacks, hacking or malicious coding?
GEVA: “An attack via an RTLS system is so far only theoretical — it has never occurred. This is not to say that it couldn’t, but we put or effort into proactive measures. We encourage our customers to bring their concerns to us so we can work on them together and close any possible gap before it can be exploited.”
JACKSON: “There are two primary indicators organizations can observe that may indicate a malicious intrusion attempt in relation to their RTLS system: performance, data accuracy.
“First, a hacking event at the entry point of the locating device may introduce a flooding of messages to ascertain a potential weakness in the RTLS. With Versus RTLS, such messages are filtered from penetrating to the application layer and do not expose any fragility in the system to the hacker. However, the volume of traffic would be traceable to help determine a potential cyberthreat has occurred.
“Second is the accuracy of the data maintained in a system. While Versus maintains security access controls to software components, local security policies govern authorization to software applications. If the healthcare organization’s centralized user access is violated, the accuracy of data maintained by the RTLS may be compromised. In such an unlikely event, Versus provides audit-visibility of access to the software components. This provides full traceability of when the system was hacked and who may have accessed the system and related data.”
SULLIVAN: “This is specific to the RTLS modality(or modalities) being used. Regardless, the key here is to be proactive in both monitoring and protecting the network, data and information. The integrity of the network — wired, wireless, or in the cloud — should be monitored for unusual activity or performance that could indicate attacks or problems. A very powerful system monitors and builds a database of ‘normal’ performance and operating parameters. This history can then be used to learn over time, enhancing the ability to quickly identify attacks and threats. Furthermore, this data can be used for offline forensic analysis as well as triggering automated protection systems. A good example of this technology is today’s wireless intrusion protection systems that monitor and protect the network via constant analysis of the RF spectrum.
“Another potential indicator of attack is disruption of the RTLS system. A thorough RF Spectrum analysis as part of the RTLS system design and deployment can also serve as a baseline for comparison against disruption in the future. If the RTLS system is suddenly suffering performance or operational challenges without being updated or changed recently it’s always a good idea to determine the root cause of the disruption and whether it could be the result of an attack.”
CARNEY: “Above all, vendors without the proper processes and policies in place are a major warning that a vulnerability is lurking somewhere in the future. Carefully vet any potential vendor partners before integrating with an RTLS or other system. Once integrated, red flags could include unusual traffic, unrecognized changes to the system, anomalies in capacity or bandwidth patterns and the appearance of unexpected data. Also observing requests coming from unusual or unknown sources can be a warning sign as well.”
CANNELL: “Different RTLS modalities have different feature/function sets, and thus security should be assessed on a modality-by-modality basis. It is important to constantly monitor and assess the RF environment for vulnerabilities and threats. Any vulnerabilities should be addressed as quickly as possible. It is also recommended that the individual hospital’s wireless networking team monitor the RF Spectrum and Wi-Fi network using an intrusion detection system, or better still, a proactive wireless intrusion protection solution (WIPS). A WIPS system will monitor the wireless system and proactively address threats including potentially black-listing devices, ‘jamming’ threats, and denying access to the network. There are various levels of security offered by these systems, and the best network has a level of security and protection commensurate with the importance of the data flowing across the network.”
MURTI: “In general, the key elements of any security review should consist of a review of the customer’s network policy and firewall architecture, the customer‘s operating environment, back-end processes and software, which would be no different than the security processes and controls for an IoT-enabled software solution.”
If providers find a cybersecurity problem with their RTLS system, what should they do?
GEVA: “Immediately contact your RTLS vendor. In our case, we maintain 24/7 support and our support group have direct access to our R&D team to investigate and respond to events. This is really a requirement in today’s environment for any HIT system, including RTLS.”
JACKSON: “While a cybersecurity threat with the Versus system would be rare, the company employs the necessary expertise and engineering resources to identify and secure a potential future threat. Versus works closely with provider organizations on cybersecurity that complies with both industry and local healthcare IT security policies. In the unlikely event a security threat is identified, Versus expertise is available to diagnose and remedy any potential cybersecurity issues.”
SULLIVAN: “It is very important to identify the problem as soon as possible. Quick, effective detection and classification of threats is the first step toward mitigating the problem followed by protection and recovery from the attack. Neutralizing threats will depend on accurate analysis of the threat/attack. Since the RTLS system will likely be connected to the hospital’s network in some fashion, the hospital should follow its own internal processes for dealing with security breaches and resultant data/privacy requirements.”
CARNEY: “Ideally, a quality provider should have an incident response plan to help guide their reaction to a cybersecurity problem of any variety. Should an RTLS-related security problem occur, it’s critical to work with the manufacturer of the system(s) immediately. Basic steps are to diagnose the vulnerability, shut it down, remediate the problem effectively and address exposure appropriately. Time is of the essence with any security incident and the organization and its partner(s) must work quickly to preserve forensic evidence and prevent further exposure.”
CANNELL: “This will be determined by the individual hospital system’s wireless network security process. The key is to identify the problem as soon as possible as early detection is critical to minimizing impact. Once detected, the problem needs to be assessed for severity and addressed appropriately. Remediation action must be taken as quickly as possible, but what specific actions to take depends on the specifics of the problem. For a hospital RTLS system, it is important the hospital follow its own internal processes for dealing with such matters, including consideration of any data protection or privacy regulations or requirements that exist.”
MURTI: “Should a RTLS system be compromised, providers should quickly implement their emergency security procedures. The provider should bring the RTLS system into a safe operating mode — this would mean temporarily shutting down access to external networks, such as the internet or third-party systems.”
Finally, how realistic is it to ensure RTLS systems are secure and “hack-proof” so to speak, knowing that not even biometrics (e.g., thumbprint, ocular, facial) truly is secure because the system creates and stores a file of the biometric image, which can be accessed by hackers?
GEVA: “No system is 100 percent bulletproof, but the risks to RTLS systems can be managed and substantially mitigated through the technology and methodologies discussed earlier.”
JACKSON: “Complying with industry cybersecurity standards, applying network and system controls and ensuring applications are security-coded are the mechanics RTLS vendors must employ to assist in deterring a malicious event. However, establishing a ‘hack-proof’ system relies on the healthcare organization to understand techniques that deter harmful events, as well as to adopt, govern, and execute policies and procedures that take cybersecurity seriously. By working in concert on limiting accessibility to the computing systems, the networks they reside upon, the applications that are running, along with the ongoing monitoring of each, healthcare entities can establish a solid defense against potential threats.”
SULLIVAN: “No system is ‘hack-proof.’ By design, RTLS systems should consider what data they use and how that information is managed and protected. A good practice that helps ensure a compromised RTLS system carries little risk is to avoid duplicating data and keeping data separate until such time as it must be presented as information. Separating RTLS data from business/operations and personal data records whenever possible is also a good practice. Firewalls and data storage protections should also be employed. Also, network access policies should always be strictly enforced. Maintaining security is especially challenging as the capabilities to attack systems evolves along with the very technologies used to secure networks and RTLS systems. A simple and often overlooked part of an effective security solution involves the diligent management of system access to employees, contractors, consultants and other parties. Organizations that minimize potential risks will also minimize overall damage.
CARNEY: “New hacks and cyberattack strategies arise every day, so even if a system has the ultimate security today, that’s not necessarily going to be true tomorrow. It’s imperative to evolve with criminal trends and tactics just as those criminals evolve with industry standards and developments. Keep up with best practices and modern technical tools for protecting data, stay abreast of the news, and ensure that all systems are patched in a prompt manner. Remaining vigilant and alert is the best defense to a hack when combined with solid technology practices, inside and out of an RTLS system.”
CANNELL: “Encompass uses Wi-Fi and thus inherits the security level of the hospital’s own network. However, by utilizing BLE beacons that only broadcast their MAC identifier, an extra level of security is achieved. There is no personal or private information included in the BLE broadcast packet, and the RTLS information is only achieved when the BLE beacon ID is matched via a prior knowledge to the asset information stored outside of the hospital infrastructure in the GE Microsoft Azure Cloud managed infrastructure. In the case of Encompass, security is achieved via the system architecture design and the latest wired and wireless security protocols.”
MURTI: “One of the key principles of cyber security is to develop a system where it would be a more expensive and resource-intensive process for hackers than the benefit they could get out of the hack. This principle also applies to RTLS systems. The system should be designed so that the cost of hacking an RTLS system far exceeds the benefit.”
Rick Dana Barlow | Senior Editor
Rick Dana Barlow is Senior Editor for Healthcare Purchasing News, an Endeavor Business Media publication. He can be reached at [email protected].