Protecting Hospital Networks From 'Code Dark' Scenarios

According to a 2020 memo from the Commonwealth of Massachusetts Department of Public Health, a code black event is "defined as when a hospital's Emergency Department is closed, as declared by an authorized hospital administrator, to all patients (ambulance and walk-in patients) due to an internal emergency."

The memo goes on to list a number of situations constituting internal emergencies, including:

Code Black/Code Dark

On April 20, 2022, the Bay State added another item to that list, when code black events were declared at hospitals in Worcester and Framingham, following cyberattacks on Tenet Healthcare Corporation facilities there and in Florida. According to HealthcareITNews, "Tenet immediately suspended user access to impacted IT applications, executed extensive cybersecurity protection protocols and took steps to restrict further unauthorized activity." HealthITSecurity later reported that the attack campaign included a ransomware infection that ultimately cost Tenet $100 million in lost revenue during the second quarter. 

Now, cyberattacks have their own emergency response designation, called "code dark." A recent Wall Street Journal article described code dark procedures at Washington, DC's Children's National Hospital, during which, while IT staff respond to the event, hospital employees are trained to turn off Internet-connected medical equipment to keep an attack from spreading. Under such conditions, the hospital's CISO said, "If we call a code dark, the entire hospital knows to disconnect devices anywhere they can." 

Patient Safety at Risk

That's not especially comforting, given healthcare providers' reliance on medical devices. Hospitals are prime targets for threat actors, and especially for ransomware gangs. They know healthcare providers are under great pressure to maintain continuity of operations and to protect patient safety, and so are most likely to pay the cost to unlock medical systems, devices, and data, rather than risk an unfortunate outcome. A new study by the Ponemon Institute underscores this risk, finding that hospitals falling victim to a ransomware attack experience a decline in care quality and outcomes, including longer patient stays, test and procedure delays, and even more complications following care. 

Healthcare organizations invest aggressively in connected devices to improve facilities management and administration, and to provide a higher quality of patient care. Those devices include the Internet of Things (IoT), the Internet of Medical Things (IoMT), and operational technologies (OT). A recent study by Juniper Research forecasts that the average hospital will have as many as 3,850 IoMT devices connected to their networks by 2026. Every device that connects increases the complexity of a hospital's IT estate and its attack surface.

Zero Trust for Connected Devices Starts With Asset Inventory and Baselining

The proliferation of these devices in a hospital's IT infrastructure requires meticulous attention be paid to the risk each connected device adds to the network. Without the means to discover, monitor, and manage every connected device, the security of an organization's devices, data, and even patients themselves could be compromised. That makes it imperative to translate the elements of zero trust (never trust, always verify, and least privilege access) and apply them to a connected device security strategy.  

The first step in doing that requires knowing your attack surface. The adage "You can't protect what you can't see" holds true here, making complete device discovery and classification essential and foundational to protecting healthcare environments. This can range from traditional IT devices and medical devices that cannot be discovered via traditional means to elevator and HVAC control systems that are core to hospital operations. The approach needs to be "passive" so it doesn't impact device function.  

The next step is mapping transactions. With connected devices, this starts by using machine learning to establish and understand a baseline of how each device should behave. Since most IoT, IoMT, and OT devices operate within deterministic parameters, having an accurate understanding of normal, safe behavior makes it easier to recognize anomalous behaviors that represent early indicators of compromise. And when you can accurately detect an attack or risky behavior, you can automate policy enforcement that isolates compromised or at-risk devices. 

Automate Response and Policies With Machine Efficiency

That granular device profile — what a device is, how it's communicating, where it's connected, and its normal patterns of behavior — contains the elements you need to architect your zero-trust policies and response — both reactive and proactive. The device context allows you to quickly respond to an attack and minimize and contain the blast radius. It also allows you to maintain operational continuity by keeping gear in service rather than shutting things down that might not need to be taken offline, or that could put patient care at risk if disconnected.  

For example, rather than taking a connected medical device offline if it is being used by a patient, dynamically generate zero-trust segmentation policies that can quickly isolate the device on the network and allow its "sanctioned" behavior to continue. In contrast, a compromised surveillance camera communicating to a malicious domain can be blocked and taken off the network immediately, without risking an adverse medical outcome. 

Enlightened, Not Dark

A code dark protocol that asks doctors, nurses, and medical support staff to disconnect devices is one way to deal with a cyberattack, but it's not the best way. Instead, use an enlightened approach that applies a zero-trust strategy to protecting connected devices. By starting with an asset inventory of devices in the network, baselining of device behavior, and leveraging automation to respond to threats and quickly stop lateral movement, you can maintain a higher security profile without compromising healthcare quality. When that is the model, network and patient safety can be maintained at a high level, even in the middle of a cyberattack, without pulling the plug.