With the widespread adoption of digitised systems, the healthcare industry faces unprecedented cybersecurity challenges. According to the Australian Cyber Security Centre (ACSC)’s Annual Cyber Threat Report, the sector reported the highest number of cybersecurity incidents—excluding government sectors—during the 2021-22 financial year [1]. In this era of digital transformation, as telehealth, electronic medical records (EMR), and connected medical devices become increasingly integral to patient care delivery, cybersecurity risks have escalated drastically. Yet one area that commonly lacks attention is building management systems (BMS).

BMS regulate critical hospital functions such as temperature control, lighting, power supply, and security systems. However, as these once standalone systems increasingly integrate with the Internet of Medical Things (IoMT), they also create new entry points for cyber threats that, if exploited, could significantly affect patient safety and service delivery.

Severe impact of BMS failures on patient safety  

The importance of a BMS is often underestimated until something happens. For example, faulty temperature controls could result in the destruction of temperature-sensitive medications, causing disruption to treatment plans. More alarmingly, these failures can cause harm to delicate immunotherapies that play a critical role in fighting life-threatening diseases. 

Temperature control is a critical consideration, but failures aren’t limited to it. The reality is that cyber-physical systems—from security cameras and physical access controls to heating, ventilation, and air conditioning (HVAC) systems, lighting, fire alarm systems, power, elevators, and other essential mechanical or electrical equipment—form the backbone of healthcare delivery.

These interconnected systems form a complex web; if one fails, healthcare delivery as a whole can be disrupted.

Cybercriminals exploiting vulnerable BMS 

A successful attack on a healthcare BMS will cause significant and potentially catastrophic disruption, making it an appealing target for cybercriminals. For example, threat actors could exploit vulnerabilities in a BMS as an entry point into a healthcare facility’s network. Once inside, they could attack other connected systems, stealing patient data or disrupting essential, life- and mission-critical services.

Unfortunately, BMS are often overlooked by IT security teams, who focus more on traditional threat targets. Cybercriminals, however, have begun to recognise the critical role of BMS in operations, as well as their potential as gateways to other protected infrastructure.

Many facilities operate with older BMS, particularly HVAC systems nearing end-of-life. Given the hyper-connectivity of today’s world, these systems are rife with vulnerabilities. Though firmware updates are a suggested preventative measure, the complexity and risk of downtime make this a time-consuming process, leaving compensating controls as the typical, although less effective, go-to strategy for these legacy systems.

Overcoming security challenges in healthcare BMS  

Despite the inherent cybersecurity risks, healthcare organisations can take several steps to ensure that the BMS is secure. These include:  

  • Prioritise greater visibility: comprehensive knowledge of the network is crucial for security. Healthcare providers must strive to understand their connected BMS assets thoroughly. With in-depth visibility into these systems, their functions, and their communication patterns, organisations can identify potential vulnerabilities and allocate security resources more effectively. 
  • Establish efficient vulnerability management: having identified potential vulnerabilities, it’s critical to determine which ones pose the most significant threat to the organisation. With an understanding of the various BMS devices and their specific vulnerabilities, organisations can tailor their security measures and patch management strategies accordingly. 
  • Achieve network segmentation: to limit the potential spread of a breach, it’s crucial to incorporate network segmentation into the overall cybersecurity strategy. By assigning each device, including those within the BMS, to an appropriate network segment, organisations can strengthen their overall security posture and limit exposure in the event of a security incident. 
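As an added illustration of the visibility and segmentation points above (this is example code, not part of the original article): a small Python check that maps constructed flow records against a hypothetical asset inventory and segment policy, flagging BMS traffic that crosses into clinical or staff segments and flows involving devices nobody has inventoried. All device names, addresses and the policy are assumptions.

```python
from dataclasses import dataclass

# Constructed asset inventory (hypothetical names and addresses): IP -> (device, segment).
INVENTORY = {
    "10.10.1.5": ("hvac-controller-01", "bms"),
    "10.10.1.6": ("lighting-panel-02", "bms"),
    "10.20.1.10": ("bms-mgmt-ws-01", "bms-mgmt"),
    "10.30.1.20": ("emr-db-01", "clinical"),
    "10.40.1.30": ("nurse-ws-14", "staff"),
}

# Segment pairs permitted to communicate; everything else is denied by default.
ALLOWED = {("bms", "bms"), ("bms-mgmt", "bms"), ("bms", "bms-mgmt")}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def segment_of(ip: str) -> str:
    """Segment a device belongs to, or 'unknown' if it is not in the inventory."""
    return INVENTORY.get(ip, ("?", "unknown"))[1]


def check_flows(flows):
    """Return (flow, reason) pairs for flows that break policy or involve un-inventoried devices."""
    findings = []
    for f in flows:
        src_seg, dst_seg = segment_of(f.src), segment_of(f.dst)
        if "unknown" in (src_seg, dst_seg):
            # A device nobody inventoried is a visibility gap before it is a policy question.
            findings.append((f, "unknown device: not in inventory"))
        elif (src_seg, dst_seg) not in ALLOWED:
            findings.append((f, f"segment policy denies {src_seg} -> {dst_seg}"))
    return findings


# Constructed flow records (as summarised from firewall or NetFlow logs). 47808/udp is BACnet/IP.
SAMPLE_FLOWS = [
    Flow("10.20.1.10", "10.10.1.5", 47808),  # management workstation -> HVAC: allowed
    Flow("10.10.1.5", "10.10.1.6", 47808),   # HVAC -> lighting panel: allowed (same segment)
    Flow("10.40.1.30", "10.10.1.5", 47808),  # nurse workstation -> HVAC: staff must not reach BMS
    Flow("10.10.1.5", "10.30.1.20", 1433),   # HVAC controller -> EMR database: BMS reaching clinical
    Flow("10.10.1.99", "10.10.1.5", 47808),  # un-inventoried device talking to HVAC: visibility gap
]

if __name__ == "__main__":
    for flow, reason in check_flows(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {reason}")
```

In practice the inventory and policy would be exported from the asset register and firewall rule base, and the flow records pulled from the same logs the security team already collects.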

Facing the future of healthcare cybersecurity  

The growing interconnectivity and digitisation of healthcare operations present both opportunities and challenges. As healthcare organisations continue to integrate more connected devices into their operations, and as the BMS becomes increasingly integrated with other parts of hospital infrastructure, the cybersecurity risks grow. However, with the right approach, these risks can be managed.

The development and implementation of a comprehensive cybersecurity strategy is critical for healthcare providers. This goes beyond simply protecting patient data or ensuring the seamless functionality of medical devices; it involves safeguarding the essential BMS that form the backbone of healthcare delivery. Doing so will help healthcare organisations confront these hidden cybersecurity challenges head-on and ensure patient safety and service integrity.

To learn more about cybersecurity in building management systems send us an email to info@connected-health.com.au