Medical Facilities-Related Control Systems, Medical Devices and Equipment

The Defense Health Agency (DHA) strategic goals are to support the Military Department’s Surgeon General (SG), enhance the DHA role as a Combat Support Agency, and optimize DHA internal business processes. The DHA provides Enterprise Support Activities (ESA) to meet these strategic goals. The DHA Facilities Division is one such ESA tasked with delivering medical facilities worldwide. As the Department of Defense implements the Risk Management Framework, and the increased dependency on the cyberspace domain in both combat and defense, it is critical that DHA’s Facilities Division develop and implement standards that reinforce security of Facility-Related Controls Systems and networked equipment. Doing so will improve standardization/reduce variation project-by-project, improve the cybersecurity for new facility construction, optimize investments in cybersecurity to balance security with lifecycle costs, and create flexibility for future modernization.

The DHA Facilities Division, the Health Information Technology (J6), and the Medical Logistics communities work together to deliver world-class cyber secure health care around the globe.

Health Information Technology (HIT) Division

The HIT has developed the Medical Community of Interest (Med-COI) Isolation Architecture which is a Joint Information Environment (JIE) compliant architecture to support global DHA operations.

The Med-COI when fully deployed will be a closed enclave with a single security architecture (SSA).
A Security Zone is a logically or physically separated area of the network with a clear boundary and access controls.
Devices and systems will be placed into security zones based on their security posture which dictates the IA controls to be applied. There may be multiple VLANs within a security zone.
Access controls consist of FW rules, IDS signatures, and router ACLs explicitly defining the end systems and protocols allowed for data communication.
Med-COI devices and systems will communicate with other devices and systems from both within and outside the Med-COI enclave.
Data communications between Med-COI devices and systems external to the Med-COI will always traverse the MEGs and depending on where the external device/system is located will also traverse either the IAPs, the MPGs, or TIC GWs.
Data traversing the various enclaves/GWs are subject to their respective IA controls.

Figure 1 - DHA Med-COI Isolation Architecture

The Med-COI Isolation Architecture consists of 12 Zones. Zone 6a is Medical Devices and Equipment (MDE), Zone 6b is Facilities-Related Control Systems (FRCS), Zone 9 is Purgatory/Quarantine, and Zone 12 is Test and Development Environment (TDE). The use of VLANs are typically employed within zones to further separate unique devices or systems associated with the same zone.

The Med-COI provides the foundation on which the Facilities-Related Control Systems (FRCS), Medical Devices and Equipment (MDE), and Electronic Health Records (EHR) systems can communicate with each other and ensure that sensitive FRCS operations data (temperature, humidity, air quality, power, nurse call, etc.), MDE (imaging, infusion pumps, pediatrics, etc.) are properly calibrated and functioning properly, and the EHR patient data is protected per the HIPPA and PHI requirements.

Zone 6a Medical Devices and Equipment (MDE) - Zone 6a is reserved for Clinical high-risk systems, devices and equipment generally referred to Medical Devices/Modalities. This zone also includes the terminal devices to interface medical equipment with a USB or Serial (RS-232) interface to the network. FDA systems or modalities in Zone 6 may have similar characteristics to standard, Clinical information systems but due to operational considerations related to their use in clinical/patient care, may not be separated from the medical equipment with which these systems may interface and so are placed in Zone 6. VLANs within Zone 6a, sometimes referred to as Departmental VLANs, include logical groupings of devices which typically communicate with each other, and support common modality or group of modalities related to the department’s clinical specialty, and also often communicate with a common upstream system(s), either locally or regionally, although rarely at the enterprise level.

Zone 6b FRCS - Zone 6b is reserved for Facility Related and Control Systems (FRCS), including SCADA, DLP, PLCs, and others as identified above. These systems fall into the same High-Risk category as systems in 6a; however, they are less likely to require general network access and often require additional physical isolation on the network.

Zone 9 Purgatory - This zone is a special use case designated as a temporary construct for systems or devices that must remain connected to the network to meet some critical mission or business requirement but do not meet standard criteria for connection to the network or an ATO has lapsed due to unresolved vulnerabilities that cannot otherwise be remediated or mitigated. Systems in purgatory are said to be “quarantined” in as much as access to or from these system to other devices on the network will be strictly limited based on critical mission need. In general, systems in purgatory will not be allowed to connect to any external enclave, the Intranet or NIPRNet. Access by users will be limited to admin access for maintenance or remediation. Zone 9 also contains the default VLAN for non-compliant systems that are not allowed to connect under a “comply-to-connect” implementation if the LAN electronics do not support a “null” or “000” VLAN ID.

Zone 12 Pre-Production/Test - Zone 12 will be available for temporary use or Pre-Production or test purposes for those capabilities that cannot be reasonably accommodated in a dedicated lab environment. These are capabilities which must be connected to the network, presumably for only a short period of time, as-needed to support testing of other system or more typically system interfaces so as not to impact a similar or the same system or device in production.”

DHA Facilities Division

The DHA Facilities provides guidance and resources via the World-Class ToolKit at: https://home.facilities.health.mil/.

The DHA Facilities Division is organized into four Portfolio areas:

PL 1: Portfolio Management
PL 2: Requirements Planning
PL 3: Design, Construction, and Activation
PL 4: Facility Operations

The DHA Facilities Division is responsible for almost 1000 facilities worldwide. Medical facilities are some of the most complex buildings built and are extremely sensitive to external environmental factors (weather, power, air quality, water quality, etc.) that can cause adverse patient care due to infectious disease (Legionnaires, Super Bugs, etc.).

DHA FRCS and MDE are cross-domain systems; most use Power over Ethernet (PoE) switches that are part of the FRCS to provide plug load power to the MDE. The MDE in turn have a cross-domain connection to the EHR system. Loss of power or IP connectivity directly impacts patient care.

Figure 2 – DHA Medical Treatment Facilities

Recent cyber attacks on medical care facilities have caused serious economic damage and directly impacted patient care. A cyber attack against the DHA FRCS, MDE or EHR could cause catastrophic damage to the facilities and injury or loss of life. Cybersecurity must now be planned and implemented across the facility lifecycle.

The DHA Facilities Division is responsible for developing the RMF guidance for medical facilities FRCS. The following documents have been developed to address cybersecurity procedures for FRCS, and MDE and will be posted on the World-Class Toolkit and the Whole Building Design Guide.

Standards for Cybersecurity of Building Communications, Electronic Safety and Security, and Building Control Systems

Standard Operating Procedure (SOP) - This document includes a detailed process for implementing this Standard Operating Procedures (SOP). This SOP is specific to the self-assessment procedures necessary to fulfill requirements of the RMF process for Assess Only and Assess and Authorize.

Standard Operating Procedure (SOP) for Facility-Related Control Systems (FRCS) Continuous Monitoring - This SOP establishes best practices for managing an FRCS while assuming a worst-case scenario of owning a system with little insight into its inner workings. Securing an FRCS relies on its ability to understand what is taking place in its systems. The end goal of this SOP is to provide procedures to owners and operators on detecting compromise within an FRCS. To achieve this result, a baseline of “normal” traffic and topological information must be created.

Procedures Manual - Standard Isolation Architecture for Cybersecurity of Facility-Related Control Systems (FRCS).

a. DHA occupied, sustained or maintained on-base assets containing systems that monitor and control building operations. These systems control access, monitor alarms and regulate building climate.

b. A designer, developer or operator, who is either military, civilian, or contractor, who supports work in the development, maintenance and operation of DHA FRCS systems.

c. Personnel who manage risk and protect DHA networks and Information Systems (IS).

Figure 3 – FRCS Med-COI Isolation Architecture Boundary

Using the Energy, Infrastructure and Environment EI&E FRC Master List, the DHA Medical FRCS were added and categorized, and the following Med-COI Zone 6b FRCS Sub-Zones were created.

Med-ICS SUB-ZONE - contains systems and subnets that control the function of the facility and do not access, use and / or manipulate data / information categorized as Life Safety, PII, Payments Information or PHI.

Med-LIFE SUB-ZONE - contains systems and subnets that control the function of critical facility systems that are life safety in nature or use, access and / or manipulate data / information categorized as Life Safety. These systems do not access, use or manipulate data / information categorized as PII, Payments Information or PHI.

Med-ESS SUB-ZONE - contains systems and subnets that control the function of facility electronic security systems. These systems may require access to and manipulate data / information categorized as Life Safety, PII, Payments Information and / or PHI.

Med-MED SUB-ZONE - contains systems and subnets that control the clinical and clinical support systems of a facility – this does not include PP Medical Devices (except where integrated into a system). These systems may require access to and manipulate data / information categorized as Life Safety, PII, Payments Information and / or PHI.

Med-PWR SUB-ZONE - contains systems and subnets that control facility power generation systems. These systems may use, access and / or manipulate data / information categorized as Life Safety. These systems do not access, use or manipulate data / information categorized as PII, Payments Information or PHI.

Med-COI ZONE 9: Med-PURG. Zone 9 contains existing legacy systems that cannot meet modern security standards and may be completely isolated from connectivity with other systems. These systems shall not use, access and / or manipulate data / information categorized as Life Safety, PII, Payments Information or PHI.

Figure 4 – DHA FRCS Med-COI Sub-Zones

Medical Logistics Division

The Medical Logistics Division is responsible for Medical Devices and Equipment and ensuring the equipment and instruments meet patient healthcare and cybersecurity requirements: https://health.mil/Military-Health-Topics/Business-Support/Medical-Logistics/Healthcare-Technology-Management-Medical-Devices

The following RMF guidance is currently under development and expected to be published in Summer 2018.

Standard Operating Procedure (SOP) for Medical Devices and Equipment (MDE) Assessment Procedures Manual – Provides a set of procedures for assessing the effectiveness of DHA MDE security and privacy controls based on NIST SP 800-53A Revision 4, to facilitate a more consistent, comparable, and repeatable assessments of security and privacy controls with reproducible results.

Standard Isolation Architecture for Cybersecurity of Medical Devices and Equipment (MDE).

a. DHA occupied, sustained or maintained on-base assets containing systems that monitor and control building operations. These systems control utilities and building access, support active and passive medical devices, monitor alarms and regulate building climate.

b. A designer, developer or operator, who is either military, civilian, or contractor, who supports work in the development, maintenance and operation of DHA MDE systems.

c. Personnel who manage risk and protect DHA networks and Information Systems (IS).

Guidance for Medical Devices and Equipment (MDE) Continuous Monitoring - Standardizes the implementation of a CM approach within the DHA MDE program to increase and sustain situational awareness of all MDE systems across the organization, to maintain an understanding of threats and threat activities and improve organization-wide risk management.

Using the FDA and DHA 1691 MDE lists, the DHA Medical MDE Zone 6a were added and categorized, and the following Med-COI MDE Sub-Zones were created.

- contains systems and subnets that that are Personal Property (PP), control the function of clinical and laboratory procedures, access, use and / or manipulate data / information categorized as PII or PHI but not Payment Card and where adverse cyber operation of the system does not immediately endanger human well-being.

- contains systems and subnets that that are Personal Property (PP), control the function of medical and laboratory imaging equipment, access, use and / or manipulate data / information categorized as PII or PHI but not Payment Card and where adverse cyber operation of the system does not immediately endanger human well-being.

- contains systems and subnets that control the clinical and clinical support systems of a facility not to include PP Medical Devices (except where integrated into a system). These systems may require access to and manipulate data / information categorized as PII, Payments Information and / or PHI and where adverse cyber operation of the system may endanger human wellbeing.

- contains systems and subnets that that are Personal Property (PP), control the function of critical clinical and laboratory procedures, access, use and / or manipulate data / information categorized as PII or PHI but not Payment Card and where adverse cyber operation of the system may immediately endanger human well-being.

- contains systems and subnets that that are Personal Property (PP), control the function of clinical and laboratory processes, access, use and / or manipulate data / information categorized as PII or PHI but not Payment Card and where adverse cyber operation of the system may or may not immediately endanger human well-being. This zone is utilized to allow for a flat network within a function of the facility that allows for robust “stand alone” or “isolated” operation when there may be compromises to other zones. For example, a pharmacy or surgical suite.

- contains systems and components that, once initiated, will never be connected to any other system or lacks connectivity features. These systems may use and / or manipulate data / information categorized as PII, Payments Information or PHI.

- contains systems and components that, once initiated, will periodically be connected to other systems though will not maintain am always on connection. These systems may use and / or manipulate data / information categorized as PII, Payments Information or PHI.

- contains existing legacy systems that cannot meet modern security standards and may be completely isolated from connectivity with other systems. These systems shall not use, access and / or manipulate data / information categorized as PII, Payments Information or PHI.

Figure 5 – DHA MDE Med-COI Zones