The HIMSS Healthcare Security forum in Boston is where CISOs (Chief Information Security Officers) come together to listen to their peers, government representatives and vendors on what keeps them up at night. And yes, stories about security and privacy breaches are kind of scary, as they often create significant damage to the reputation of their institutions and cause financial loss, often in the form of penalties but even more in recovery costs. For example, as one of the speakers told us, a stolen laptop that held more than 10,000 unencrypted emails from one of their physicians resulted in a $300,000 fine, but also required hiring 30 temps to go through each individual email to find the 4,000 that contained significant PHI and required notification. This incident amounted to a direct cost of more than $1 million.
The best part of this conference, however, was not the swapping of anecdotal stories about breaches but learning what a hospital should be worried about the most, and what should be low on the priority list, because one might otherwise feel overwhelmed by the many potential threats and breaches.
Here are my top 10 take-aways:
1. Zero-day events are over-rated. A zero-day is a vulnerability that becomes known before a security patch can be installed, during which time the weakness can be exploited by a hacker or malware. However, it is rare for exploits to take advantage of these zero-days on short notice, although there was one that was identified and exploited within one hour. By far the majority of breaches are due to weaknesses that had been known for a long time and that people had not gotten around to fixing for months or longer. Case in point: the WannaCry ransomware attack that infected 70,000 devices at NHS hospitals in the UK for a few days in May 2017 exploited a Microsoft security flaw for which a patch had been available for several months.
2. Put pressure on medical device vendors to allow for end-point security. Most large medical device vendors refuse to allow a hospital IT department to put any software or agent on their devices, let alone security-related software. However, if you negotiate it upfront as part of the purchasing process and/or are a big enough player in the provider field, they can be swayed to do this. The argument that it invalidates their FDA approval is a myth that vendors use inappropriately. Most medical devices use an embedded OS, VxWorks, which is the most common real-time operating system in use. There are actually 11 vulnerabilities that have been discovered in the underlying network software used by VxWorks, aka the “Urgent/11,” which resulted in an FDA safety communication bulletin.
3. Network segmentation and monitoring are essential. If you are a small hospital and have no leverage with your vendors to negotiate end-point security and/or have old legacy devices, the next best step is to monitor these devices externally. The reason for monitoring is that many of them run obsolete operating systems (XP, Windows 7 or old embedded OSes) and are vulnerable to exploitation, and, by the way, telling your hospital or radiology administrator to replace a CT or MR that costs $1 million or more because it has a security vulnerability is almost certainly not going to fly. This not only affects medical devices; it can also be a lab system running an old database or web server (notably Apache) that is obsolete as well.
In these cases, there are two bywords to live by: micro-segmentation and zero trust. Micro-segmentation allows networks to be configured in software such that certain devices only talk with each other. If a device or application moves, the security policies and attributes move with it. Zero trust means that it is not sufficient to only protect the perimeter; nothing can be trusted anymore, as internal devices might become infected as well, so it shifts the focus to internal protection.
4. Most password schemes are pretty much useless. A vendor demonstrated that a 6-character password hashed with SHA-256, with the required upper case, lower case and special character, can be cracked in less than one minute using open source tools on a relatively fast server (not even a supercomputer). In addition, 52 percent of people use their birthdays or the names of their kids, spouses or pets as passwords, with the first character in upper case followed by a “1” and the special character “!”, which is easy to guess for anyone browsing their Facebook profile in the case of a targeted attack, and many re-use their passwords.
Almost everyone’s account has been hacked at some point in time, whether it is from your Target account, Equifax account, Bank-One, or any other major breach in the past, so if you use the same password, someone will now be able to access your current bank, Facebook, retirement or other account you might have. One should make sure to use stronger password hashing and, even better, two-factor authentication or, best, biometric identifiers. In addition, passwords should be changed at a minimum every 90 days (the generally recommended 30 days was suggested as being overkill).
5. Inventory and purchasing management is critical. One needs to know what devices are purchased, make sure they meet basic security requirements, and know what is connected to the network at what location. Not only do you need to know what devices are connected, you also have to know their “typical” behavior. For example, a CT scanner might access an EMR for a worklist and send images to the PACS. If it suddenly starts to query the hospital billing system or tries to send images to an IP address in Russia, there is an obvious issue.
Characterizing behavior is often done using a network sniffer such as Wireshark. Network security tools can monitor this behavior and there is a good opportunity to use AI to “learn” about the typical behavior so that any deviation from that behavior can be flagged. This goes back to the “zero-trust” principle as mentioned earlier.
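A minimal version of the baseline-and-deviation check described above, as an added example (not code from the conference or the original post): it learns each device's usual peer set from a learning window of flow records and flags any later flow to an unseen peer or to an address outside the hospital's own ranges. Device names, hosts, ports and the address ranges are assumptions.

```python
"""Learn each device's "typical" network peers, then flag deviations.
Added example, not code from the original post; all flows, hosts, ports
and address ranges below are constructed."""
from collections import defaultdict
import ipaddress

# Assumed internal address space; a literal IP outside it counts as external.
HOSPITAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows: (source device, destination host, destination port).
BASELINE_FLOWS = [
    ("ct-scanner-1", "emr.hospital.local", 104),   # DICOM worklist query to the EMR
    ("ct-scanner-1", "pacs.hospital.local", 104),  # DICOM image send to the PACS
    ("ct-scanner-1", "emr.hospital.local", 104),
    ("xray-unit-2", "pacs.hospital.local", 104),
]
NEW_FLOWS = [
    ("ct-scanner-1", "pacs.hospital.local", 104),     # expected
    ("ct-scanner-1", "billing.hospital.local", 443),  # internal, but never seen
    ("ct-scanner-1", "203.0.113.7", 443),             # outside the hospital ranges
]

def learn_baseline(flows):
    """Map each device to the set of (host, port) peers seen in the learning window."""
    baseline = defaultdict(set)
    for device, host, port in flows:
        baseline[device].add((host, port))
    return dict(baseline)

def is_external(host):
    """True for a literal IP outside HOSPITAL_NETS; hostnames are treated as internal."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(addr in net for net in HOSPITAL_NETS)

def find_deviations(baseline, flows):
    """Return (device, host, port, reason) for each flow that departs from the baseline.
    A device with no baseline is flagged too: under zero trust it gets no implicit allowance."""
    alerts = []
    for device, host, port in flows:
        known = baseline.get(device)
        if known is None:
            alerts.append((device, host, port, "device not in inventory"))
        elif (host, port) not in known:
            reason = "external destination" if is_external(host) else "unseen internal peer"
            alerts.append((device, host, port, reason))
    return alerts
```

In practice the learning window would be fed from a sniffer or flow collector rather than a hard-coded list, and a flagged flow would be checked against the segmentation policy before blocking.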
6. Manage and monitor your service providers. In one case, a service engineer connected a legacy CT scanner running XP to an external, unprotected connection to download upgrades and it was promptly infected with malware. This was fortunately detected, as the institution had proper network detection in place. In another case, an x-ray unit’s hard disk crashed and, as the service engineer did not want to rebuild it from scratch, he used a cloned copy from another nearby hospital, which was infected with malware. And of course, any USB flash drive with upgrades must be scanned for viruses. It sounds almost too hard to believe, but one of the speakers had a major security incident because a physician who received a “free” USB stick at the airport in Moscow put it in his hospital PC, which caused great havoc.
7. BYOD (Bring Your Own Device) is a major challenge. Of all hospitals in the US, 71 percent allow some form of BYOD. Physicians like to use their own devices, whether for texting a colleague for advice or taking a picture of a patient in the ER as evidence. In addition, it will not be unusual for a physician to connect an ultrasound probe to a smart phone; the latter may soon become a replacement for the stethoscope. I personally think that the remaining 29 percent of hospitals not allowing BYOD will not be able to hold out long. Allowing BYOD has major implications. First of all, the attack surface is exponentially increased; second, there is big resistance against IT “taking over” personal devices. Early attempts at IT protection actually caused interactions and interference with other usage. It wouldn’t be the first time that using a VPN that encrypts the clinical messaging impacts the operation of, say, the physician’s access to email or, even worse, Amazon or their brokerage account.
8. Double your security budget. Compared with other industries, the amount of money spent on healthcare cyber security is many factors less, while the potential gain for hackers is many factors more. A medical record fetches 10 times the price of a credit card on the dark web. Security budgets have been decreasing to about 3 percent of the overall IT budgets in healthcare. Knowing that it would be impossible, due to the limited resources of hospital IT departments, to boost the level of spending to that of other industries, it was concluded that you should spend at least twice as much as you do today. An external security consultant should be able to benchmark your current spending against your peers and other industries if you need to convince your management to do so.
That security can be a life-or-death factor was illustrated with the case of the UK ransomware incident where ERs shut down, which means that a stroke victim who has a 30-minute window to be treated could be left out. Imagine if that had happened in the US; it would be a perfect class action suit for negligence because IT did not keep up with patches, causing serious patient harm.
9. Limit your attack surface. There are several ways to do this. First of all, reduce the on-device footprint: use Zero Footprint (ZFP) viewers, preferably in standard browsers, which means that as soon as you log off, all information is erased. If there is any confidential information on an electronic device which can easily be carried around and/or stolen or accessed, make sure all of it is encrypted.
Run every application in the cloud where feasible, however with some caveats. Make sure that cloud access is guaranteed secure and that there is redundancy and back-up. The overriding argument for the cloud is that any of the cloud providers have literally thousands of security professionals managing its security, which your own resources cannot match. However, moving to the cloud means that 80 percent of what your cyber security staff knows today becomes irrelevant, as managing the application in the cloud is basically an entirely new job. Therefore, be prepared to retrain your security staff.
Consumerization of healthcare is another major issue impacting the attack surface. Consumerization has many aspects; first, it requires a different mindset from providers. Intermountain Healthcare out of Salt Lake City has been a pioneer in this, as it started to call patients “consumers” instead of patients. It hired an ex-Disney executive as Chief Consumer Advocate. Regardless of whether the institution is ready, patients/consumers will come to the hospital with their wearables that record an EKG, heart rate and vitals, and with information provided by their apps that record their glucose level or connect with their pacemaker to record cardiac events. Note that seven out of ten Americans track healthcare data on their mobile phones. If we want consumers to take responsibility for their health, they also should be able to contribute their own health data to their EMRs and the patient records used by healthcare providers. Imagine the attack surface, which has just been exponentially increased again.
10. Concentrate on high-risk areas. There was a recent report that CDs with DICOM images could be exploited by embedding an executable in the so-called preamble of these files. This caused quite a stir; however, when a new threat is discovered, one should analyze the potential risk, i.e., how likely is it that someone would “execute” a DICOM image file.
The same applies to potential hacking of pacemakers, infusion pumps, anesthesiology equipment and other devices that appear in YouTube videos or in the news as becoming targets for hackers. Instead of worrying about these high-visibility, low-likelihood threats, concentrate on your legacy equipment, worry about patch management, inventory your systems, segment your network and use security dashboards to manage your cyber security. Just implementing a dashboard causes the number of incidents to decrease by as much as 30 percent in six months.
Even though you might not be directly involved with cyber security, a conference such as the HIMSS security forum is very useful, as it gives an inside perspective on the challenges we are facing in healthcare.
Here are some excellent resources if you would like to learn more: