Friday, December 13, 2019

Top 10 healthcare IT cybersecurity recommendations from HIMSS forum.

The HIMSS Healthcare Security forum in Boston is where the CISO’s (Chief Information Security Officers) come together to listen to their peers, government representatives and vendors on what keeps them up at night. And yes, stories about security and privacy breaches are kind of scary as they often create significant damage to the reputation of their institutions and cause financial loss, often in the form of penalties, but even more in recovery costs. For example, as one of the speakers told us, a stolen laptop that had more than 10,000 unencrypted emails from one of their physicians resulted in a $300,000 fine but also required hiring 30 temps to go through each individual email to find the 4,000 that had significant PHI and had to be notified. This incident amounted to a direct cost of more than $1 million dollars.

The best part of this conference, however, was not the swapping of anecdotal stories about breaches but learning what a hospital should be worried about the most, and what should be low on the priority list because one might feel overwhelmed with the many potential threats and breaches.

Here is my top 10 take-aways:

1.       Zero-day events are over-rated. A zero-day event is the first time that a vulnerability is made known before a security patch can be installed, during which time the weakness can be exploited by a hacker or malware. However, it is rare for exploits to take advantage of these zero days on short notice, however, there was one that was identified and exploited within one hour. By  far, the majority of breaches are due to weaknesses that were known for a long time and people had not gotten around to fix them for months or longer. Case in point, the Wannacry ransomware attack that infected 70,000 devices at the NHS hospitals in the UK for a few days in May 2017 was the result of a Microsoft security flaw which had a patch available for several months.

2.       Put pressure on medical device vendors to allow for end-point security. Most large medical device vendors refuse to allow a hospital IT department to put any software or agent on its devices, let alone security related software. However, if you negotiate it upfront as part of the purchasing process and/or are a big enough player in the provider field, they can be swayed to do this. The argument that it invalidates their FDA approval is a myth that is used by vendors inappropriately. Most medical devices use an embedded OS, VxWorks, which is the most common real time operating system in use. There are actually 11 vulnerabilities that have been discovered in the underlying network software used by VxWorks, aka the “Urgent/11,” which has resulted in a FDA safety communication bulletin.

3.       Network segmentation and monitoring is essential. If you are a small hospital and have no leverage with your vendors to negotiate end-point security and/or have old legacy devices, the next best step is to monitor these devices externally. The reason for monitoring is that many of them have obsolete operating systems (XP, Windows 7 or old embedded OS’s) and are vulnerable for exploitation, and by the way, telling your hospital or radiology administrator to replace a CT or MR which cost a $1 million+ because it has a security vulnerability is almost certainly not going to fly. This not only affects medical devices; it also can be an lab system running an old database or webserver (notably Apache) that is obsolete as well.
In these cases, there are two bywords to live by, micro-segmentation and zero trust. Micro-segmentation allows for networks to be configured using software such that certain devices only talk with each other. If a device or application moves, the security policies and attributes move with it. Zero trust means that it is not sufficient to only protect the perimeter; nothing can be trusted anymore as devices might become infected as well, so it shifts the focus to internal protection.

4.       Most password schemes are often pretty much useless. A vendor demonstrated that an encrypted 6-character password using SHA-256, which had the required upper and lower case and non-character, can be cracked in less than one minute using open source tools on a relatively fast server (not even a supercomputer). In addition, to the fact that 52 percent of people use their birthdays, names of their kids, spouses or pets as passwords, with the first character being the uppercase, followed by a “1” and special character “!, which are easy to guess by anyone browsing their Facebook profile in case of a targeted attack, many re-use their passwords.

Almost everyone’s account has been hacked at some point in time, whether it is from your Target account, Equifax account, Bank-One, or any other major breach in the past, so if you use the same password, someone will now be able to access your current bank, Facebook, retirement or other account you might have. One should make sure to use more advanced password encryption and, even better, two-factor authentication or, best, biometric identifiers. In addition, passwords should be changed at a minimum every 90 days (the generally recommended 30 days was suggested as being overkill).

5.       Inventory and purchasing management is critical. One needs to know what devices are purchased, make sure they meet basic security requirements, and know what is connected to the network at what location. Not only do you need to know what devices are connected, you also have to know its “typical” behavior. For example, a CT scanner might access an EMR for a worklist and send images to the PACS. If it suddenly starts to query the hospital billing system or tries to send images to an IP address in Russia, there is an obvious issue.

Characterizing behavior is often done using a network sniffer such as Wireshark. Network security tools can monitor this behavior and there is a good opportunity to use AI to “learn” about the typical behavior so that any deviation from that behavior can be flagged. This goes back to the “zero-trust” principle as mentioned earlier.

6.       Manage and monitor your service providers. In one case, a service engineer connected a legacy CT scanner running XP to an external, unprotected connection to download upgrades and it was promptly infected with malware. This was fortunately detected, as the institution had proper network detection in place. In another case, an x-ray unit crashed its hard disk and, as the service engineer did not want to rebuild it from scratch, he used a cloned version from another nearby hospital, which was infected with malware. And of course, any USB flash drive with upgrades must be scanned for viruses. It sounds almost too hard to believe but one of the speakers had a major security incident because a physician who received a “free” USB stick at the airport in Moscow put it in his hospital PC, which caused great havoc.

7.       BYOD (Bring Your Own Device) is a major challenge. Of all hospitals in the US 71 percent allow some form of BYOD. Physicians like to use their own devices, whether it is for texting a colleague about advice, or taking a picture of a patient in the ER as evidence. In addition, it will not be unusual for a physician connecting an ultrasound probe to a smart phone, the latter may soon become a replacement for the stethoscope. I personally think that the remaining 29 percent of hospitals not allowing BYOD’s will not be able to hold out long. Allowing a BYOD has major implications. First of all, the attack surface is exponentially increased, second, there is a big resistance against IT “taking over” personal devices. Early attempts of IT protection actually caused interactions and interference with other usage. It wouldn’t be the first time that using a VPN that encrypts the clinical messaging impacts the operation of let’s say access by the physician to email or, even worse, Amazon or their brokerage account.

8.       Double your security budget. Compared with other industries, the amount of money spent on healthcare cyber security is many factors less, while the potential gain for hackers is many factors more. A medical record fetches 10 times the price of a credit card on the dark web. Security budgets have been decreasing to about 3 percent of the overall IT budgets in healthcare. Knowing that it would be impossible due to the limited resources of the hospital IT departments to boost the level of spending to that of other industries, it was concluded that you should spend at least twice as much as you do today. An external security consultant should be able to benchmark your current spending with your peers and other industries if you need to convince your management to do so.

That security can be a life-or-death factor was illustrated with the case of the UK ransomware incident where ERs shut down, which means that a stroke victim who has a 30- minute window to be treated could be left out. Imagine if that had happened in the US, it would be a perfect class action suit for negligence because IT did not keep up with patches causing serious patient harm.

9.       Limit your attack surface. There are several ways to do this, first of all reduce the on-device footprint, use Zero Footprint (ZFP) viewers, preferably using standard browsers, which means that as soon as you log off, all information is erased. If there is any confidential information on an electronic device which can easily be carried around and/or stolen or accessed, make sure all of it is encrypted.

Running every application in the cloud as is feasible, however with some caveats. Make sure that cloud access is guaranteed secure and there is redundancy and back-up. The overriding argument for the cloud is that any of the cloud providers have literally thousands of security professionals managing its security, which is no match for your own resources. However, moving to the cloud means that 80 percent of what your cyber security staff knows today becomes irrelevant, as managing the application in the cloud is basically an entirely new job. Therefore, be prepared to retrain your security staff.

Consumerization of healthcare is another major issue impacting the attack surface. Consumerization has many aspects, first, it requires a different mindset from providers. Intermountain Healthcare out of Salt Lake City has been a pioneer with this as it started to call patients “consumers” instead of patients. It hired an ex-Disney executive as Chief Consumer Advocate. Regardless of whether the institution is ready, patient/consumers will come to the hospital with their wearables that provide an EKG, heartrate and vitals recorded, and information provided by their apps that record their glucose level, or connects with their pacemaker recording cardiac events. Note that seven out of ten Americans track healthcare data on their mobile phones. If we want consumers to take responsibility for their health, they also should be able to contribute their own health data to their EMR’s and patient records used by healthcare providers. Imagine the security surface attack level that just has been exponentially increased again.

10.   Concentrate on high risk areas. There was a recent publication report that CD’s with DICOM images could be exploited by embedding an executable in the so-called pre-amble of these files. This caused quite a stir, however, when a new threat is discovered, one should analyze the potential risk, i.e. how likely is it that someone would “execute” a DICOM image file.

The same applies for potential hacking of pacemakers, infusion pumps, anesthesiology equipment and other devices that appear on YouTube videos or in the news as becoming targets for hackers. Instead of worrying about these high-visibility, low-likelihood threats, concentrate on your legacy equipment, worry about patch management, inventory your systems, segment your network and use security dashboards to manage your cyber security. Just implementing a dashboard causes the number of incidents to decrease by as much as 30 percent in six months.

Even though you might not directly be involved with cyber security, a conference such as the HIMSS security forum is very useful as it gives an inside perspective of the challenges we are facing in healthcare.

Here are some excellent resources if you would like to learn more: