While the theme this week set by the National Cybersecurity Alliance is specific to securing devices in healthcare, I would like to broaden the topic a bit in this blog. The healthcare industry has been a relentless target of cyber criminals since I began my cybersecurity research and practice. It is a critical topic because, up until about five years ago, hacking was primarily about breaching corporate firewalls and exfiltrating data, mounting distributed denial of service (DDoS) attacks, and attacking personal and business computers. But now, in the world of IoT, a malicious actor can actually kill someone, whether through an automobile or an embedded medical device.
So, let us look at a few different areas of vulnerability that exist in healthcare facilities, in both ambulatory and hospital environments:
- Medical devices
- Ransomware
- Information management and security
- Printing security
Medical Devices
There are two primary kinds of medical devices: stationary on-site devices and wearables. According to the US Food and Drug Administration (FDA) all legally marketed medical devices have benefits and risks. The FDA allows devices to be marketed when there is a reasonable assurance that the benefits to patients outweigh the risks.
Medical devices are increasingly connected to the Internet, hospital networks, and other medical devices to provide features that improve healthcare and increase the ability of healthcare providers to treat patients. These same features also increase the risk of potential cybersecurity threats. Medical devices, like other computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device.
Threats and vulnerabilities cannot be eliminated; therefore, reducing cybersecurity risks is especially challenging. The healthcare environment is complex and manufacturers, hospitals, and facilities must work together to manage cybersecurity risks.
Here are a few examples from the FDA and DHS:
- SweynTooth Cybersecurity Vulnerabilities May Affect Certain Medical Devices; FDA Safety Communication, March 03, 2020
- On October 01, 2019, the FDA and the Department of Homeland Security issued concurrent advisories alerting patients, healthcare providers, and manufacturers to cybersecurity vulnerabilities in IPnet, a widely used third-party software component that supports communication among computers.
- The group of 11 vulnerabilities, named URGENT/11 by security researchers, could allow a hacker to gain control of a medical device remotely and change its function, deny service, or cause information leaks or flaws.
- On August 29, 2017 the FDA announced the recall of Abbott / St Jude Medical's Accent MRI pacemaker due to cybersecurity vulnerabilities.
The Supply Chain
Healthcare providers cannot forget the supply chain. When vetting manufacturers and service providers, they must keep a keen eye on security as well. A rush to market often encourages device manufacturers' developers to cut corners. In code development, leaving back doors or rootkits in place sometimes makes testing and error mitigation quicker and easier, but these egregious mistakes are an open invitation to hackers. An important thing to keep in mind is that the average cyber-criminal has no conscience. Human life and condition mean absolutely nothing to them, and they will stop at nothing to get what they want.
For service providers, such as HVAC, transportation, third-party labs, and other contractors, service level agreements (SLAs) should require stringent attestations and accreditations ensuring that they do their due diligence in screening employees and implementing security controls, since a breach at a contractor can have direct consequences for the primary healthcare institution. Ransomware attacks often originate with a careless employee who inadvertently falls prey to a phishing scam.
Ransomware
In recent weeks, the US military has mounted an operation to temporarily disrupt what is described as the world's largest botnet, which is also used to drop ransomware and which officials say is one of the top threats to the 2020 election. Trickbot was used last month in a damaging attack against a major healthcare provider, Universal Health Services, whose systems were locked up by the ransomware known as Ryuk. The attack forced personnel to resort to manual systems and paper records, according to reports. UHS runs more than 400 facilities across the United States and Britain. Some patients reportedly were rerouted to other emergency rooms and experienced delays in getting test results.
A woman in Germany died last month when the hospital she went to for emergency care turned her away because it had suffered a ransomware attack; she died en route to another facility. It is unclear whether Trickbot was involved in that case, but it is said to represent the first death linked to ransomware.
One need only hark back to the WannaCry ransomware attack of 2017, which hit around 230,000 computers globally. One of the first companies affected was the Spanish mobile company Telefónica. By May 12th, thousands of NHS hospitals and surgeries across the UK were affected. A third of NHS hospital trusts were affected by the attack.
So, these past and present examples confirm that ransomware has been the most prevalent form of attack on the healthcare industry in recent times. In response to this increase, it is crucial that healthcare organizations develop a proper disaster recovery plan and adequately educate their users on information security. With proper planning in place, a healthcare facility is not only more likely to survive an attack, but also more likely to decrease the costs associated with an attack and mitigate the risk to its reputation.
Secure Information Management
Whether it be an outpatient surgical facility, doctor’s office, or hospital, protecting personal health information (PHI) is critical to remain compliant with the guiding principles of the Health Insurance Portability and Accountability Act (HIPAA). The Health Information Technology for Economic and Clinical Health (HITECH) Act encouraged healthcare providers to adopt electronic health records as well as improved privacy and security protections for healthcare data. This was achieved through financial incentives for adopting EHRs and increased penalties for violations of the HIPAA Privacy and Security Rules.
Maintaining the integrity of electronic medical records depends on systems with strong data protection controls in place, such as encryption, user authentication, and authorization that applies the principle of least privilege to any access to or modification of PHI.
Secure content management systems also maintain a high degree of governance over these types of controls, including (but not limited to) data classification. These systems may also include e-discovery features that help healthcare institutions properly inventory their data. Finally, most systems also feature retention policy functionality and auditing capabilities through a centralized administration dashboard.
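As an added illustration of the controls described in the two paragraphs above (this is not code from the original post), the following Python sketch enforces least-privilege, per-role field access to PHI records, logs every access attempt, including denied ones, into an HMAC-chained audit trail so that tampering with an entry is detectable, and applies a retention policy to that trail. The roles, record fields, six-year retention window and MAC key are constructed assumptions for the example.

```python
"""Least-privilege access to PHI with an integrity-protected audit trail.

Added example, not code from the original post. The roles, record
fields, retention window and MAC key are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import hmac

# Constructed role policy: each role reads only the fields its job needs
# and may write fewer still. Unknown roles get no access at all.
POLICY = {
    "clinician":  {"read": {"patient_id", "name", "dob", "diagnosis", "medications"},
                   "write": {"diagnosis", "medications"}},
    "billing":    {"read": {"patient_id", "name", "insurance_id"}, "write": set()},
    "front_desk": {"read": {"patient_id", "name", "dob"}, "write": {"name", "dob"}},
}
AUDIT_RETENTION = timedelta(days=6 * 365)  # assumed retention window for audit events
AUDIT_KEY = b"constructed-demo-key"        # a real deployment keeps this in a KMS/HSM


def permitted(role, action):
    return POLICY.get(role, {}).get(action, set())


@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    user: str
    role: str
    action: str        # "read" or "write"
    patient_id: str
    fields: tuple
    allowed: bool
    mac: str           # HMAC over this event plus the previous event's MAC


def event_mac(prev_mac, when, user, role, action, patient_id, fields, allowed):
    msg = "|".join([prev_mac, when.isoformat(), user, role, action,
                    patient_id, ",".join(fields), str(allowed)])
    return hmac.new(AUDIT_KEY, msg.encode(), hashlib.sha256).hexdigest()


class PhiStore:
    def __init__(self, records):
        self._records = {r["patient_id"]: dict(r) for r in records}
        self.audit = []       # append-only, chronological
        self._anchor = ""     # MAC of the last purged event, so the chain survives purges

    def _authorize(self, user, role, action, patient_id, fields, now):
        # Every attempt is logged, denied ones included, before any data moves.
        fields = tuple(sorted(fields))
        allowed = bool(fields) and set(fields) <= permitted(role, action)
        prev = self.audit[-1].mac if self.audit else self._anchor
        when = now or datetime.now(timezone.utc)
        mac = event_mac(prev, when, user, role, action, patient_id, fields, allowed)
        self.audit.append(AuditEvent(when, user, role, action, patient_id, fields, allowed, mac))
        if not allowed:
            denied = sorted(set(fields) - permitted(role, action))
            raise PermissionError(f"role {role!r} may not {action} {denied}")

    def read(self, user, role, patient_id, fields, now=None):
        self._authorize(user, role, "read", patient_id, fields, now)
        rec = self._records[patient_id]
        return {f: rec[f] for f in fields}      # only the requested, permitted fields

    def update(self, user, role, patient_id, changes, now=None):
        self._authorize(user, role, "write", patient_id, list(changes), now)
        self._records[patient_id].update(changes)
        return dict(self._records[patient_id])

    def verify_audit(self):
        """Recompute the HMAC chain; False if an event was altered or an interior one removed."""
        prev = self._anchor
        for e in self.audit:
            expected = event_mac(prev, e.when, e.user, e.role, e.action,
                                 e.patient_id, e.fields, e.allowed)
            if not hmac.compare_digest(expected, e.mac):
                return False
            prev = e.mac
        return True

    def purge_expired(self, now):
        """Drop events past the retention window; the chain anchor moves forward."""
        cutoff = now - AUDIT_RETENTION
        keep = [e for e in self.audit if e.when >= cutoff]
        purged = self.audit[:len(self.audit) - len(keep)]
        if purged:
            self._anchor = purged[-1].mac
        self.audit = keep
        return len(purged)


def demo():
    """Constructed scenario: permitted read, denied read, integrity check, purge."""
    store = PhiStore([{"patient_id": "P-001", "name": "Ada Example", "dob": "1980-01-01",
                       "diagnosis": "constructed", "medications": "none", "insurance_id": "INS-1"}])
    old, recent = datetime(2013, 1, 1, tzinfo=timezone.utc), datetime(2020, 1, 1, tzinfo=timezone.utc)
    out = {"clinician": store.read("dr.a", "clinician", "P-001", ["name", "diagnosis"], now=old)}
    try:
        store.read("bill.b", "billing", "P-001", ["diagnosis"], now=recent)
        out["billing_denied"] = False
    except PermissionError:
        out["billing_denied"] = True
    out["events"] = len(store.audit)
    out["intact"] = store.verify_audit()
    out["purged"] = store.purge_expired(datetime(2020, 6, 1, tzinfo=timezone.utc))  # 2013 event expires
    out["intact_after_purge"] = store.verify_audit()
    return out
```

Two design points worth noting. Authorization is decided and logged before any record is touched, so the audit trail records denied attempts as well as successful ones, which is what an investigator needs. The HMAC chain detects an altered entry or a deleted interior entry, but not truncation of the newest entries; a deployment would also record a signed head MAC or event count somewhere the audit store cannot rewrite, and would keep the key in a KMS or HSM rather than in source.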
Printing Security
Not all data moves through a healthcare organization in electronic format. On any given day, printed documents containing PHI circulate among staff and caregivers, and they must be controlled with the same diligence as electronic data. In many cases, large hospitals still have a complex print server infrastructure that represents a huge labor burden on IT and Infosec teams to manage and secure properly. Those antiquated systems need to be modernized and consolidated with new universal print driver technology that presents a much smaller attack surface to hackers. Preferred printing systems will include critical security features such as:
- User authentication and authorization
- Pull printing, where users must authenticate at a device to “pull” the print job so that sensitive printed output does not lie around unattended in printer output trays for prying eyes.
- By nature, traditional EHR and EMR systems were not designed to output raw data in a printable format. These systems need the ability to convert raw data into printable formats, such as PDF, PostScript, and PCL, and to transport the print jobs over encrypted channels, such as SSL/TLS and IPsec.
- Healthcare organizations like hospitals and outpatient surgical facilities typically have roaming users (nurses, trauma care personnel, doctors, etc.) who need to be able to log into remote PCs at different locations throughout the facility, which requires virtual desktop (VDI) technology. The print management system should offer single sign-on (SSO) capabilities to lessen the authentication burden for users who often work in an environment of controlled chaos. Saving lives can often come down to seconds, and any time lost in this process can be catastrophic. Healthcare teams are often resistant to accepting any type of authentication process that requires manually entering PIN codes or passwords. Proximity card scanning with their normal facility badges is always an important criterion.
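As an added example of the pull-printing and badge-authentication features listed above (this is not code from the original post or from any print-management product), the following Python queue holds submitted jobs centrally, releases only the authenticated owner's jobs when a badge is presented at a device, rejects unknown badges, discards jobs left unreleased past a hold window, and logs each event. Badge IDs, user names, document names and the eight-hour hold window are constructed.

```python
"""Pull-printing queue: jobs are held until their owner authenticates at a device.

Added example, not code from the original post or from any print-management
product. Badge IDs, user names, documents and the hold window are constructed.
"""
from datetime import datetime, timedelta, timezone
import hashlib
import hmac
import itertools

HOLD_WINDOW = timedelta(hours=8)       # assumed: unreleased jobs are discarded after one shift
BADGE_KEY = b"constructed-badge-key"   # keyed hash so a copied table does not reveal badge IDs


def badge_token(badge_id):
    return hmac.new(BADGE_KEY, badge_id.encode(), hashlib.sha256).hexdigest()


class PullPrintQueue:
    def __init__(self, badge_directory):
        # badge_directory maps badge ID -> user; only keyed hashes are kept here
        self._badges = {badge_token(b): user for b, user in badge_directory.items()}
        self._jobs = {}                 # job_id -> {"owner", "document", "submitted_at"}
        self._ids = itertools.count(1)
        self.log = []                   # (event, job_id, owner, device, when)

    def submit(self, owner, document, now):
        job_id = next(self._ids)
        self._jobs[job_id] = {"owner": owner, "document": document, "submitted_at": now}
        return job_id

    def pending(self, owner):
        return sorted(j for j, job in self._jobs.items() if job["owner"] == owner)

    def expire(self, now):
        """Discard jobs held longer than HOLD_WINDOW so nothing waits forever."""
        stale = [j for j, job in self._jobs.items() if now - job["submitted_at"] > HOLD_WINDOW]
        for j in stale:
            self.log.append(("expired", j, self._jobs.pop(j)["owner"], None, now))
        return stale

    def release(self, badge_id, device, now):
        """Badge tap at a device: authenticate, then release only the owner's own jobs."""
        self.expire(now)
        owner = self._badges.get(badge_token(badge_id))
        if owner is None:
            self.log.append(("auth_failed", None, None, device, now))
            raise PermissionError("badge not recognised")
        released = []
        for j in self.pending(owner):
            released.append(self._jobs.pop(j)["document"])
            self.log.append(("released", j, owner, device, now))
        return owner, released


def demo():
    """Constructed shift: two users print, one taps a badge, one job goes stale."""
    q = PullPrintQueue({"BADGE-1001": "nurse.kim", "BADGE-2002": "dr.lee"})
    t0 = datetime(2020, 10, 14, 7, 0, tzinfo=timezone.utc)
    q.submit("nurse.kim", "discharge summary P-001", t0)
    q.submit("dr.lee", "lab results P-002", t0)
    q.submit("nurse.kim", "medication list P-003", t0 + timedelta(hours=1))
    out = {"kim": q.release("BADGE-1001", "ward-3-mfp", t0 + timedelta(hours=2))}
    try:
        q.release("BADGE-9999", "ward-3-mfp", t0 + timedelta(hours=2))
        out["unknown_rejected"] = False
    except PermissionError:
        out["unknown_rejected"] = True
    out["lee_pending_before"] = q.pending("dr.lee")
    # dr.lee arrives after the hold window; the stale job was discarded, not printed
    out["lee"] = q.release("BADGE-2002", "er-mfp", t0 + timedelta(hours=9))
    out["events"] = [e[0] for e in q.log]
    return out
```

Nothing reaches an output tray until the owner is physically at the device, which is the point of pull printing; the expiry step runs before every release so forgotten jobs never accumulate in the queue; and the badge directory holds only keyed hashes, so a copy of that table does not expose the badge numbers themselves. Every release, failed authentication and expiry is logged with the device and time, which gives the Infosec team the same audit trail for paper PHI that the electronic systems provide.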
So, the challenges in securing healthcare organizations and their respective medical devices are daunting. It requires awareness and diligence on all sides of the issue: end users, administrators, Infosec teams, manufacturers and regulators. But if we continue to band together and not operate in separate bubbles, we can move a little closer to limiting the damage caused by this scourge. After all, the cyber-crime community has been successful because they did just that—organized crime moved underground and formed a brotherhood that worked together to dominate cyberspace over us eager and naïve technology zealots.
You can learn more about securing devices in healthcare by visiting The National Cybersecurity Alliance (NCSA) website and the Federal Food and Drug Administration (FDA) website.
To get involved with the NCSA and NCSAM, click here.