The world is changing; and while there may never have been a time when that statement was not true, it seems particularly true today. Change these days seems to be a lot more aggressive and disruptive than ever before. In the healthcare arena, the shadow of impending change hangs over the industry like a tidal wave — evoking simultaneous senses of intimidation, awe, excitement, and fear. For many, there is an eerie sort of realization that they will either be crushed and washed away or ride the tsunami of change to new horizons.
As is so often the case with change, the speed and trajectory is largely attributable to technology. Medical technology, sometimes referred to as "MedTech," aims to improve the quality of care by delivering more accurate diagnoses at earlier stages, making treatment less invasive and more effective, while reducing recovery times. According to Wikipedia, "Medical technology may broadly include medical devices, information technology, biotechnology, and healthcare services".
In recent years, we've witnesses those domains — medical devices, information technology, biotechnology, and healthcare services — converge and expand rapidly through the Internet of Medical Things, or IoMT. The subset of IoT belonging specifically to healthcare and its supporting technologies, the Internet of Medical Things is made up of smart, connected devices that automatically collect, process, and digitally relay information from the physical world through a shared network infrastructure.
Networked medical devices give healthcare professionals the ability to be much more accurate with their treatment regiments, far more efficient in administering care, and way quicker collecting and responding to biomedical information.
As a result, IoMT technologies are currently exploding, both in terms of their popularity and capabilities. In fact, BI Intelligence estimates that there are around 330 million connected medical devices in deployment throughout the world today, with a further 125 million devices expected to be installed this year. Put simply, IoMT is redefining the practice of medicine. And while this new frontier of medicine is very exciting and hugely promising, it will not be won without some bumps and bruises along the way.
The Problem In General
The most likely cause for most of those bumps and bruises is cybersecurity. Cybersecurity refers to the strategies and actions developed to protect IT systems from code-based attacks or network intrusions. In medical terms, cybersecurity is the treatment — both preventative and curative — for the digital threats that ail you.
Malware, viruses, and hackers have been around for practically as long as interconnected computer networks. By most accounts, the first serious computer virus emerged a little over 30 years ago in the form of the Morris worm.
A Can of Worms
Written by Robert Morris, the Morris worm was a bit of code that was allegedly designed to map the Internet as it existed in 1988. The goal of the code was to copy itself to every Internet host and report back to sender information from each infected computer. To make its way into the target computers, the code exploited known vulnerabilities in Unix sendmail, finger, and rsh/rexec, as well as weak passwords.
Once the code succeeded in penetrating a given computer, it would use it as a launch pad to distribute itself to all the other terminals in that computer's local network. To keep the whole process moving along in an orderly fashion, before copying itself to a computer, the worm would ask the computer if it already had the code installed. This is where things went wrong.
Morris was concerned that some system administrators might not want to participate in his experiment and would run a process to automatically answer "yes" when asked if the worm was already installed (whether or not it was true). This would protect those computers against the worm and prevent Morris from getting an accurate view of the Internet's topography.
As the story goes, in hopes of neutralizing the potential impact of such interference, Morris tweaked his code so that one out of every seven times the worm asked a computer if it already had the code, it would copy and install itself to the computer regardless of the answer. This opened the door for multiple copies of the worm to be installed on the same machine, with the likelihood for such occurrences rapidly compounding.
As the worm spread, its rate of replication quickly accelerated to the point that many of the infected machine had thousands of copies of Morris' code running in parallel. Processing, storing, and replicating the code overwhelmed the computers to the point that they would be in a constant state of crash.
Some 2,000 computers were infected within the first 15 hours alone. Bear in mind that that's out of the total of some 60,000 machines worldwide that were hooked up to the internet at that time!
As with any virus, once a critical mass was reached, the Morris worm began to grow exponentially. To stop its spread, technicians needed to totally disconnect and wipe the computers, restoring them to factory conditions.
For days, the whole Internet needed to be partitioned, with regional networks disconnecting from the NSFNet backbone and from each other to prevent re-contamination. All told, it's not known quite how much damage was inflicted by Morris, though some estimates place the figure at $10,000,000 in the currency of the time.
That Which Has Been Is That Which Shall Be
I share this story because it offers a perfect starting point for a cybersecurity 101 lesson plan. Despite happening more than 30 years ago, the story is still remarkably relevant. Not only do most modern viruses work in a manner similar to the Morris worm, but the image of a single compromised terminal quickly ravaging whole networks still resonates too. It's a cautionary tale about the importance of across-the-board network hygiene.
Perhaps most significantly, our basic response methods remain much the same today as they were in 1988. While back then they had to break the whole of the internet apart and scrub each segment down before carefully reconnecting them, today, we rely on well-defined LAN and VLAN architectures to make isolation and disinfection more manageable and less painful. Still, it's the same idea: quarantine, clean, re-connect.
Of course, a lot has changed since 1988. The Internet is vastly more widespread. Attacks are much more common and much more malicious. Motives are more diverse. And we are much more profoundly dependent on connected devices than ever before.
Nothing illustrates that dependence more poignantly than the Internet of Medical Things. The connectivity of smart, IP addressable devices, opens them up to remote access and manipulation. At the same time, practically all modern healthcare operations are built with that connectivity infrastructure as their backbone. Remove networked equipment from the equation and most hospitals simply would not be able to function. And when hospitals don't function, people die.
The Problem In Particular
Great progress has come at the hands of digitization and the world of healthcare has been pushed immeasurably forward as a result. At the same time, this increasingly digital and internet-connected nature of healthcare has opened clinical facilities to tremendous risks. Cyber attacks on hospitals are on the rise, affecting the smooth-running of hospital operations, and putting patients at risk. In fact, according to a 2016 Poneman Institute report, nearly 90% of hospitals saw patient data breached in the two years prior to being surveyed.
Since 2016, things haven't gotten any better. Breaches increased by some 9.8% in 2017 and early indications out of 2018 show it being even worse. To put that into perspective, on an annual basis, the healthcare industry loses an estimated $6.2 billion to data breaches and associated expenses. And according to NetDiligence's annual Cyber Claims Study, the average cost to an affected HDO is approximately $537k (compared to an average cost of $394k across all sectors).
The data is unambiguous. Cyber insecurity is hitting healthcare particularly hard.
Why Are Hospitals a Target?
The obvious question is why. Why is healthcare the sector of the economy most targeted by hackers? Why are there more attacks against hospitals than banks and governments?
To answer these questions, you need to answer two other questions:
- What do cybercriminals stand to gain?
- What makes for a successful attack?
One important reason why healthcare is more targeted than other sectors is because it puts so many different malicious motives at play within the same arena.
There's the prospect of direct financial gain by stealing and selling medical records, or digitally holding equipment for ransom, or stealing PCI, or even stealing someone's identity and opening new lines of credit.
The increasingly active and brazen theater of cyberwarfare plays in as well. It's not hard to imagine one state undermining civil confidence in another by stirring up a healthcare related panic. Nor should we disregard the possibility of terrorism as a motive — with destruction itself being the objective and hospitals offering a relatively short and straight path to the finish line.
There's also the prospect indirect financial gain factoring in: someone might want to steal and leak information about a keyman (imagine the market reaction if you woke up to news of Warren Buffet being terminally ill); or hack a publicly traded HDO for which they hold a short position; or create demand for a cybersecurity solution. There's no shortage of possible scenarios.
Then there's the data itself. Someone might want to publicly release private information to embarrass a foe. Or people may want to get their hands on vast amounts of data to improve their data modeling for business or research purposes.
Finally, there's the murder motive. Hack an infusion pump and you can easily kill someone. Sure, there will be a digital fingerprint that could possibly trace back to you with good computer forensics, but chances are no one would ever think to look for it. Though it sounds like something out of a bad thriller novel, this frightening possibility has been demonstrated as far back as 2015, when hackers killed a simulated human by turning off its pacemaker.
Success Breeds Success (For Attackers)
Such an abundance of active motives means that there are a lot of people interested in attacking healthcare organizations and looking for a way in, so to speak. Unfortunately, ways in aren't very hard to find — making it comparatively easy to successfully hack healthcare.
Forced digitization leads to security oversights
For one thing, many healthcare organizations, especially in the United States, have found themselves legislatively compelled to digitize — often in a rapid, poorly planned, and out-of-process manner. More specifically, with the arrival of the Affordable Care Act, hospitals and medical centers had to overhaul their standard operating procedures and systems in order to satisfy electronic medical record requirements (among other stipulations).
Over the course of several years, EMRs went from a being a relatively fringe modernization project to an absolute obligation for all hospitals across the country. For major medical centers — large, dilatory and bureaucratic organizations, afraid of change and built on legacy processes and technologies — that sort of transition is seldom smooth or easy. Driven more with compliance rather than common sense in mind, in many cases data systems were put in place before any security architecture could be designed and deployed around them.
With millions of unprotected or under-protected medical records running through hospital IT networks, bad actors found themselves suddenly awash in attack paths.
Patchwork infrastructure doesn't seal well
For another thing, there's the fact that most hospitals are built piecemeal over decades — adding buildings and wings one at a time to an interconnected and often sprawling campus layout. Patchwork infrastructure, developed and enmeshed over years, tends to leave gaps, asynchronicities, and incongruities. This is as much the case for IT as it is for HVAC; and those patchwork problems can give malicious parties the openings they need to slip into your network.
Multi-vendor, multi-device type, multi-protocol mayhem
Even more fundamentally, the medical technology landscape is a complicated one — replete with a plethora of device types, each available through a variety of different manufacturers, and all patched together to meet interoperability standards.
While it may be obvious that different device types work differently and are subject to different network norms, it's probably less obvious that different manufacturers design essentially the same devices to use very different — and often proprietary — communication technologies and protocols. These facts combine to create digital environments that are not only opaque, but wholly unique to the world of healthcare.
Because of the differences in how medical device models and types communicate, security tools built for normal IT environments may not recognize the important and subtle behavioral distinctions that might suggest trouble in a healthcare environment.
What's more, because many of the devices utilize communication protocols unique to the healthcare space and/or unique to specific manufacturers, standard security solutions simply don't speak their language, and therefore lack the necessary insight to intelligently and dynamically respond to conditions in the network. In a medical environment, Network Access Control tools and firewall are just as strong as ever, but they're considerably dumber. They simply lack the context-awareness to be properly leveraged.
In other words, if a hacker happens to know the ins and outs of a given device's communication protocol, he or she can fairly easily open a line of communication with that device, penetrate the network, and spread the infection before anyone notices, isolates, or scrubs the affected segment.
Publicly accessible facilities leave physical access points largely indefensible
Hospital's are open to public. You're sick or you're hurt, just show up and we'll take care of you. That's the basic premise.
From the Latin hospes, a hospital is a facility that hosts and cares for those in need. Restricting physical access to devices or other network endpoints is all but impossible in such a publicly accessible and bustling environment. This too opens vulnerabilities and makes executing attacks considerably more straight-forward.
In the Moment, Cybersecurity is Often Less Pressing
Since so many of the people taking up hospital resources at any given moment were admitted without prior appointment (think medical emergencies), it is very difficult for administrators to anticipate asset utilization rates. And without knowing when a devices can be safely taken offline, it's impossible to plan downtime.
If you can't plan downtime, you can't update device software or implement security patches. Over time, this obviously exposes you to serious risk, but at any given moment you won't want to tell patients to hang tight while you service a machine that serves its critically needed medical function perfectly well.
Further to the point, with the most critical medical devices being the same ones that typically enjoy the longest deployment lifespans, deprecated and unpatched software is common for long stretches of time — keeping attack vectors open "in the wild" of your healthcare operation.
Legacy devices weren't built for this
There is also the fact that advanced medical equipment tends to be highly complex and expensive. Because of that, many devices — such as MRI machines, X-ray machines, and spectrometers — are designed for a long lifespan. This is a good thing for resource and cost management, CAPEX planning, and business continuity. But it is a very bad thing when it comes to cybersecurity.
A lot of old technology is built with open network operability, lacking any security measures or control because it was built long before anything resembling today's threat landscape emerged. Sometimes, IT teams might not even know that those old machine are network enabled — further threatening security. Bottom line: old machinery is fundamentally ill-equipped to keep pace with modern cyber threats.
We all make mistakes... especially when tired, overworked, and under-trained
If that weren't enough. There's also the human factor to consider. In fact, according to a report from Verizon, healthcare is the only industry where insider threats outnumber external threats (56% to 44%). There are a few specific things to bear in mind here:
- Hospitals are super stressful places by their very nature, and stress leads to more human error. Whether it's opening an email you should have known was phishy, misconfiguring security policies, or placing a device in the wrong VLAN, you simply can't expect people to go without making mistakes in such a high intensity environment.
- Hospitals need to run 24/7. As such, they have more total staff, and the staff on-duty is often more tired —working long shifts around the clock. More staff means more opportunity for human error and greater exhaustion, similar to stress, leaves people more error-prone.
- Basic cyber awareness is really really low among hospital staff. Most hospitals don't provide any mandatory cybersecurity training sessions and many employees have no idea what a phishing attack is, let alone how to spot one, or what to do after you realize you took the bait.
All of these things increase the likelihood of success for an attack against a healthcare operation. With so many reasons to attack and so many ways in, it's really not surprising that healthcare is the most breached industry. But where exactly does that leave the men and woman tasked with keeping hospitals safe?
The Standard Solution
Many of the same reasons that make healthcare easy to attack also make it hard to defend.
Traditional computer security architecture tends to focus on "the perimeter". In a perimeter security paradigm, defenses are set up surrounding the network and all requests to enter the network need to be vetted and processed through a port of entry — usually in the form of a switch, router, or wireless access point.
You can think about this approach as a type of border wall, called a perimeter firewall. If incoming traffic is determined to not abide by the perimeter firewall's rules of entry, the traffic is blocked and cannot access your internal network.
If insider threats were not an issue, and if this perimeter were unchanging and in place from day one, and if this perimeter can be assumed to be 100% effective at all times (past and future), well then a perimeter defense system would work perfectly. Unfortunately, you can't really count on any of that; which is why most modern networks utilize Intrusion Prevention Systems, Intrusion Detection Systems, and micro-segmented internal traffic architecture to prevent, detect, and contain threats that originate internally or slipped past your perimeter defenses.
Unlike perimeter security paradigms, micro-segmentation assumes threats are everywhere. Micro-segmentation allows you to redraw new perimeters concentrically within the network around strategic assets and workflows. These micro perimeters limit access to each service running on each and every asset — hence reducing the attack surface.
LANs and VLANs are the means through which micro-segmentation is typically implemented. Local Area Networks and Virtual Local Area Networks are set up around specific segments in the network — restricting communications to and from the devices within that segment to operationally relevant devices and workflows.
When micro-segmentation is properly implemented, attacks can be stopped by shutting down and cordoning off the lane of traffic in which the threat was detected. Using your Security Information and Event Management system, you can then inspect and clean the quarantined micro-segment.
In combination with firewalls, IPSs, and IDSs, micro-segmentation is an extremely effective solution. Still, at scale and in complex environments, this approach sees rapidly decreasing marginal returns. There are two main reasons for this:
- You need to have sufficient insight into the normal and healthy traffic patterns of your network to be able to know where to draw your mini-perimeters or VLANs. This boils down to visibility. And with the chaotic array of mixed communication protocols mentioned above, context-aware network visibility is a rarity in healthcare environments.
- Defining network segments and restricting devices to specific VLANs is a laborious process that lends itself to mistakes and is difficult to scale.
Network Access Control tools like Cisco TrustSec and Cisco ISE are designed to solve the second aforementioned problem. With these tools, you no longer need to configure the core components of your security architecture one-by-one, using VLANs. Instead, you can use logical rules to automatically group network segments, define corresponding security policies, and enforce the whole configuration.
Still, the vocabulary that NAC technologies provide with which to define those rules is somewhat limited and may lack the necessary dynamism to prevent things from falling through the cracks in a complex, scaled environment. What's more, you still need to be able to smartly set up those rules, which brings you back to problem 1 above.
In practice, hospital IT teams often cannot even tell how many medical devices are connected to their networks, let alone identify the device type then build out and manage device-specific risk profiles.
To implement a NAC-empowered micro-segmentation system, you need to identify and classify all the connected devices in your hospital, maintain a view of service-aware and purpose-aware traffic flows (to and from assets), establish nuanced normal use baselines, define deviation thresholds, and decide what to let in and what to block.
In other words, even with the ability to define policies based on security groups, it doesn't really help without understanding the network infrastructure and medical device communication protocols enough to properly classify the devices, build security groups, and define smart access rules between them. For this, the standard solution has no answer.
The Anatomy of a Better Solution
The need for more specialized medical network cybersecurity is clear and it's for this reason that CyberMDX was founded. CyberMDX's approach is based on one simple principle: superior visibility.
That superior visibility is delivered by way of a few key differentiators:
- Unparalleled healthcare device communication intelligence — on both the protocol and packet levels.
- Industry leading applications of Machine Learning techniques and Artificial Intelligence technologies.
- Original vulnerability research and zero-day protection.
For any healthcare organization looking to take back control and secure their digital domains, the first step is to prepare an inventory of the connected assets deployed across your hospital. Once all endpoints are mapped, you'll need to process the associated metadata in order to arrange those endpoints according to device types. You'll then profile each device and device type class according to their unique risk dimensions.
At this point, you'll want to sort all your endpoints into security groups. This can be done on the basis of device types, normal network interactions, clinical need, and risk profiles. Using those groups and the noted network baselines for device types, you'll define your security access policies. Network zones can be used to create security groups based on device criticality. Network traffic should be automatically scanned for unusual behavior, default passwords changed, and Wi-Fi connections secured, among other vectors.
In the case of CyberMDX specifically, the MDefend solution leverages deep packet inspection, active scanning, and AI to automatically identify and classify all network medical assets in your deployment. Using its medical communications intelligence engine, MDefend "unlocks" network interactions to reveal their context and purpose. In this way, the system provides further visibility into the traffic flowing between devices, services, and network nodes. Pulling on these observations and the historical data points it's collected, MDefend assigns device-specific and business-wide risk scores so administrators know where best to focus their efforts.
In essence, for healthcare organizations, MDefend provides the brains needed to empower the brawn of your NAC technologies. In practice, this methodology can be distilled into 10 steps:
- Install network monitoring mechanism and map your connected asset inventory
- Apply AI-assisted protocol insights to "unlock" traffic context
- Audit for and redress known vulnerabilities
- Establish baselines for healthy network behavior for each device
- Continuously monitor for statistically significant deviations from those baselines
- Create and build into your security architecture an incident response and escalation protocol
- Define security groupings based on device types, vendors, models, adjacent asset trust relationships, etc.
- Integrate your monitoring, management, and enforcement regimes
- Look for new attack vectors to lock down
- Refine and automate the process
The last two steps in that procedure warrant a bit of expansion.
It's important to look for new attack vectors to lock down because vulnerabilities are not immediately made public upon being discovered. They need to go through the sometimes lengthy process of responsible disclosure. This process can leave healthcare organizations exposed to "in the wild" exploit situations. A complete healthcare cybersecurity solution therefore not only works to mitigate disclosed vulnerabilities, but is constantly on the hunt for zero-day vulnerabilities to protect against.
Similarly, a duly advanced solution will be able to continuously refine and automate its security processes to the point that it not only responds to incidents but prevents them altogether. On an ongoing basis, MDefend monitors your network to ensure good cyber hygiene — making sure that segmentation and governance doesn't degrade over time — and integrates other data streams into its AI to survey the threat landscape and stay ahead of threats.
The Educational Imperative
Responsibility for maintaining cybersecurity needs to be felt throughout the whole organization. It may start with IT, but it extends to everyone. It must not be thought of as something outside of anyone's department.
In the case of a recent vulnerability uncovered by CyberMDX, we first noticed the potential opening to attack after seeing confidential medical device documentation shared online. The documents shared contained sensitive information about the device’s proprietary communication protocol. Luckily, our researchers found this information before a hacker. In the wrong hands though, that information is a loaded gun.
This is worth mentioning because the person who posted the information had no idea of the potential consequences. He was trying to solve an interoperability problem and he turned to the internet in order to collaborate with other healthcare professionals. He requested information from the device manufacturer for normal and legitimate purposes. He received that information discreetly and confidentially and then proceeded to share it — without thinking of or understanding the security implications.
It's unlikely he even noticed those morsels of information that could have heralded his organization’s undoing and he definitely wasn't trying to cause any harm. But that really just points back to the fact that the impact potential of healthcare attack vectors is amplified by poor education and human error.
Most of the places that danger lurks aren't obvious — at least not to non-cyber people. So without a concerted effort to educate people in the basic dos and don'ts (a cybersecurity 101 course as it were), there won't be nearly enough mindfulness to prevent even the most easily preventable problems.
Better education — geared at awareness and best practice training — is a must. Without it, you'll find yourself at a sustained and largely insurmountable disadvantage. Together with smart purpose-specific cybersecurity solutions, organization-wide education is the key to not only surviving disruption but thriving on it.
In Perspective: MedTech Cybersecurity
Modern medicine is a well-oiled machine, its gears and cogs calibrated and refined over thousands years. With the stakes so high, it only makes sense that its gatekeepers are wary of alterations. At the same time, recent years have seen the rapid onset of change in this industry so resistant to it. First there were the sweeping modernization requirements of the ACA, then there was the IoMT explosion, then came CVS-Aetna, then the Amazon-Berkshire Hathaway-JPMorgan health initiative.
If you're waiting for the pace of change to slow so you can regain your footing, you'll likely never get the opportunity. Chances are strong that disruption will characterize the new normal for healthcare. One unfortunate source of that disruption is sure to be cybersecurity — or more accurately, cyber insecurity.
The Internet of Medical Things has brought with it a proliferation in the number and complexities of digitally connected devices and infrastructures serving healthcare organizations. While improving the efficiency of care and opening up new treatment horizons, the connectivity of smart, IP addressable devices also opens them up to remote access — potentially by unintended and ill-intentioned parties
Indeed, due to a variety of circumstantial disadvantages, structural weaknesses, an overabundance of malicious motives, and serious obstacles to remediation, hospitals have become a veritable playground for hackers. To contend with these threats, HDOs need help.
A digital architecture designed around the principles of containment and control is paramount. But without some sort of accompanying deep and wide context-aware visibility assistance, it will be difficult to intelligently and effectively devise the parameters of containment. And without some sort of automation to the process, it will be difficult (bordering on impossible) to scale and maintain such an architecture. Further complicating the picture, even if you succeed in deploying an architecture of the sort described, it will be of little use if you don't have a continuous scanning and detection mechanism in place to inform you of when and how to use your containment and control mechanisms.
It is for precisely these reasons that smart security solutions are required. More specifically, hospitals need security solutions built specifically for the challenges and complexities of their unique IT environments. General security solutions — built broadly for enterprise environments — are fundamentally incapable of delivering the rich contextual awareness needed to survey and secure healthcare networks.
Of course, technology and tooling alone cannot save the day here. At its core, healthcare cybersecurity needs to be treated as an educational imperative. The lack of staff and administrative wherewithal, both in terms of cyber hygiene and asset tracking, gives rise to the conditions for vulnerabilities to fester.
In a work environment characterized by high intensity, high fatigue, and high shift turnover, you can't rely on people always being highly attentive and razor sharp. That's why training is especially important. When it comes to basic cybersecurity, many of the most common lapses occur when people are operating by rote; which means good cyber hygiene practices need to be ingrained in the muscle memory.
The road to comprehensive clinical cybersecurity can be fraught, but if your organization is going to make it to the top of the heap, it'll need to be traversed just the same.