It seems that every day we hear about the need for more and better medical cybersecurity measures, but why? We don’t hear about the need for retailers to improve shoplifting prevention mechanisms. So why medicine? Why aren’t built-in security tools, technologies, and techniques adequately protecting hospitals?
To answer that question as succinctly as possible, it should suffice to say that while medicine is not a new field, the way it's practiced has changed dramatically in recent years and continues to change at a rapid pace. This introduces new threats.
Of course, there's a lot more to it — and as with most things — the devil is in the details. Let me explain.
Connectivity Drives Better Outcomes But Opens Door to Malicious Actors
Probably the most significant way in which healthcare has changed over the last decade is in the proliferation of network connected medical devices and clinical assets. But it's not just about how many endpoints there are in a typical healthcare IT computing network, it's about how profoundly dependent we've become on those endpoints. Remove networked equipment from the equation and most hospitals simply would not be able to function.
Globally, BI Intelligence estimates that there are around 400 million connected medical devices in deployment, with a further 125 million devices expected to be installed in 2019. These devices range from diagnostic equipment, such as MRI and CT scanners, to therapeutic equipment, such as patient monitors, and life support equipment, such as infusion pumps and defibrillators.
At one time perhaps we’d pay these devices little attention, but eye-catching headlines like Hacking risk leads to recall of 500,000 pacemakers due to patient death fears, or Your private medical data is for sale have changed that. Even more disconcerting, the tools and techniques available to cyber criminals are always evolving, becoming more sophisticated and harder to stop.
While it would be nice from a security perspective to put "Jack back in the box" and de-network our medical devices, it’s simply not going to happen. Greater connectivity brings greater process awareness and integration, which brings greater speed and efficiency. Network connectivity also means more and more granular data points from which meaningful real-time insights can be derived — leading to a better quality of care. Smart connected devices also enable programmable, automate-able, and remote care — opening new treatment frontiers, improving patient comfort, reducing operational frictions, and alleviating capacity strains at medical centers.
For these reasons and others, digitally connected medical devices are here to stay. At the same time, they make the administration of care and the processing of patient data much much less secure. And although there are things that can be done to help shore up the security gaps in a medical facility's digital operations, most hospitals just aren't taking the necessary steps.
For example, hospitals in the UK roundly failed cybersecurity tests designed to find out if they had learned lessons from the crippling WannaCry attack. A recent survey found last year's global average cost of cyber crime for healthcare providers to be around $12 million. That's just the average. Those organizations hit hard by hackers got it a lot worse. Even scarier, that figure represents an increase of 27.4% over the previous year! That's an objectively terrible trajectory. And the situation is likely to get much worse before it gets any better.
New Normals, Supply Side Complexities & Infrastructural Vulnerabilities
Electronic Health Records are rapidly becoming the norm
Modernization efforts and legislative encouragement mean that vast troves of data previously filed away and stored under lock and key in the bowels of hospital warehouses are now being digitized. This makes them potentially a lot more accessible to bad actors. While voluminous paper records are difficult to steal, flimsy or altogether absent medical cybersecurity measures mean millions of digital documents can be moved with speed and ease.
In United States, where the Affordable Care Act came into effect in stages, beginning in 2010, EHRs not only offer bad actors a more accessible route to data theft, but are required to hold much more information than was previously standard. That new information contains ever more value, which means greater motive to undermine the security apparatus protecting it.
Old equipment can’t keep pace with modern threats
The WannaCry attack famously exploited a problem in a 30-year-old software protocol and specialist equipment. That's an extreme example, but it illustrates a very important point. It is totally normal for administrators to coax decades of service out of their heavier and more costly machinery.
MRIs, for example, have an average service life spanning more than 11 years; and that average is growing. To put that into technological context, 11 years ago, myspace was still an internet mainstay and Facebook was still a scrappy startup trying to challenge its dominance. Even with regular attention, devices developed in radically different cyber epochs just aren't suited to keeping modern threats at bay.
Think for a moment about how retailers use anti-shoplifting measures to prevent theft. They use security tags, RF tags, and EAS gateways. But for hospitals, the equivalent physical solutions would all need to be built into the devices1 or added by the manufacturer. Since the cyber threats being faced by healthcare operations are relatively new and always changing, it’s simply not possible to have up-to-date built-in or retrofitted defenses in place across the board. So no matter how strict pre-market regulatory oversight is, once the devices are deployed in a hospital, the threats continue to evolve.
It’d be like a retailer clipping security tags on some clothes and not others, sticking RF tags on only a smattering of items, and installing EAS gateways at only some doors. It would be extremely easy for criminals to ravage such an operation. That’s pretty much the situation for hospitals. Unlike the retail example though, even devices with robust security built-in are left exposed by virtue (vice?) of the overall vulnerability of the network through its other endpoints.
Networks are the hospital’s central nervous system
Devices are networked to allow for information sharing and central administration, which means the network is one of the hospital’s main vulnerabilities. The risks can be reduced by using LANs and VLANs to divide the network into isolated and purpose-specific traffic streams, while restricting access (on a user or terminal basis) to sensitive parts of the network. But this segmentation is applied manually or by fixed rules — neither of which cater easily to complex and ongoing changes.
Of course, the other major factor is that hospitals represent a particularly attractive target for cyber criminals. More than other industries, the motives underlying attacks in healthcare are many and fast changing. Let me explain.
There Is No Shortage of Motives for Attacking a Hospital
Accessing patient records provides criminals with several opportunities for financial gain
With care grinding to a halt in lieu of supporting technology, hospitals whose equipment is held for ransom often feel they have little choice but to pay. Hancock Regional Hospital, for example, paid a $55k ransom in the midst of a flu epidemic to get their systems back online quickly. But that payout does not exist in a vacuum and it contributes to the incentive driving those same or other criminals to return for more.
Say you have a backup fleet of medical devices and clinical assets waiting in the wings for just such an event, you're still not safe. Hackers may up the ante and try to restore their leverage by threatening to publicly release patient medical records. This wouldn't just be a PR nightmare, but it would be a severe violation of the trust that patients invested in you; it would invite costly lawsuits, you'd be hit with myriad regulatory fees and penalties, and your reputation would probably never recover.
The phrase "downward spiral" comes to mind. In fact, data loss could result in patients having their identity stolen or money taken from their accounts. One survey found that some 7% of patients would likely change providers after a data breach.
It's with these thoughts in mind that decision makers so often bite the bullet and pay their extortors. What's worse, the threats and associated price tags can increase if criminal gangs (rather than rogue individuals) are involved.
Cyber terrorism is among the most effective weapons in a rogue nation’s armory
State-sponsored cyber attacks such as those against Singapore’s largest health care institution, SingHealth, and attacks on several US utilities are becoming more common. The WannaCry ransomware attack that wreaked havoc on the National Health Service was traced to the North Korean-sponsored Lazarus Group, leading the UK National Cyber Crime Unit to charge one of the group members.
Attacks like these are increasingly favored by hostile states for several reasons:
- The technological means of attack are sophisticated enough that their origins are comparatively easy to obscure. And even when the perpetrators are caught leaving a forensic trail, since the cyber equivalent of the "smoking gun" usually requires a technical and somewhat convoluted explanation, it's unintelligible to most people. Rogue states will seize on this esotericism to portray the matter as ambiguous. Making it easy for the responsible part to deny involvement even when there's evidence.
- Such attacks exploit relatively soft targets, have large impact radii, and — unlike a first strike in a conventional conflict — don't immediately invite retaliation.
- The sense of panic that would spread from incapacitated national health services can terrorize the population and easily shake confidence in government and public institutions.
- Whereas you can easily monitor troop movements, military spending, etcetera, there are no such readily appreciable precursors to attack in the cyber realm. When an attack takes place, therefor, a universalized apprehension can begin to take hold. Without any idea of where and when the next attack will occur, you can be excused for beginning to fear your own shadow.
What’s more, medical implants and infusion pumps can be selectively interfered with, putting the patient at risk. It may sound like a Bond movie plot, but this can be exploited by political or business interests to carry out targeted assassinations or even just to manipulate markets. If you think this sounds ridiculous, consider whether it’s more or less believable than 2 Russian operatives traveling to the UK to assassinate a Soviet-era double agent and his daughter using a nerve agent in a public park, in broad daylight.
Cyber sabotage conceived and carried out in social protest is growing in popularity
Hacktivism has been successfully used against businesses and governments for years. Michigan’s state website was shut down as a protest against lead entering the city of Flint’s water supply, as were North Carolina government websites in protest against LGBT law changes.
Hospitals aren’t immune. An activist was convicted for hacking The Boston Children’s Hospital in 2014 to raise awareness of a case involving a teenager who was taken into custody following a dispute with the hospital. Hurley Medical Center was attacked in 2016 — also as collateral damage in the Flint water crisis. The effects of the attack on Hurley Medical Center were limited because of efficient business continuity planning, but other organizations haven’t been as lucky.
The risk of such attacks is only increasing as hacking tools becoming cheaper and easier to buy as well as to use.
Moving Forward With Caution: Smart Medical Cybersecurity Measures
A hospital network has many access points, so a well-thought-out and layered defense architecture that reduces the attack surface is essential.
Whereas medical cybersecurity measures that alter the device's hardware or software are restricted to manufacturers and highly limited, defenses built for the environments in which the devices reside and through which they must run are much more manageable. Such solutions work on several layers —
- First identifying all connected devices and auditing the network and its endpoints for known vulnerabilities and exploitable security gaps
- Then distilling that audit into a remediation directive for the relevant administrator
- Then mapping all network connections and grouping operationally-related devices and workflows together
- Then restricting intra-network communications to a number of self-contained, well-defined, and purpose-specific channels (VLANs)
- Then establishing baselines and deviation thresholds for normal/legitimate channel behaviors
- Setting up alerts and controls to kick into effect whenever said thresholds are exceeded
- Making use of all available network insights at the most granular levels via automated micro-segmentation and anomalous traffic isolation
- Finally, there's the ongoing risk monitoring and assessment
It’s important that the efficacy of any such solutions be somehow measurable. Any solution worth its salt will be able to do 3 basic things — map and understand the interactions and endpoints within your network, rapidly detect suspicious network behavior and security gaps, and prevent attacks before they ever get off the ground.
Since prevention is not really measurable (you cannot count how many events didn't happen), it's better to focus on mapping and detection. Between these two functions, there's one common and very critical factor that determines their effectiveness. Visibility. It all starts with visibility. A good barometer by which to measure a prospective solution is how much new visibility it adds to your networked devices.
Answering these 8 questions should provide a good starting point for assessing a solution:
- Can it tell you how many devices are deployed?
- Can it tell you the device’s type?
- Can it tell you the device’s manufacturer?
- Can it tell you the device’s model?
- Can it tell you the device’s MAC address and serial number?
- Can it tell you what operating system the device is running?
- Can it give you a context-aware risk level for each device?
- Can it relate newly discovered vulnerabilities to the affected devices in your deployment?
A good solution will score the risk of a successful attack on each device and allow you to drill down into the scoring parameters. The more detailed the information recorded for each medical device, the easier it will be to monitor vulnerabilities and identify when changes, such as software patches, are needed.
Of course, other best practices such as data encryption, role-based authentication, and staff training also have an important role.
From the changes to how healthcare is delivered and managed, to the regulatory and supply chain complexities, to the knock on effect that a vulnerability over here has on a networked device over there, to the incentives motivating bad actors — it's fair to say that the security challenges besieging healthcare are quickly evolving. As such, it only makes sense that the medical cybersecurity measures employed to protect hospitals and their patients evolve at an equal or faster pace.
The fact is that criminals have a lot to gain from a successful attack, and their persistence in light of fundamentally degenerative hospital infrastructure, means the risk of attack will only increase. The threat to patient safety, reputation damages, and fallout costs — data breaches costs the U.S. healthcare industry $6 billion a year — means hospitals need to do a better job defending their assets.
- Medical devices cannot be reconfigured or retrofitted without voiding FDA certification, introducing a slew of liability hazards, and violating applicable laws.