We’ve entered the era of the “digital forevermore”—the open, anonymous, “internet of things” that has become the “internet of everything”—and it wasn’t designed to be secure.
That’s the opinion of Tom Ridge, the first secretary of the U.S. Department of Homeland Security, who warns, “Everything that makes healthcare more efficient, every access point, new device, or algorithm, for every positive there’s a negative: risk and vulnerability.”
His warning is echoed by the Government Accountability Office (GAO), which has stated:
“The interconnectivity between information systems, the internet, and other infrastructures creates opportunities for attackers to disrupt critical systems, with potentially harmful effects.”
The enormity of these and other warnings from officials in the U.S. Food and Drug Administration, the Health Information Management Systems Society, and others is overwhelming.
So overwhelming and ominous, in fact, that many administrators, boards of directors, and even information security professionals at healthcare organizations simply don’t believe that they apply to them.
And that is exactly what cyber attackers want you to think.
“Rationalization is such a dangerous and powerful tool for attackers. They know that it brings us comfort, and they rely on it,” says John Gomez, CEO of cybersecurity firm Sensato, “But it’s like an ostrich sticking its head in the sand – just because we refuse to see it doesn’t mean an attacker isn’t coming for us."
”It’s very common," notes Gomez, "for even those in IT security positions at healthcare organizations to believe that cyber attackers are only interested in the largest targets. This belief lulls people into a false sense of security that their healthcare organization is too insignificant to become a target."
Read about the known and potential threats to healthcare information and medical device security.
Just the opposite is what Will Carter, deputy director at the Technology Policy Program for the Center for Strategic and International Studies, expects. According to Carter, cyber operations in North Korea, Russia, or China aren’t likely to attempt an attack on critical infrastructure yet—because they’re still gathering data.
“These organizations are run like Fortune 500 companies in Silicon Valley. They recruit computer science majors at colleges, offering signing bonuses for lucrative careers with full benefits,” says Gomez.
“Career attackers have quarterly targets and get bonuses like a brand-new Ferrari for hitting their quotas. They’re looking for vulnerabilities, and they don’t care if the data comes from a large company or a small one, as long as they meet their quotas."
”Unsurprisingly, healthcare is among the most targeted industries for cyber attackers because of the wealth of data that can be accessed and the likelihood of vulnerabilities that provide openings for attackers. Sensato has found an average of 6.2 vulnerabilities per medical device, with many running on operating systems too old for patches or updates.
It may sound bleak, but there are ways that healthcare organizations can protect against attacks and prepare for a fast response in the event of a breach. Sensato sees it as its mission to help healthcare organizations safeguard lives. So, it built its MD-COP (Medical Device Cybersecurity Operations Program) around the strategies and tactics that it sees as key.
Every healthcare organization should have an incident response plan in place outlining specific and detailed response protocols. The goal of the incident response plan is to survive an attack, sustain operations, and be able to quickly move forward with as little impact to patient care as possible.
Sensato provides an Incident Response Platform Framework that helps address the administrative, operational, and technical aspects of medical device security. This is accomplished by providing a comprehensive set of best practices, a default written policy, and a manufacturer assessment framework.
Like training staff with mass casualty or disaster evacuation drills, every healthcare organization should also train for cyberattack. Testing your incident response plan is just as important as the plan itself, helping staff create a type of “muscle memory” that aids in faster and more efficient response.
Sensato actually runs a Cybersecurity Tactical Training Center or “cyber range” where IT security staff can undergo an intensive five-day program. Beyond learning how to use Sensato’s platform, the cyber range gives staff tabletop simulations of different attack scenarios.
“You can’t know how well you and your staff will perform until you’re actually under attack, and you don’t want the first time to be a real attack,” says Gomez. “We want IT security staff to know in advance how they will respond on their worst day.”
It goes without saying that every “connected” organization should have a solid defense system of firewalls, anti-virus, and other programs to help prevent breaches. But attackers are determined, so it should also go without saying that every organization should be protected with a breach detection system designed to use the attackers’ own tactics and methods against them.
Sensato recommends a honeypot like the Nightingale, designed to detect a breach within a couple days, not a couple hundred days (which is the dismal average). “Taking the attacker’s perspective, we know that the first thing an attacker will do after breaching a system is start scanning it looking for assets,” says Gomez.
“By creating an isolated and monitored server that appears to be a high-value target in your network, you can draw an attacker to it, spot the anomalous activity faster, and even watch the attacker so you can then use their own tactics against them.”
Segmenting systems is one requirement that many organizations find the most difficult and expensive, but it is absolutely necessary to keep an attack from spreading among devices or throughout a network. This is especially true in the healthcare industry, which tends to push medical device technology well beyond manufacturers’ life expectancy and ability to provide security patches or updates.
Segmentation can be tricky, but it’s worthwhile to cut off access points through which an attack could go catastrophically organization-wide, spreading through devices and networks.
When weighing the cost and time commitment to segmentation, Gomez reminds those in charge of IT security to think about the potential for damage: not just the huge cost of replacing highly specialized medical equipment, programs, and devices; not even the inestimable cost of creating a public relations nightmare; but, most importantly, the potential for the true tragedy of impacting patient care or even taking human life.
“In military parlance, we ask our clients to think about their high-value targets,” says Gomez.
“There’s no higher-value target than your patients.”
