Cybersecurity

THE RISK IS REAL

Hackers are eyeing your organization. Are you ready for a worst-case scenario?

Pre-dawn in the critical care unit at a metropolitan hospital. Shift change is still an hour away, and the overnight staff — at a bare-bones level these days — is doing paperwork after a quiet evening. Suddenly, a shrill alarm pierces the silence.


Story by Samuel Greengard

It's no secret that today's connected information technology systems and medical devices are changing health care in radical ways. On one hand, they are driving significant improvements in the quality of care while bringing enormous productivity gains and cost savings. On the other hand, managing the growing tangle of systems and devices increases security risks, sometimes exponentially. Data, devices and systems are increasingly in the crosshairs for hackers, attackers and cyberthieves. “It's an extremely unsettling environment,” says Gene Thomas, vice president and chief information officer at Memorial Hospital and Physicians Clinics in Gulfport, Mississippi.

INTERNET OF THINGS

A concept describing the growing connection of everyday devices to the internet and/or to each other — everything from cellphones to washing machines. In health care, that can include drug infusion pumps, vital-sign monitors, bed occupancy sensors and more. Frequently abbreviated as “IoT.”

Like many executives charged with protecting systems and data, Thomas is increasingly anxious about the state of cybersecurity. “The risk is pervasive and it is growing,” he says. What's more, “Health care is fundamentally different than other sectors. It's not just about stealing an identity or money. The potential exists to hurt innocent people, or worse, by attacking systems and tampering with devices.”

Memorial, a 412-bed facility with more than 90 clinics, is increasingly vigilant about how it designs systems and networks, which vendors it selects, how it procures medical devices, and many other factors that revolve around cybersecurity.

Thomas is not alone. As the internet matures and the “internet of things” takes shape, there's a growing recognition that health care providers must take cybersecurity to an entirely new level without crippling the ability of medical practitioners to do their jobs.

But many systems and connected medical devices don't measure up to essential security standards. In recent years, researchers already have discovered vulnerabilities in drug infusion pumps, ventilators, X-ray machines and MRI systems, to name a few.

“Health care providers are trying to play catch-up,” says Paul Hill, a senior consultant at Massachusetts-based cybersecurity firm SystemExperts Corp. “But many are falling further behind.”


Risky Business

HEALTH CARE IS THE MOST ATTACKED INDUSTRY

According to cybersecurity firm ZingBox, 90 percent of hospitals were victims of cyberattacks in 2014 and 2015, leading to $6 billion in annual costs. Unprotected medical devices are the top vulnerability.

Connected medical devices allow health care organizations to gather data about patients, monitor their conditions, and track the location of medical devices as well as how they’re used in hospitals. According to a July 2017 study conducted by cybersecurity firm ZingBox, connected devices now reside on 90 percent of health care networks.

Gene Thomas, chief information officer at Memorial Hospital at Gulfport, says gaining the support of the C-suite and board helps ensure funding for data security and sets a tone for the organization. | Memorial Hospital at Gulfport

However, 70 percent of health care providers mistakenly believe that traditional security methods are sufficient for managing the task. “The reality is that there are enormous risks and too many organizations are stuck in a patch-and-pray mentality,” says Sean Smith, director of the Institute for Security Technology and Society at Dartmouth College.

A 2015 paper Smith co-authored, Workarounds to Computer Access in Healthcare Organizations: You Want My Password or a Dead Patient?, found gaping holes in authentication methods, deauthentication procedures, permission management and more.

“In the ‘IoT’ world, it's not inconceivable that someone could gain access to systems or devices and remotely change data or parameters, or drain battery life, to wreak havoc on patients,” he says. No less frightening: Cybercriminals who control a connected system could hold data — or actual patients — for ransom.

The FBI says a typical ransom ranges between $200 and $10,000. However, over the last few years, several hospitals have been attacked by ransomware — malicious software designed to block access to a computer system until a sum of money is paid. That includes a Southern California facility that forked over about $17,000 to unlock its systems and files.


More than Money

Byron C. Scott, MD, deputy chief health officer for Simpler Consulting, part of IBM Watson Health, asserts the top organizational goal has to be protecting patient information.

Other IoT risks are downright chilling. In 2015, researchers at the University of Washington hacked into public communication systems that control teleoperated robots. They could make a robot perform in a jerky and difficult-to-control way — and even shut it down by overloading it with input. In 2013, a cybersecurity expert remotely hacked into an infusion pump and proved he could remotely administer a lethal dose of drugs through the device. Others have breached pacemakers, blood refrigeration units, CT scanners and X-ray machines.

Meanwhile, the U.S. Food and Drug Administration has issued a warning and guidance document for pre-market connected medical devices. And in 2015, the FBI also issued a warning for medical devices and wearables.

“Device developers are rushing into the market with the internet of things,” warns SystemExperts’ Hill. “There is a lot more emphasis on producing a product than making sure it's secure. In many cases, they are simply embedding a version of Linux [a widely used, community-developed computer operating system] or another operating system into the device and then building features on top of it. There is little or no review of the security architecture during the design and development phases. In addition, many companies aren't performing penetration tests and conducting internet exposure profile tests before releasing the product.”

A 2016 report from market research company Forrester, Healthcare’s IoT Dilemma: Connected Medical Devices, notes that the health care sector suffered more data breaches in 2015 than any other industry. Overall, more than 100 million people were affected in the United States alone. The problem? Health care companies spend only about 15 percent of their total IT budgets on security, trailing every other industry.

The report says connected medical devices are subject to four key attack scenarios:

Cybersecurity consultant Paul Hill says some manufacturers of new medical devices are rushing into the market, putting more emphasis on production than security. | Photo from Paul Hill / SystemExperts Corp.

  • Denial of service: Interrupting authorized users’ access to a computer network, usually followed by a demand for a ransom payment to cease.
  • Patient data theft: Using malware or exploiting a system weakness to gain access to an electronic health record and steal personal information.
  • Therapy manipulation: Illicitly adjusting a patient’s treatment via unauthorized access to a connected medical device.
  • Asset destruction: Intentionally destroying or damaging a medical device.

Analyst Chris Sherman points out that physicians and other health care professionals tend to “prioritize timely care over security.” In fact, 46 percent circumvent their organization’s security policies in pursuit of greater efficiency, while 29 percent say security policies are too strict or unreasonable.

“Most medical professionals and executives aren't even aware that weaknesses and vulnerabilities exist,” says James Fine, MD, chief information officer at the University of Washington Medical Center. “They don't think of the equipment they use as network devices, and they don't recognize that they could lead to a breach.”

UW Medical Center learned this lesson firsthand several years ago. When a security executive at the medical center visited the facility as a patient, he raised questions about an IV pump. Chief technology officer David Chou, MD, began probing the system and quickly discovered a gaping vulnerability. “We insisted that the vendor repair it, but obviously, how we discovered it was somewhat of a fluke.”


Rx for Security Success

Developing an IoT security strategy and putting effective security measures in place is no simple task. Yet analysts say it is possible to build a safer and more-secure IT and business framework within health care facilities.

WHAT IS TWO-FACTOR AUTHENTICATION?

An extra layer of security, requiring not only a username and a password but also something else (a piece of information or a physical item) that only the individual user knows or has on hand.

Joseph Kim, MD, EHR expert and president of Q Synthesis, a health care education and quality improvement company, says medium-sized and small hospitals are struggling the most with data security.

“Start with the concept that a multilayered security approach is essential and that it must span many different touchpoints,” explains Steve McGee, senior project consultant at SystemExperts. “It's also important to think very differently about cybersecurity than in the past. A more flexible and nuanced approach is necessary.” Traditional security practices remain an important part of the picture. These include such things as authentication (including two-factor authentication), access controls, encryption, malware detection and much more. But those alone aren't enough. Interconnected devices mean more opportunities for attacks and introduce the specter of new types of assaults that can compromise an enterprise.

Health care facilities must identify all systems and devices they use as well as purchase requirements, says Dan Bowden, vice president and chief information security officer at Sentara Healthcare, a Virginia-based not-for-profit system with 12 hospitals, nearly 28,000 employees, more than 300 sites of care, four medical groups, and a health plan that serves 450,000 members.

“You must have an accurate inventory of devices, including the manufacturer along with the make and model. You must understand how these devices are configured, what operating systems they run on and how patches and firmware upgrades take place,” he notes. What's more, once a facility has an inventory in hand, “it's critical to map the potential threats against the assets. You can then create robust controls for the devices.”


Other Considerations

Procurement processes also must reflect organizational security, explains Scott Richert, vice president of technology services at Mercy, which operates 32 acute-care hospitals, 11 specialty hospitals and more than 700 physician practices and outpatient facilities in Missouri, Kansas, Oklahoma and Arkansas. It also has documented its systems, networks and devices. At Mercy, this led to an extensive vendor survey that includes upwards of 100 questions. These include issues such as: What's your patching cadence? What's your authentication method? What's your encryption method?

Sean Smith, director of the Institute for Security Technology and Society at Dartmouth College, has found that too many health care organizations are stuck in a “patch-and-pray mentality.” | Dartmouth College

“We do as much as possible to validate the responses and make sure they are correct,” he says. Richert also focuses on both internal systems and how devices tap network resources. “It's important to watch ‘east-west’ traffic flows, understand how devices talk to one another and either isolate or drive out devices and platforms that aren't being supported or patched,” he explains. Yet the task of managing devices and data doesn't stop there. “You have to know what data is going back to the vendor or to third parties.”

Michael Bakerman, MD, CMO at St. Elizabeth’s Medical Center in Massachusetts and a former chief medical information officer at Massachusetts Memorial Health Care, discusses the vulnerability of health systems.

When he encounters a device or platform that is critical for the organization but lacks essential built-in security, “we look for ways to isolate the technology or we use tools to spot anomalies,” he adds. Among other things, Bowden says that he watches for signs of spoofing (falsifying credentials or other data) or attempts to place fraudulent authorizations or certificates.

Analytics and artificial intelligence tools are beginning to make a mark, Hill says. Although many organizations already track login locations and machine IDs, a new generation of tools can provide deep insights into unusual device and data behavior.

AI tools can be used to analyze login monitoring but also to watch data as it flows across networks. “They can identify suspicious patterns and provide an alert or shut down a network port,” he notes. However, this approach isn't a substitute for human supervision. “You really have to understand what is and what isn't valid traffic. Otherwise, you can wind up putting lives at risk by crippling devices and choking off data. You don't want a system shutting down or unavailable at a critical moment,” he warns.

Hill also recommends taking a close look at networks, including Wi-Fi. Although most facilities already operate separate networks for internal use and guests, a more granular approach might be better. “It's important to segregate data and have essential access controls in place,” Hill says. Unfortunately, he notes, many current IoT devices lack support for key network-access control protocols. Consequently, “You may need to add technology and processes to assist with the task.”


A Healthy Approach

A multilayered security program also extends beyond technology and processes. Education and training are also important pieces of the puzzle. Helping medical practitioners and staff spot suspicious links in emails also is paramount.

Scott Richert, vice president of technology services for the Mercy health system, says his organization sends an extensive security survey to vendors, then validates responses to ensure they are correct. | Mercy

Working with the C-suite and board of directors — and ultimately gaining their support — also is essential, says Memorial Hospital’s Thomas. This helps ensure adequate funding, but it also sets a tone for the entire organization. However, “You must frame things in a way that makes sense for them. You must answer their questions and make everything relevant.” Adds Bowden: “It's important to keep the message simple and direct, largely revolving around assets, threats and recommendations.”

In the end, Hill says, health care security executives must think about risks and protections in a more holistic and broad way. As consumer wearables, remote monitoring and new IoT sensors and devices enter the picture, there will be a greater need to monitor activity — and also establish a governance and control framework that addresses devices, perhaps in a way similar to today's mobile device management solutions.

“The internet of things and connected medical devices offer many advantages. They will create productivity gains and improve the quality of care,” Hill says. “But they also introduce many risks. They must be actively and carefully managed.”


THE AUTHOR:

Samuel Greengard is a business and technology journalist based in Oregon. He is the author of The Internet of Things (MIT Press, 2015), which explores the benefits and risks of the connected world.

-------

AUDIO INTERVIEWS: Rick Mayer and Lesley Valentin


Eight Ways to Reduce Your Risk

  • Adopt a multilayered approach to cybersecurity. Traditional security methods haven't gone away. But today, there are no limits to your risk. Accordingly, put multiple technologies and detection methods in place: encryption, authentication, access controls, endpoint security, malware detection and more.
  • Identify and inventory all connected devices. Many organizations can't identify all the connected devices they are using. Things are further complicated by “shadow IT” (undocumented systems solutions) and rogue devices, many of which run old operating systems or insecure firmware. This greatly increases organizational risk.
  • Establish a patch management and firmware update policy. It's critical to ensure that devices and software are running the latest firmware and software. It's no simple task, and it's complicated by FDA regulations and requirements, but an inability to address vulnerabilities on a timely basis can prove fatal.
  • Monitor data in motion. The whole point of having connected medical devices and other IoT devices is the ability to generate and exchange valuable data. However, it's important to know that data is arriving at the intended destination — and no other. Watch sensitive data as it moves across devices, systems and networks.
  • Consider separate networks and “air-gapped” networks. Most providers already have production and public Wi-Fi networks in place. But it could be necessary to have closed networks for IoT devices. In some cases, consider isolating some networks as well.
  • Provide education and training. Many breaches occur because employees are duped into clicking links that download malware. Education and training about how to spot bad links — as well as technology that identifies dangerous URLs — can greatly reduce risk.
  • Identify key controls. Understanding which devices should be talking to other devices or systems — and knowing what they shouldn't be communicating — is paramount. Mapping a system is critical. Wi-Fi networks also require anti-spoofing methods, valid certificates and strict device authentication protocols.
  • Create a vendor checklist. Before procuring any medical devices, make sure a vendor meets organizational requirements. Organizations can use ISO 27002 controls (a standardized set of information security industry guidelines) as a starting point. However, it's wise to customize the list to meet specific requirements.
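Dan Bowden's call for an accurate inventory mapped against threats, Scott Richert's practice of watching “east-west” traffic and isolating devices that are no longer patched, and the “Identify key controls” item above all come down to one comparison: a record of which devices exist, whether each is still supported, and which peers each is expected to talk to, checked against the traffic actually observed. The Python below is an added example written for this article; it is not code from any hospital, vendor or consultant quoted here. The device names, vendors, IP addresses and flow records are constructed sample data, and the allowed-peers map is an assumption about how such an inventory would be extended.

```python
"""Compare observed device-to-device ("east-west") flows against an expected
communication map derived from a device inventory.

Added example: every device, vendor, address and flow record below is
constructed sample data, not a real hospital asset.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int]          # (source IP, destination IP, destination port)
Finding = Tuple[str, str, str, int]  # (finding kind, source IP, destination IP, port)


@dataclass
class Device:
    name: str
    ip: str
    vendor: str
    os: str
    vendor_supported: bool            # still receives patches / firmware updates
    allowed_peers: Set[str] = field(default_factory=set)  # names this device may connect to


# Constructed inventory: the make/model/OS record the article calls for,
# extended with the one extra field needed to map flows: expected peers.
INVENTORY: List[Device] = [
    Device("infusion-pump-01", "10.20.1.11", "ExampleMed", "Embedded Linux 4.x", True,
           {"pump-server"}),
    Device("vitals-monitor-02", "10.20.1.12", "ExampleMed", "Windows Embedded 7", False,
           {"monitor-gateway"}),
    Device("pump-server", "10.20.2.5", "ExampleMed", "Windows Server 2016", True,
           {"infusion-pump-01", "ehr-integration"}),
    Device("monitor-gateway", "10.20.2.6", "ExampleMed", "Ubuntu 16.04", True,
           {"vitals-monitor-02", "ehr-integration"}),
    Device("ehr-integration", "10.20.3.9", "ExampleEHR", "RHEL 7", True,
           {"pump-server", "monitor-gateway"}),
]

# Constructed flow records, as a switch's flow telemetry might export them.
FLOWS: List[Flow] = [
    ("10.20.1.11", "10.20.2.5", 443),   # pump -> pump server: expected
    ("10.20.1.11", "10.20.3.9", 445),   # pump -> EHR integration: not in the map
    ("10.20.1.12", "10.20.2.6", 8443),  # unsupported monitor -> its gateway: expected path, risky endpoint
    ("10.20.1.11", "10.20.1.12", 22),   # pump -> monitor: not in the map, and the peer is unsupported
    ("10.20.9.99", "10.20.2.5", 443),   # source address not in the inventory at all
]


def unsupported_devices(inventory: List[Device]) -> List[Device]:
    """Devices the vendor no longer patches: candidates to isolate or retire."""
    return [d for d in inventory if not d.vendor_supported]


def check_flows(inventory: List[Device], flows: List[Flow]) -> List[Finding]:
    """Return one finding per policy violation seen in the flow records.

    Finding kinds:
      unknown-device      an endpoint that is not in the inventory (shadow IT / rogue device)
      unsupported-device  an endpoint the vendor no longer patches
      unexpected-flow     a source talking to a peer outside its allowed_peers map
    A single flow can produce more than one finding.
    """
    by_ip: Dict[str, Device] = {d.ip: d for d in inventory}
    findings: List[Finding] = []
    for src_ip, dst_ip, port in flows:
        src, dst = by_ip.get(src_ip), by_ip.get(dst_ip)
        if src is None or dst is None:
            findings.append(("unknown-device", src_ip, dst_ip, port))
            continue  # nothing more can be said about a device we do not know
        if not src.vendor_supported or not dst.vendor_supported:
            findings.append(("unsupported-device", src_ip, dst_ip, port))
        if dst.name not in src.allowed_peers:
            findings.append(("unexpected-flow", src_ip, dst_ip, port))
    return findings


if __name__ == "__main__":
    for d in unsupported_devices(INVENTORY):
        print(f"isolate or retire: {d.name} ({d.os}, {d.vendor})")
    for kind, s, t, p in check_flows(INVENTORY, FLOWS):
        print(f"{kind:19} {s} -> {t}:{p}")
```

Running the block prints one line per unsupported device and one per finding. The peer map is deliberately one-directional (who may initiate a connection to whom), because that is the form a segmentation rule or an anomaly alert takes; a commercial monitoring tool automates the same comparison, but the inventory and the expected-peer map have to exist first, which is the point both Bowden and Richert make.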
