You can’t audit and risk assess what you don’t know exists

By Richard Staynings, Chief Security Strategist, Cylera

It probably hasn’t escaped anyone’s attention that critical national infrastructure (CNI) is under increasing levels of targeted cyberattack. This is not limited to the United States but extends to almost the entire western world, as geopolitical and criminal adversaries test cyber defenses and attempt to establish valuable footholds in the networks of these critical pillars of the economy and of the infrastructure that underpins it.

Of these industries, the most concerning, right after the threat of a nuclear meltdown at a power generator, is likely an attack against healthcare systems. Without available healthcare, each of us faces a precarious and uncertain future in times of urgent medical need.

While healthcare providers have been the target of cyberattack for decades, most of these network incursions have historically focused upon the theft of protected PII and PHI. This stolen data is then sold or traded on the exchanges of the criminal dark web, or used to target high-value individuals for political or commercial espionage purposes.

Today, however, with hundreds of millions of electronic medical records already exposed, the price for such data has declined substantially. Instead, criminals have changed tactics and are now primarily focused upon the ransom of hospital data and critical IT / IoT systems. Secondary and tertiary extortion attacks will also exfiltrate protected data and threaten to release it if payment is not received. This is often used in addition to, or as extra leverage for, the ransom demanded to decrypt data and key hospital systems.

Cyber extortion and ransomware attacks are in essence attacks against the ‘availability’ of healthcare data and providers. These types of incidents are far more dangerous than the ‘breaches of confidentiality’ that we once saw dominate. So far, two patient deaths have been publicly attributed to a ransomware attack, one in Alabama, USA, the other in Düsseldorf, Germany, but doctors have privately indicated that the number of victims is probably much, much higher, as deaths are reported in different ways.

When healthcare IT and IoT systems like medical devices are held to ransom, so too are the hospitals that critically rely upon technology in today’s highly digital, connected environment. Ransomware attacks result in providers having to go ‘on-divert’ for incoming patients while others are evacuated to other facilities. This disaster response approach, although costly and inconvenient, works so long as other nearby hospitals remain unimpacted by attack. In some cases, however, a whole region of a country has been attacked, or the health services of an entire nation, and here options for patients decline rapidly, as does life expectancy for those in need who are unable to receive timely medical intervention.

This is why healthcare is such a heavily regulated industry; however, outdated cybersecurity regulations written in the last century still focus upon the protection of privacy and confidentiality, something that is already lost for most patients. Perhaps it’s about time that we reconsidered some of these regulations in light of the actual risks faced by providers and by patients whose safety depends on them. HIPAA and other national regulations share one redeeming requirement in common: the need to conduct regular risk assessment and analysis of the protection of medical systems and data.

Without an accurate and up-to-date understanding of risk, prioritization of risk remediation is impossible. But risk analysis cannot take place unless providers have an accurate and up-to-date inventory of digital assets that connect to medical networks.

In contrast to the time when many of these regulations were enacted, today’s hospital is rife with connected but largely unmanaged IoT devices. In hospitals that includes everything from medical diagnosis systems, including X-Ray and CT, to patient telemetry and management systems that check blood pressure, O2 saturation, and pulse, to treatment systems that irradiate cancers or dispense medication to a patient via an infusion pump. It also includes a growing number of automation systems for drug selection and dispensing, laboratories, and surgical robotic systems. Nearly all of these systems connect to the medical network and are not usually managed by hospital IT, where they would otherwise receive security patches and updates alongside hospital-owned workstations and laptops.

The same is true for hospital building management systems that control elevators and HVAC, both critical for hospital workflow, or the hundreds of CCTV cameras and proximity door locks that control physical access to parts of a facility. Many of these ‘connected systems’ go their whole lives without being updated or patched, despite published vulnerabilities.

While healthcare processes and regulations are slowly changing, this is not impacting the overall unassessed risk of healthcare IoT. Many of these connected IoT systems are easily compromised and pose a significant and growing risk to healthcare providers. But given the enormous numbers of these devices, often in the tens or hundreds of thousands across a health system, manual assessment is near impossible. For this reason, hospital leaders need to look at AI-enabled automation, not just for asset identification and profiling, but also for risk assessment and remediation. Given a lack of timely security updates from manufacturers, or the difficulty of scheduling a maintenance window for systems in use 24 by 7, risk remediation will usually involve the implementation of compensating security controls. These can quickly be put in place to safely allow the continued operation of devices that on one side connect to the medical network and on the other side often connect directly to the patient.

Network segmentation of medical networks, just like the detection of anomalous network activity for medical devices, was until recently a herculean task for hospital leaders. Today, however, thanks to high-fidelity communication profiling and AI-based ‘datatype analysis’ of connected endpoints, network and security tools that are already owned but often remain unused can be quickly enabled to orchestrate vastly improved security.
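As an added illustration of the compensating-control approach described in the last two paragraphs (this is example code written for this page, not Cylera's product or method), the script below builds a per-device-type communication profile from a short baseline of observed flows, flags flows that fall outside it, and turns the profile into default-deny segmentation allow-list rules. The inventory, IP addresses, ports and flow records are all constructed for the example; a device that is not in the inventory is profiled as "unknown", so its traffic is flagged, which is the article's point that you cannot assess what you do not know exists.

```python
"""Added example: baseline communication profiling for unmanaged medical IoT.
Inventory and flow records are constructed, not taken from any real network."""
from collections import defaultdict

# Constructed inventory: device address -> device type (assumed values)
INVENTORY = {
    "10.20.1.15": "infusion_pump",
    "10.20.1.16": "infusion_pump",
    "10.20.2.40": "ct_scanner",
    "10.30.0.5": "pacs_server",
    "10.30.0.9": "pump_mgmt_server",
}

# Constructed baseline flows seen during a learning window: (src, dst, dst_port)
BASELINE = [
    ("10.20.1.15", "10.30.0.9", 443),   # pump reporting to its management server
    ("10.20.1.16", "10.30.0.9", 443),
    ("10.20.2.40", "10.30.0.5", 104),   # CT scanner sending DICOM to PACS
]


def build_profiles(flows, inventory):
    """Allowed (dst_type, dst_port) pairs per *device type*, so the baseline of
    one pump covers every pump of the same type. Unknown devices map to 'unknown'."""
    profiles = defaultdict(set)
    for src, dst, port in flows:
        src_t = inventory.get(src, "unknown")
        dst_t = inventory.get(dst, "unknown")
        profiles[src_t].add((dst_t, port))
    return profiles


def find_anomalies(flows, profiles, inventory):
    """Return flows whose (dst_type, port) is outside the source type's profile.
    Flows from uninventoried sources are always returned: no profile exists."""
    anomalies = []
    for src, dst, port in flows:
        src_t = inventory.get(src, "unknown")
        dst_t = inventory.get(dst, "unknown")
        if (dst_t, port) not in profiles.get(src_t, set()):
            anomalies.append((src, dst, port))
    return anomalies


def segmentation_rules(profiles):
    """Translate profiles into type-level allow rules with a trailing default deny."""
    rules = []
    for src_t, peers in sorted(profiles.items()):
        for dst_t, port in sorted(peers):
            rules.append(f"allow {src_t} -> {dst_t} tcp/{port}")
        rules.append(f"deny {src_t} -> any")
    return rules
```

The rule strings are vendor-neutral; in practice they would be mapped onto whatever segmentation or NAC tooling the hospital already owns.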

Given a widespread lack of available security resources to adequately manage IT and patient safety risks, we need to look more closely at automation, and in particular at the capabilities that machine learning and other forms of AI provide, if we are to keep our care providers and patients safe against a rising tide of cybersecurity threats and risks.

About the Author:

Richard Staynings is a globally renowned thought leader, author, and public speaker. A thirty-year veteran of healthcare cybersecurity, he has served on various industry working groups and as a subject matter expert on government Committees of Inquiry into some of the highest profile healthcare breaches.

Richard is currently Chief Security Strategist for Cylera, a pioneer in the space of medical device security. In addition, he teaches postgraduate courses in cybersecurity and health informatics at the University of Denver, and is a retained advisor to a number of friendly governments and private companies.
