Code red: Health IT must fix its security crisis
With a diverse array of digital systems, hospitals have evolved into complex technology operations. Yet they remain singularly ill-prepared to defend against attacks, in part because that very multiplicity of systems presents a wider attack surface.
Spurred by massive breaches at health care giants -- and security research that has uncovered vulnerabilities in medical devices from insulin pumps to pacemakers -- the focus has shifted from data security alone to protecting a range of medical technology. Attackers can cause chaos and damage as they romp through hospital networks, which have their own special varieties of vulnerable endpoints.
The ransomware attacks that crippled Hollywood Presbyterian Medical Center in Los Angeles and Methodist Hospital in Henderson, Kentucky, weren't about pilfering confidential patient records. The intent was to bring these hospitals to a standstill -- which is exactly what happened. Medical staff couldn't access patient records, share surgery directives, or otherwise communicate with each other. Poor endpoint security and weak network protections made such successful attacks almost inevitable.
Health care is intensely personal, both in patient disorders and their treatments, as well as in the interactions between patients and doctors, caregivers, and support staff -- most of which are documented and stored digitally.
But modern health care is also extremely technical. Specialized systems care for patients without moving them, robots perform actual surgery, and doctors rely on sophisticated equipment such as ECG, ultrasound, X-ray, CT, and MRI machines. These machines are computers, complete with operating systems, software applications, and network connectivity.
No one needs to launch a Stuxnet-like attack against a health care facility to disrupt medical care. A network worm can be equally devastating.
Consider Conficker, the fast-spreading Windows worm that is believed to have infected more than 11 million machines since 2008 and is still successfully infecting unpatched Windows systems. Its primary propagation path, a flaw in the Windows Server service, had been fixed by Microsoft (MS08-067) about a month before the worm appeared; the machines it still finds are the ones that never received that update. Researchers in 2009 found that Conficker had infected more than 300 hospital devices, including MRI systems, across a dozen hospitals in the United States. Conficker also shut down an entire sleep lab in a New Jersey hospital in 2010, requiring all patients to be rescheduled and costing the hospital about $40,000 to recover from the infection.
Hospitals have found malware infections on medical equipment such as imaging devices, eye exam scanners, and electrocardiograph stress analyzers.
Even with the diversity of equipment and installed applications, health care IT has the same requirements as traditional IT to close off potential avenues of attack, says Dave Palmer, a retired member of the British intelligence agencies MI5 and GCHQ and now director of technology at cyberintelligence firm Darktrace. Don't forget that these organizations also have traditional enterprise systems for payroll and accounting, interdepartmental communication, file sharing, and collaboration, as well as the challenges of employees and patients bringing personal devices into the facility.
“The typical health care facility is a complex IT environment,” Palmer says.
Denial-of-service attacks can be as disruptive to health care facilities as they are to any other organization. In 2014, a DDoS attack against Boston Children's Hospital made some online services, such as patient appointment scheduling, sporadically inaccessible. The circumstances around that attack were unusual because it was a protest involving a controversial custody case, but experts say DDoS attacks accompanied by ransom demands are on the rise. Attackers flood the networks, then promise to stop if the organization pays them to go away.
Consider endpoint security in health care organizations. Keeping these endpoints up to date with the latest versions of operating systems, browsers, plugins, and installed applications is not a simple task. Some applications may rely on Flash or Java, which are commonly targeted by malicious adversaries.
A recent analysis by authentication provider Duo Security found that twice as many health care endpoints have Flash installed and three times as many have Java, compared to endpoints in non-health-care organizations.
The common recommendation -- to uninstall Flash and Java from client machines -- doesn't take into account that many custom applications within the sector require them. Many popular electronic health record (EHR) systems and the identity and access management (IAM) software behind e-prescribing require Java, for example.
A different analysis by Forcepoint found that health care organizations are 376 percent more likely to see dropper malware (code whose job is to install further payloads, typically a backdoor, on a compromised machine) than non-health-care organizations.
Duo’s analysis also found that nearly half of health care providers use Internet Explorer 11 or older, exposing those systems to various attacks. Health care organizations are also more likely than other industry sectors to still have Windows XP systems. The presence of outdated software partly explains why health care organizations are more likely to see certain types of attacks.
“This type of landscape can cause the perfect cybersecurity storm,” says Grayson Milbourne, security intelligence director at Webroot.
Basic IT practices, such as asset inventory, patch and configuration management, and network security, are critical in this kind of heterogeneous environment. A complete inventory lets IT know which systems actually need Flash, Java, or a given custom application, so that IT can uninstall them (and unused instances of custom applications) everywhere else.
Regularly patching Flash, Java, the Web browser, the operating system, and other applications closes the known holes that Web-based attacks rely on; most exploit kits weaponize vulnerabilities that already have a fix and succeed against the systems that haven't applied it. Exploit kits do periodically pick up zero-day vulnerabilities in Flash and Java, which patching alone can't address, so IT also needs to evaluate which systems really require Internet access. Removing or disabling the Web browser on machines that still need to be networked reduces the chance of infection via a Web-based attack (Internet Explorer can only be turned off as a Windows feature, not removed, so block such machines' outbound Web traffic at the firewall or proxy as well). There is no good reason to have a Web browser installed on a machine monitoring fetal heartbeat, for example.
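To make the inventory step concrete, here is an added Python example (not from the article or from any vendor): it reads a constructed inventory export and, against an assumed per-role allowlist, produces the list of Flash, Java, and browser installs to remove and the ones to keep and therefore patch. The hostnames, roles, software strings, and the allowlist itself are all assumptions for illustration.

```python
"""Inventory-driven remediation planner for risky endpoint software.

Added example; the inventory export, role names, and allowlist below are
constructed assumptions for illustration, not data from the article."""
import csv
import io
from dataclasses import dataclass

# Constructed inventory export: hostname, role, installed software (';'-separated).
INVENTORY_CSV = """\
hostname,role,software
ehr-ws-01,ehr_workstation,Windows 7;Java 8u51;Internet Explorer 11
ehr-ws-02,ehr_workstation,Windows 7;Java 8u51;Adobe Flash Player 21;Internet Explorer 11
fetal-mon-03,fetal_monitor,Windows XP Embedded;Internet Explorer 8
acct-ws-07,accounting_workstation,Windows 7;Adobe Flash Player 21;Java 7u80;Internet Explorer 11
mri-console-01,imaging_console,Windows XP;Internet Explorer 6
"""

# The components the article singles out, and the lowercase substring that
# identifies each one in an installed-software string.
RISKY = {"flash": "adobe flash", "java": "java ", "browser": "internet explorer"}

# Assumed policy: roles with a documented business need for each component.
# A role missing from this table is allowed nothing, so unknown roles fail closed.
ALLOWED = {
    "ehr_workstation": {"java", "browser"},  # EHR client is a Java app and uses a browser
    "accounting_workstation": {"browser"},   # web payroll portal; no Flash or Java needed
    "fetal_monitor": set(),                  # bedside monitor: no browser at all
    "imaging_console": set(),                # vendor console: managed from a jump host
}


@dataclass(frozen=True)
class Action:
    hostname: str
    component: str  # "flash", "java" or "browser"
    verb: str       # "uninstall" or "keep_and_patch"


def classify(software: str) -> set:
    """Return the set of risky components present in one host's software list."""
    lower = software.lower()
    return {name for name, needle in RISKY.items() if needle in lower}


def plan(inventory_csv: str, allowed: dict = ALLOWED) -> list:
    """Turn the inventory into per-host actions: remove what the role does not
    need, keep (and therefore patch) what it does."""
    actions = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        role_allows = allowed.get(row["role"], set())
        for comp in sorted(classify(row["software"])):
            verb = "keep_and_patch" if comp in role_allows else "uninstall"
            actions.append(Action(row["hostname"], comp, verb))
    return actions


def uninstall_targets(actions: list) -> set:
    """(hostname, component) pairs slated for removal."""
    return {(a.hostname, a.component) for a in actions if a.verb == "uninstall"}


if __name__ == "__main__":
    for a in plan(INVENTORY_CSV):
        print(f"{a.hostname:16} {a.component:8} {a.verb}")
```

The point of the allowlist is that the exception is tied to a role with a documented need, not to a host; a machine that drifts into a different role loses its exception automatically on the next run.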
Most devices in a medical environment are networked. Potentially thousands of devices proliferate in a large hospital, each type with different networking needs. While some specialized systems don't need to be on the Internet, many require network access to tap into patient health records, look up drug interactions, or send specific data to appropriate care providers.
But there's no reason for the workstations at nursing stations that handle patient records to sit on the same network as the workstations in accounting and payroll, nor for both sets of databases to run on the same server. Hospitals need to make it harder for attackers who have compromised one server to locate and reach other valuable servers.
Segmenting the network to isolate more vulnerable machines means that even if the attackers successfully compromise them, they are limited in how far they can spread across the network. But that's only the first step.
The next step is privilege management: restricting who can reach which files and systems. Not everyone needs access to every file on the file server. Doctors shouldn't be able to reach the administrator console of the MRI machine. There shouldn't be a way to so much as see a piece of radiology equipment on the network, let alone reach its console screen, from an HR workstation. And if the doctor's account has administrator rights, any malware that runs under that account inherits them.
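An added example, not from the article: a Python check that maps constructed firewall log lines onto an assumed zone plan and flags every flow the segmentation policy does not allow, including the HR-workstation-to-radiology case just described. A disallowed flow the firewall nonetheless permitted is a policy gap to close; one it denied is an attempted crossing worth an alert. The address ranges, zone names, ports, and log lines are all constructed for illustration.

```python
"""Segmentation check: map firewall log flows onto zones and flag disallowed ones.

Added example; the address plan, zone names, allowed flows, ports, and log lines
are constructed assumptions for illustration, not taken from the article."""
import ipaddress
import re

# Assumed address plan: one subnet (VLAN) per zone.
ZONES = {
    "nursing_ws":    ipaddress.ip_network("10.10.0.0/24"),   # clinical workstations
    "hr_ws":         ipaddress.ip_network("10.20.0.0/24"),   # HR and payroll staff
    "biomed_eng":    ipaddress.ip_network("10.30.0.0/24"),   # staff who service devices
    "ehr_servers":   ipaddress.ip_network("10.100.0.0/24"),
    "payroll_srv":   ipaddress.ip_network("10.110.0.0/24"),
    "radiology_dev": ipaddress.ip_network("10.200.0.0/24"),  # MRI/CT consoles, PACS
}

# Assumed segmentation policy: (source zone, destination zone, destination port).
# Anything not listed is a violation (default deny).
ALLOWED_FLOWS = {
    ("nursing_ws", "ehr_servers", 443),
    ("hr_ws", "payroll_srv", 443),
    ("radiology_dev", "ehr_servers", 2575),  # HL7 results to the EHR (assumed port)
    ("biomed_eng", "radiology_dev", 3389),   # only biomed may reach device consoles
}

# Constructed firewall log lines in a generic key=value format.
SAMPLE_LOG = """\
fw1 src=10.10.0.21 dst=10.100.0.5 proto=tcp dport=443 action=ALLOW
fw1 src=10.20.0.15 dst=10.200.0.9 proto=tcp dport=3389 action=ALLOW
fw1 src=10.10.0.21 dst=10.110.0.3 proto=tcp dport=445 action=DENY
fw1 src=10.30.0.5 dst=10.200.0.9 proto=tcp dport=3389 action=ALLOW
fw1 src=10.200.0.9 dst=10.100.0.5 proto=tcp dport=2575 action=ALLOW
fw1 src=10.200.0.9 dst=10.20.0.15 proto=tcp dport=445 action=ALLOW
"""

LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+) action=(\S+)")


def zone_of(ip: str) -> str:
    """Name of the zone an address belongs to, or 'unknown' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def flow_allowed(src_ip: str, dst_ip: str, dport: int) -> bool:
    return (zone_of(src_ip), zone_of(dst_ip), dport) in ALLOWED_FLOWS


def violations(log_lines) -> list:
    """Disallowed flows, each tagged by what the firewall actually did with it:
    a permitted violation is a policy gap to close; a denied one is an attempted
    crossing worth an alert."""
    found = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, _proto, dport, action = m.groups()
        if flow_allowed(src, dst, int(dport)):
            continue
        found.append({
            "src_zone": zone_of(src), "dst_zone": zone_of(dst), "dport": int(dport),
            "kind": "policy_gap" if action.upper() == "ALLOW" else "blocked_attempt",
        })
    return found


if __name__ == "__main__":
    for v in violations(SAMPLE_LOG.splitlines()):
        print(v)
```

Running it against the sample flags three flows: an HR workstation reaching an MRI console over RDP (permitted by the firewall, so a rule gap), a nursing workstation probing the payroll server over SMB (denied, so an attempt), and a radiology device reaching into the HR subnet over SMB (permitted), which is exactly how a worm like Conficker crosses from a device network into the office network.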
Network-connected medical devices must be secured so that an attacker who reaches one network segment can't jump to others, and so that the devices can't serve as a point of entry from outside. The number of devices -- easily in the tens of thousands in a large hospital -- means paying extra attention to physical security as well. It's unlikely someone can stroll out the door with a CT scanner or an ultrasound machine, but it is easy to steal a laptop and use its remote-access software to get onto the network.
Administrators must enable two-factor authentication wherever possible and make sure employees follow basic password policies -- such as not reusing the same password across applications or systems, and not sharing accounts.
Health care organizations run a number of specialized, often customized applications. They are also increasingly adopting web, mobile, and cloud-based applications. Imperva’s annual report found that health care applications are likely to suffer 10 times more cross-site scripting attacks than applications in other industries.
Nearly 80 percent of health-care-related applications contain easily avoidable cryptographic issues such as weak algorithms, says Chris Wysopal, CTO and CISO of application security company Veracode. Whether it’s a SQL injection flaw in the web application or an issue in how the application encrypts data, the consequences are equally serious.
Basic application security rules apply here. In-house applications should be tested for vulnerabilities, and many organizations are spending more on external security assessments and inserting liability clauses into contracts with software vendors, according to a recent HIMSS/Veracode survey. These assessments are driven less by heightened security awareness than by fear of liability. Regardless, it's still a step forward.
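As an added illustration (not code from the article or from any EHR product), the Python below puts the vulnerable pattern beside the hardened one for the three flaw classes the preceding paragraphs name: a SQL injection in a patient lookup, a cross-site scripting bug in chart rendering, and unsalted MD5 as a weak algorithm for password storage. The in-memory patient table and its names are constructed.

```python
"""Vulnerable and hardened forms of SQL injection, XSS, and weak password hashing.

Added example with a constructed in-memory patient table; not code from the
article or from any real EHR system."""
import hashlib
import hmac
import html
import os
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three patients keyed by medical record number (MRN)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (mrn TEXT PRIMARY KEY, name TEXT, diagnosis TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", [
        ("MRN001", "Ada Example", "hypertension"),
        ("MRN002", "Bob Sample", "type 2 diabetes"),
        ("MRN003", "Cy Placeholder", "asthma"),
    ])
    return conn


# --- SQL injection ---------------------------------------------------------
def lookup_vulnerable(conn, mrn: str) -> list:
    # String interpolation: the caller's text becomes part of the SQL grammar,
    # so a quote in the input can end the literal and append its own condition.
    return conn.execute(
        f"SELECT mrn, name, diagnosis FROM patients WHERE mrn = '{mrn}'").fetchall()


def lookup_safe(conn, mrn: str) -> list:
    # Parameter binding: the value travels separately from the statement and is
    # only ever compared as data, whatever characters it contains.
    return conn.execute(
        "SELECT mrn, name, diagnosis FROM patients WHERE mrn = ?", (mrn,)).fetchall()


# --- Cross-site scripting --------------------------------------------------
def render_vulnerable(patient_name: str) -> str:
    # Raw interpolation into HTML: a name containing markup is executed as markup.
    return f"<h2>Chart for {patient_name}</h2>"


def render_safe(patient_name: str) -> str:
    # Escape at the output boundary so &, <, >, " and ' become entities.
    return f"<h2>Chart for {html.escape(patient_name, quote=True)}</h2>"


# --- Weak vs. acceptable password storage ----------------------------------
def hash_password_weak(password: str) -> str:
    # Unsalted, fast, general-purpose digest: identical passwords hash
    # identically and precomputed tables recover them immediately.
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = None, iterations: int = 600_000) -> str:
    # Per-user random salt plus a deliberately slow key-derivation function.
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"  # classic tautology payload
    print(len(lookup_vulnerable(conn, payload)), "rows leaked by the vulnerable query")
    print(len(lookup_safe(conn, payload)), "rows from the parameterized query")
    print(render_safe("<script>alert(1)</script>"))
```

The tautology payload turns the vulnerable lookup into a dump of every patient row, while the parameterized version returns nothing because no record has that string as its MRN; the same discipline (treat input as data, never as syntax) is what the escaping in the XSS fix applies at the HTML boundary.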
“Remedying the problem starts with a good look at how health-care-related software is built and making sure that security is a priority,” Wysopal says.
Part of health care's security crisis is cultural. As long as the efforts of IT and security personnel are seen as less significant than those of medical professionals, conflict will ensue.
Security awareness is necessary -- but it must be balanced against the fact that much of the staff has demanding schedules and may be inclined to skip training.
Health care’s rigid focus on compliance, especially the Health Insurance Portability and Accountability Act of 1996 (HIPAA), is part of the problem. While maintaining patient privacy is important, the hyperfocus on maintaining compliance opens gaps in network and endpoint security. Recent attacks show that HIPAA compliance doesn’t mean much if employees are susceptible to social engineering and hand over their login credentials, as happened with the Blue Shield breach -- or if laptops containing employee records aren’t encrypted and get lost, or if computers running outdated software are vulnerable to web-based attacks.
The balance of power is lopsided in health care organizations. Despite the abundance of valuable data and technology, the bulk of the decision-making authority rests with doctors and medical personnel, not IT. At budget time, IT and security spending typically takes a backseat to buying new medical systems and hiring additional medical staff.
That needs to change. Without proper IT and security management, health care organizations will find their ability to offer quality care compromised.