At the HIMSS17 conference at the Orange County Convention Center in Orlando, experts in the cybersecurity space dove into the latest emerging trends regarding healthcare information security and protection, with newfound emphasis on medical device security.
Unsurprisingly, Mac McMillan, CEO of the consulting firm CynergisTek, noted, as he has many times before, that the growing sophistication of the attacks he is seeing today continues to be one of the biggest trends in healthcare cybersecurity. McMillan said that artificial intelligence (AI) is starting to "creep into attacks," and that hackers are now using the same technologies that the "good guys are using for benefit." He said, "Now [criminals] are teaching malware to do amazing things that it couldn't do before, thus making it harder for the good guys' systems to block, protect, or stop it."
McMillan added that the volume of attacks has not slowed down at all, as evidenced by recent research. "Extortion has taken on totally new approaches, so it's not just encrypting data and holding it ransom, but attackers are wiping it out and making copies, and telling the organization that they have to pay to get their data back. Extortion has taken on a whole new realm," he said. McMillan then touched on another noteworthy trend: attacks designed specifically to take advantage of the devices connected to the network, wirelessly or otherwise. "I worry about inadvertent health or safety issues with patients in the hospital who are relying on these devices that are connected," he said. Indeed, he continued, the disruptive nature of such attacks is incredibly disturbing, as they affect business, revenue, service, and confidence—"all the important things for a hospital."
Further discussing the emerging attacks on medical devices, McMillan noted that at the recent security-focused RSA conference, several medical device manufacturers commented that they were not the problem with respect to insecure medical devices; rather, the providers are the problem, since they continue to use devices past their end of life. "So the [manufacturers] are saying that the providers are not renewing the devices fast enough, which is another way of saying 'buy more of my devices.' However, it doesn't matter if I buy more devices if the devices I am buying still are not secure," McMillan said, referring to the conversation at the RSA conference as "a crazy experience." He added, "Here at [HIMSS], folks have come up to me who were at RSA asking if I could believe what the manufacturers said there. And I said absolutely I could: if they could make the case that it's your problem and that you need to replace your devices, think about that as a sales opportunity."
Along the same lines, during an education session on the evolving state of medical device cybersecurity, Seth Carmody, Ph.D., cybersecurity program manager at the FDA, noted that medical devices in the clinical environment, within the health and public health critical infrastructure sector, "represents a major large attack surface for national security today." Carmody added, "We don't want people to check boxes; we need to make sure that medical devices are more secure, not more compliant."
Carmody said that FDA guidance on medical devices serves as a policy framework that enables patching and reconfiguration where appropriate, since devices have historically been designed without secure development practices. "The FDA's mission is for safe and effective devices," he said. "Where are we as a center? We are maturing; we just got started in 2013. Some other sectors have had a 25-year head start on us. Now, it's about raising awareness, and there are both early adopters and deniers. We want to promote safety and security by design through establishing clear regulatory expectations," he said, adding that a "whole community approach," inclusive of all the federal regulatory bodies, such as ONC, OCR, DHS, and ICS-CERT, as well as the private sector of device manufacturers, is necessary to coordinate, collaborate, and share information. Carmody said that manufacturers have come to the FDA and have had transparent conversations. "That's when you start to get things done," he said.
Meanwhile, during the same session on medical device cybersecurity, Margie Zuk, senior principal cybersecurity engineer at The MITRE Corporation, identified several gap areas found in the organization's research, including: the need to share best practices for securing legacy devices; the need to adopt threat-based defense and share threat intelligence; the need for coordinated disclosure of vulnerabilities and for transparency about vulnerabilities in third-party software; the need for solutions that fit both small and large organizations; the need for a common risk framework covering security and safety; the need for cybersecurity baselines for medical devices; and the need for testing and certification of medical devices.
What's more, when asked where the biggest gaps lie with regard to defense and protection, McMillan said, "Still amazingly enough, the most important thing that organizations can do is the basics." He gave specifics: better hygiene in how they manage the environment; making sure they are using systems that are up to date; and an overall approach of hardening and patching systems. "And whether they like it or not, they will have to invest in smarter technology," he said. "Technology of the past won't protect us against threats of today or tomorrow. You will need smarter systems that rely on heuristic capabilities with behavioral analytic-type capabilities and machine learning capabilities. If the bad guys are going to use machine learning, we also have to if we want any chance of keeping up with them."
To this end, he said that a core problem is still that organizations are chasing point problems. When ransomware strikes, for instance, organizations tend to think the answer is to buy an advanced malware solution. While McMillan admitted that this is part of the solution, he noted, "If you haven't fixed the access control issues and the hygiene issues, that malware solution will only be so effective. We are not necessarily doing a better job of managing security overall, despite spending money." He added that there are simple things organizations can do to lower their threat profiles that do not involve deploying a lot of technology: truly segmenting the network, making it harder for a threat to move freely inside the environment once it finds a way in; locking down access control; getting rid of standing passwords in favor of a vaulting solution, so that elevated privileges don't exist on the network all the time; and using two-factor authentication, which makes it exponentially harder for an attacker. "These solutions are not terribly expensive," he said. "Vaulting solutions are somewhere between $80,000 to $120,000, yet look what it does in terms of eliminating that threat. These things can make a tremendous impact on our environment. We might spend millions on identity management and advanced malware, and we still have all of these holes."
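The segmentation advice above, rendered as a small policy checker, is an added example and not code from the article or from CynergisTek. It models hosts as members of zones (a user LAN, a clinical-device VLAN, EHR servers, and a privileged jump-host range), applies a default-deny allow-list between zones, and reports the flows the policy would block, including the device-to-device and user-to-device traffic that lateral movement relies on. The subnets, ports, zone names and flow records are all constructed sample data, not taken from any real hospital network.

```python
"""Zone-based network segmentation policy check (constructed example).

Hosts are mapped to zones by subnet; inter-zone traffic is denied unless
a (src_zone, dst_zone) pair explicitly allows the destination port.
"""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed zone map (assumption: one subnet per zone is enough here).
ZONES = {
    "user_lan": [ip_network("10.10.0.0/16")],
    "clinical_devices": [ip_network("10.20.0.0/24")],   # pumps, monitors
    "ehr_servers": [ip_network("10.30.0.0/24")],
    "mgmt_jump": [ip_network("10.40.0.0/28")],          # privileged admin hosts
}

# Default-deny allow-list: (src_zone, dst_zone) -> permitted destination ports.
# Any pair not listed is blocked. Port numbers are illustrative assumptions.
ALLOW = {
    ("user_lan", "ehr_servers"): {443},                  # clinician web access
    ("clinical_devices", "ehr_servers"): {2575},         # HL7 over MLLP
    ("mgmt_jump", "clinical_devices"): {22, 443},        # admin via jump host only
    ("mgmt_jump", "ehr_servers"): {22, 443},
}


def zone_of(ip: str) -> Optional[str]:
    """Return the zone name for an address, or None if it is unknown."""
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return None


def is_allowed(src: str, dst: str, dport: int) -> bool:
    """Default-deny check. Unknown hosts are never allowed to talk."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return False
    if src_zone == dst_zone:
        # Devices are isolated from each other (private-VLAN style); other
        # zones permit intra-zone traffic. This split is an assumption.
        return src_zone != "clinical_devices"
    return dport in ALLOW.get((src_zone, dst_zone), set())


Flow = Tuple[str, str, int]  # (src_ip, dst_ip, dst_port)


def audit_flows(flows: List[Flow]):
    """Return the flows the policy would block, tagged with both zones."""
    blocked = []
    for src, dst, dport in flows:
        if not is_allowed(src, dst, dport):
            blocked.append((src, dst, dport, zone_of(src), zone_of(dst)))
    return blocked


# Constructed flow records, e.g. as exported from a flow collector.
SAMPLE_FLOWS: List[Flow] = [
    ("10.10.5.7", "10.30.0.10", 443),     # user -> EHR web: allowed
    ("10.20.0.15", "10.30.0.10", 2575),   # device -> EHR HL7 feed: allowed
    ("10.10.5.7", "10.20.0.15", 445),     # user -> device SMB: blocked
    ("10.20.0.15", "10.20.0.16", 22),     # device -> device: blocked
    ("10.40.0.2", "10.20.0.15", 22),      # jump host -> device: allowed
    ("10.10.5.7", "10.40.0.2", 3389),     # user -> jump host RDP: blocked
]

if __name__ == "__main__":
    for entry in audit_flows(SAMPLE_FLOWS):
        print("BLOCK", entry)
```

Run over a real flow export, the list of blocked flows is a useful review artifact before a segmentation policy is enforced: anything legitimate that shows up there (a device feed to a server nobody documented, for example) gets an explicit allow entry, and everything else stays denied.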
For those that have suffered a breach of their systems and a ransom demand, McMillan said each situation is different, and that the first question he asks the victims is whether their data is backed up with confidence. The organization's answer to that question will determine the next steps, he said. As for paying the ransom or not, McMillan noted, "I would love for you not to [pay], because we don't want to perpetuate that behavior, even though we know more than 40 percent of organizations are paying those ransoms for business reasons. If you are sitting there with downtime that is costing you hundreds of thousands of dollars per minute, and you have a ransom demand of $20,000 to $40,000, you might not like paying it, but it's the lesser of two evils. I don't fault anyone who pays it, but it's not something we want. Anytime you pay that ransom, bad guys see it as a justification to keep going."
In recent years, the fear around cybersecurity has seemingly grown with each passing HIMSS conference. But as attendees continue to share challenges and best practices, McMillan believes that people are now past the shock and awe of the situation. "They realize that it's the new reality. They are smart enough now to recognize that in order to meet the issue, they will have to employ more resources." But, he added, they are worried about where those resources will come from, with [uncertainty] regarding the new administration leading to new financial challenges for hospitals. He said, "The bigger issue now is, 'can we find the resources' rather than 'can we spend it in the right places?' But the latter is the place we need to be."