Cybersecurity in the healthcare sector is very challenging. Health organisations have large, segregated networks with interconnected medical devices that are often difficult to keep secure because of the need to share information and a lack of security resources – whether it’s funding, people or IT skills.
Today, patient data is one of the most desirable commodities on the dark web, often commanding a higher price on the black market than credit card data. The issue for the health industry is that because it has large quantities of high value data, which is relatively easy to exfiltrate undetected, it has become an attractive target for cybercriminals.
It is therefore not surprising that, according to the Office of the Australian Information Commissioner, the healthcare sector reported the greatest number of breaches to the Privacy Commissioner in each of the past two quarters.
In this blog, I’ll examine the unique cybersecurity challenges that healthcare organisations face. Then, I’ll look at three essential steps that healthcare organisations can take to address these challenges. These steps are:
- Scanning for Vulnerabilities;
- Preventing Intrusions; and
- Governance, Risk and Compliance.
Cybersecurity challenges unique to the healthcare sector
Compared to other industry sectors, cybersecurity in healthcare is extremely complex. Hospital networks typically connect as many as 10,000 different devices, ranging from phones, laptops and desktops to air-conditioning systems, medical devices and more. To give patients the best care possible, doctors and nurses must share patient information quickly and easily. Therefore, many medical devices – such as x-ray machines and blood gas analysers – now connect, in multiple ways, to healthcare agency networks and the internet.
Third-party providers supply these medical devices, but many of these suppliers do not address cybersecurity risks as comprehensively as they should. An example I’ve encountered many times over the last few years is x-ray machines that still run Windows XP as their operating system. Windows XP is no longer supported by Microsoft, so these machines contain a host of vulnerabilities that cannot be patched. They are like doors that are always open, without any safeguards.
We also encounter medical devices running outdated operating systems that are completely inaccessible to the hospital. Frequently these devices provide no console through which you can patch vulnerabilities or install a comprehensive anti-virus agent. Nevertheless, they need to connect to the network because they deliver real-time healthcare data to doctors and nurses working elsewhere.
Another cybersecurity challenge unique to healthcare is malware that specifically targets medical devices. One example is MEDJACK (there are now at least three versions of MEDJACK). When MEDJACK infiltrates a hospital network, it specifically looks for medical devices and installs itself on them. However, nobody sees it infiltrate or spread through the healthcare network because it is a script. Once installed, it gives hackers unsanctioned network access to steal patient data or make medical devices malfunction, with potentially lethal consequences for patient health.
The Hippocratic oath states that doctors must “first, do no harm”: this means giving patients a safe environment, and a safe surgery or treatment; but increasingly it also means protecting their data and keeping medical devices safe from cyber attacks. For example, ransomware created critically dangerous issues for the National Health Service in the UK. Entire networks of PCs and other devices had their data encrypted. This inaccessible data led to the cancellation of healthcare appointments, and thousands of patients didn’t receive the healthcare they required.
With My Health Record, the Federal Government is centralising how health professionals access and store patient health data. While it’s possible for individuals to opt-out of My Health Record, the vast majority of Australians will have their health data move online by the end of 2018. Although My Health Record will deliver a host of compelling benefits for Australians and the healthcare sector, the new scheme also invites considerable risks. For example, with this level of centralisation, it’s conceivable that a large data breach could leave the whole country compromised, not just one clinic or hospital.
These are formidable challenges. Nevertheless, there are solutions. Here are three practical steps that healthcare agencies can take to help protect themselves against cybersecurity threats.
Step 1: Use Vulnerability Scanning
First and foremost, every hospital must run a comprehensive vulnerability scanning tool that pinpoints what’s on the network and evaluates the vulnerabilities. My team and I specialise in this area. Our tools will scan every device sitting on your network: phones, monitors, laptops, desktops, applications, medical devices, networked air-conditioning systems – everything. These scans make a lot of information visible and reportable: missing patches, default credentials, vulnerabilities, application profiles, data transfer events, etc.
This has three main benefits. Firstly, these scans give each device on a network a description and pinpoint which operating system it runs (which is how you find out that you have an x-ray machine running Windows XP). Secondly, they show each device’s specific vulnerabilities. Thirdly, they show you how to patch those vulnerabilities, often with a link to the correct patch when one is available.
Recently, I ran a vulnerability scan for one of Australia’s largest health departments and found approximately 15,000 vulnerabilities, of which over 5,000 were critical. When someone exploits a critical vulnerability, they can obtain full system access and commit serious data security offences, such as exfiltrating large volumes of patient data or infecting a network with ransomware.
Step 2: Use an Intrusion Prevention System (IPS)
Once you’ve identified your vulnerabilities, you need to defend them.
However, in healthcare agencies, patching vulnerabilities typically takes longer than usual because of the unique complexity of their devices. There are also some devices, such as x-ray machines or blood gas analysers, that are impossible to patch. For example, x-ray machines frequently have no downtime in which patching can be done. Furthermore, you usually don’t have access to the machine’s back end because it’s locked down by the manufacturer.
Healthcare agencies tend to patch their laptops and desktops infrequently, usually every three to six months. This intermittent patching leaves healthcare networks vulnerable for extended periods and creates a huge attack surface that cybercriminals can exploit.
To reduce this threat, a key goal for my team is to shorten the time between identifying a vulnerability and protecting against it. The best way to do this is by using an Intrusion Prevention System (IPS).
An IPS server sits on site, inline with the network, and monitors every packet of data going in and out of an organisation. The IPS analyses the data automatically and can pinpoint and address serious issues caused by compromised devices. For example, an IPS will block a backdoor that a hacker is accessing (backdoors are unsanctioned entry points into a network or application that have been deliberately or accidentally made available). An IPS will also stop beaconing ransomware from alerting a cybercriminal to a new target, and will prevent cybercriminals from gaining access to a network to exfiltrate or encrypt data.
Which IPS a healthcare agency deploys does not particularly matter, as long as it can ingest vulnerability scanning data. The Trend Micro IPS supports the ingestion of vulnerability data from any vulnerability scanning tool. Typically, I’ll run a vulnerability scan and pinpoint, say, 15,000 vulnerabilities across 5,000 devices. I can then upload this vulnerability scanning data directly to the Trend Micro IPS and, within a minute, it will protect against all 15,000 vulnerabilities.
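As an added illustration of steps 1 and 2 together (this is not the author’s tooling, and not any scanner’s or IPS product’s real API), the following Python script parses a constructed vulnerability-scan export, builds the per-device inventory that flags an x-ray machine still on Windows XP, counts the critical findings, and then decides for every finding whether the hospital can patch it, whether the IPS can cover it, or whether it stays exposed. Uploading scan data to the IPS is modelled as a simple CVE-to-filter lookup; the column names, the `vendor_managed` field, the filter ids and the `CVE-0000-NNNN` placeholder ids are all assumptions made for the example.

```python
"""
Triage a vulnerability-scan export and plan how each finding gets defended.

Added illustration, not a real scanner or IPS integration. The scan rows,
the end-of-life OS list and the IPS filter catalogue are all constructed;
CVE ids are placeholders of the form CVE-0000-NNNN.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed scan export in the flat CSV shape most scanners can produce.
# "patch_available" is what the scanner reports; "vendor_managed" is an
# assumed asset-register column meaning the supplier, not the hospital,
# controls the device's back end.
SCAN_EXPORT = """\
host,device_type,os,cve,severity,patch_available,vendor_managed
10.20.1.15,x-ray machine,Windows XP SP3,CVE-0000-1001,critical,no,yes
10.20.1.15,x-ray machine,Windows XP SP3,CVE-0000-1003,critical,no,yes
10.20.1.40,blood gas analyser,Windows 7,CVE-0000-1001,critical,yes,yes
10.20.2.8,workstation,Windows 10,CVE-0000-1002,critical,yes,no
10.20.2.8,workstation,Windows 10,CVE-0000-1004,high,yes,no
10.20.3.3,air-conditioning controller,Embedded Linux,CVE-0000-1005,high,no,yes
10.20.2.9,workstation,Windows 10,CVE-0000-1006,medium,yes,no
"""

# Operating systems the vendor no longer supports, so no patch will ever
# arrive. Windows XP is the case the article describes.
EOL_OS_PREFIXES = ("Windows XP",)

# Constructed stand-in for the filters an IPS derives after scan data is
# uploaded to it: CVE id -> IPS filter id. Not a real product's catalogue.
IPS_FILTERS = {
    "CVE-0000-1001": "FILTER-1001",
    "CVE-0000-1002": "FILTER-1002",
    "CVE-0000-1004": "FILTER-1004",
}


def parse_scan(text):
    """Parse the CSV export into a list of finding dicts (one per host/CVE)."""
    return list(csv.DictReader(io.StringIO(text)))


def inventory(findings):
    """Describe each host once: device type, OS and whether the OS is end-of-life."""
    hosts = {}
    for f in findings:
        hosts[f["host"]] = {
            "device": f["device_type"],
            "os": f["os"],
            "unsupported_os": f["os"].startswith(EOL_OS_PREFIXES),
        }
    return hosts


def severity_counts(findings):
    """Number of findings per severity, e.g. how many are critical."""
    return Counter(f["severity"] for f in findings)


def hospital_can_patch(f):
    """True only if a patch exists, the OS is still supported and the
    hospital (not the supplier) controls the device."""
    return (f["patch_available"] == "yes"
            and not f["os"].startswith(EOL_OS_PREFIXES)
            and f["vendor_managed"] == "no")


def plan_coverage(findings, ips_filters):
    """Sort every finding into one of three buckets:
    - patch: fix at the source on the normal patch cycle
    - virtual_patch: cannot be patched, but the IPS has a filter for the CVE
    - exposed: neither option applies; needs isolation or supplier action
    """
    plan = defaultdict(list)
    for f in findings:
        if hospital_can_patch(f):
            bucket = "patch"
        elif f["cve"] in ips_filters:
            bucket = "virtual_patch"
        else:
            bucket = "exposed"
        plan[bucket].append((f["host"], f["cve"], ips_filters.get(f["cve"])))
    return plan


def summarise(text=SCAN_EXPORT, ips_filters=IPS_FILTERS):
    """One-shot report a security team can act on."""
    findings = parse_scan(text)
    hosts = inventory(findings)
    plan = plan_coverage(findings, ips_filters)
    return {
        "hosts": len(hosts),
        "unsupported_os_hosts": sorted(h for h, v in hosts.items() if v["unsupported_os"]),
        "findings": len(findings),
        "critical": severity_counts(findings)["critical"],
        "by_action": {k: len(v) for k, v in plan.items()},
        "exposed": plan["exposed"],
    }


if __name__ == "__main__":
    for key, value in summarise().items():
        print(f"{key}: {value}")
```

The "exposed" bucket is the number to watch: those are findings on devices the hospital cannot patch and the IPS has no filter for, so they need network isolation or action from the supplier. Re-running the report after each scan upload shows whether that number is shrinking.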
Intrusion Prevention Systems have been on the market for decades, but when you look at the healthcare sector’s cybersecurity track record, it’s clear that levels of IPS adoption and implementation have been inadequate.
Step 3: Governance, Risk and Compliance
Hospitals deal with a lot of device manufacturers and software suppliers. In one recent case, an attacker infiltrated a hospital’s network via its networked air-conditioning system. Because this one system wasn’t secure, the attacker gained access to everything on that network.
Regrettably, this scenario is becoming increasingly common. If an attacker can’t access a network directly, they’ll go through third-party suppliers.
Health organisations can only manage this supplier risk indirectly, through governance and compliance. For this reason, I encourage all healthcare agencies not only to discuss technical cybersecurity solutions with their suppliers, but also to address the issues of governance, risk management and regulatory compliance.
To manage risk, healthcare organisations must conduct risk assessments of all third-party suppliers. Practically all organisations have risk management frameworks. Whether it’s a software vulnerability, an x-ray machine going down, or a doctor being unavailable, managers and board directors need to know the level of risk that these issues pose to the healthcare organisation, its patients, and its associated labs, clinics and medical practitioners.
Therefore, it’s important to tell third parties: “Because we can’t test your application or device directly, you need to show you’re handling our data correctly and that you have good security measures in place.”
Part of a healthcare agency’s due diligence should include a questionnaire for every supplier to complete.
Questions might include:
- How do you protect the data that we entrust to you?
- How do you secure the devices that you provide us?
- How do you conduct ethical hacking and penetration testing on the applications that you supply to us?
- How can we be sure you’ve tested for vulnerabilities?
Then, if a third-party supplier’s security vulnerability leads to a significant data breach that becomes a scandalous news story, the healthcare organisation can at least show that they had taken data security seriously by putting the proper protocols in place with their suppliers.
At Content Security, we employ specialist GRC (Governance, Risk and Compliance) consultants, and this is one of our most commonly used services. These risk consultants conduct third-party assessments and audits of suppliers. We then report back to the healthcare agency and advise on the maturity of the security controls within each key supplier and the level of risk they pose to the organisation, its health network, its patients and its staff.
The reason I run the health strategy at Content Security is because I’m passionate about protecting Australian citizens’ health data.
Patient safety and wellbeing are healthcare’s most cherished values. For everyone who walks through a healthcare agency’s front door, let us give them an efficient service and treat them well; but at the same time, let’s also ensure we protect their privacy and their data.
If you’ve found this blog useful, please don’t hesitate to contact me. I’m more than happy to discuss any of these cybersecurity strategies in more detail. The best number to reach me on is 1300 659 964.