Providers, devicemakers lag in IT defense
Some experts say that insulin pumps and MRI machines have prompted deep concerns about the privacy of the devices. The FDA in 2014 issued guidance on medical device cybersecurity. Photo credit: Alan Levine/Creative Commons
The broad surround of digital technology that supports modern medicine wasn't supposed to end up this way: Hijacked by rampant concerns about maintaining privacy and even ensuring the safety of care.
But medical “infomatics” has proven to have a double edge — it can both save patients' lives while simultaneously putting them at risk as they must manage the long-term effects of their very personal information seeping out into the hands of bad actors. By some accounts, hackers now consider medical data to be more valuable than credit card data; a discovery that is driving information theft at hospitals, clinics, and insurance companies. And while it's made great strides, the healthcare industry is still behind in some tech and information safeguards.
See also: Data Management: Brace for the Breach
“A typical healthcare provider has four to five times as many smart devices as it has traditional computers and that spread is increasing,” says Barry Caplin, VP and CISO at Fairview Health Services, a complex of hospitals and medical organizations with some 22,000 employees in the Minneapolis area. And to a greater extent than almost any other field, in healthcare, users are very smart and educated. “They know what they want and we have to deliver it for them because patient care comes first.”
Medical devices represent another challenge. Ranging from implanted insulin pumps to giant MRI machines, they, with few exceptions, were conceived and fielded with little or no thought given to security, prompting deep concerns not only about privacy but even safety. Indeed, the computer security advocacy group, I Am the Cavalry, recently issued calls for a cybersecurity “Hippocratic Oath” to help improve practices.
Fortunately, observers see basic strengths in the HIPAA infrastructure to deal with garden-variety data loss and, on the device side, a positive formulation for action has emerged in new FDA device guidance. But those positives must be weighed against a host of worrisome facts.
For example, according to a survey sponsored by Bitglass, a data protection company based in Campbell, Calif., there was an 80% increase in data breach hacks in 2015 across the U.S. According to the“Bitglass 2016 Health Care Breach Report,” when protected health information (PHI) – including Social Security numbers, medical record data, and date of birth – is purloined, it is far more costly than ordinary data thefts. The survey cites a recent Ponemon Institute report that found the average cost per lost or stolen record to be $154 overall, but $363 on average for healthcare organizations. Large-scale attacks, alone, compromised the records of more than 10 million individuals in 2015.
On the device side, the sad fact is that the world is awash in unsecure “legacy” medical equipment, says Jay Radcliffe, a medical device cybersecurity researcher at Rapid7, a data security analytics firm based in Boston. Radcliffe underscored this on the stage of Black Hat in 2011 when he hacked his own insulin pump, revealing the potential life-threatening nature of poor security practices.
Fairview's Caplin deals with these issues on a daily basis and contends when it comes to medical information security, the attacker has the advantage. “They only need one way in, while the defender has to protect all ways in,” he says. “So the key to finding some kind of success is finding the right balance between prevention and control.”
See also: Cloud Marketing: Cloud Control
In all areas, healthcare has been late to the table compared to financial services and other industries, he says. Everyone is playing catchup, but it's not easy. “Healthcare is a very different business that has become very expensive and very low margin. The costs to provide care are up and reimbursements are down,” he says. Therefore, in the healthcare field, money for security is hard-fought.
But, Caplin says, the good news is that the healthcare field is getting a lot more mature. “One thing I find is that we have a fantastic healthcare security community, at least here in Minnesota, and folks are very willing to share information,” he says.
Like Radcliffe, he sees problem with devices and with the whole spectrum of Internet of Things (IoT) adoptions. At Fairview, that encompasses everything from smart refrigerators to smart lighting that is becoming part of the treatment and recovery process.
Caplin says that the huge and growing universe of not-too-secure devices is scary for a number of reasons, but especially because healthcare organizations tend to have a flat network connecting almost everything. By contrast, a financial service network is multi-tiered, segmented, and zoned with tools and controls to enhance protection.
That's a concern also expressed by Chris Sherman, an analyst serving security and risk professionals at Cambridge, Mass.-based Forrester Research. He says hospitals typically have multiple VLANs. Usually a traditional IT network is where medical records reside, he explains. And sometimes there is a separate network for bioengineering or a vendor-specific network for branded medical systems. Complicating the security challenge is complexity at the operating system level. “In traditional IT, you might have to deal with, at most, a few operating systems,” he says. “With clinical engineering, you could have 100 different vendors, many different operating systems and with multiple levels of access control and security vulnerability. So, security is really an operational challenge.”
Sherman says IT does not have a lot of alignment with clinical engineering activities, so security, especially when most of the devices are not managed by IT, is often left up to the vendor. “That means you can't really apply things like whitelisting and sandboxing and endpoint visibility control, anti-malware or anti-virus,” he says.
Two developments may help. One is a frequently referenced risk framework, IEC 80001-1:2010, application of risk management for IT-networks incorporating medical devices. “The industry is now trying to extend that ecosystem to include mobile health devices,” Sherman explains. The other development is from the FDA. Until recently, he says, the FDA was focused mostly on pre-market guidance for medical device-makers — namely the things you should include in a design to make it more secure. Recently, though, the FDA radically shifted to a lifecycle approach that recognizes the need to address care, maintenance and updates in the field.
CLARITY FROM THE FDA
For years, medical providers have petitioned the FDA to clarify the rules around cybersecurity and medical devices, says Mike Meikle, CEO of the Hawkthorne Group, a Richmond, Va.-based boutique management and information technology consulting firm. For instance, he notes, device manufacturers often believed they had to re-certify every time they applied an operating system patch or installed endpoint protection. The issue gained more urgency as HIPAA penalties for patient data breaches became more common. The FDA began to provide some clarity for these concerns with its October 2014 release of a guidance document on medical device cybersecurity. Since then, the FDA's approach has evolved with some of that thinking embodied in a workshop and newly published draft guidance in January 2016.
According to Katie Moussouris, chief policy officer at HackerOne, a San Francisco-based vulnerability coordination and bug bounty platform, one of the most persistent myths in the industry is that the FDA doesn't act “until the bodies start piling up.” In fact, in recent years they have been operating well ahead of any actual harm, she says.
“The goal of proactively addressing cybersecurity risks throughout a medical device's full product lifecycle is simple: to keep patients safe,” explains Suzanne Schwartz, associate director for science and strategic partnerships and acting director of emergency preparedness/operations and medical countermeasures in the FDA's Center for Devices and Radiological Health.
While building cybersecurity safeguards into the development and design of a medical device is essential in demonstrating the safety and effectiveness of the product, it doesn't end there, she says. In fact, once devices are on the market, new vulnerabilities can be introduced, “so we need to ensure mechanisms are in place to monitor, identify, and address these issues to keep patients safe and protect the public health,” says Schwartz.
Getting there has been a slow and laborious process. The FDA has been working with its stakeholders to address medical device cybersecurity for several years, she says. “This is the new reality today: Hospitals and healthcare systems are under constant attempts at attack and intrusion of their networks,” says Schwartz. Therefore, protection of these systems, which contain highly sought-after personal health information and personal identity information, means that medical devices need to be better secured as well.
Now, Schwartz says the FDA is looking to all stakeholders — manufacturers, researchers, government, and healthcare delivery organizations — to work together to collaboratively share information and assess cybersecurity risk “in a trusted and open setting” in order to better address device safety. This is a culture shift and will take a change in attitude and effort, Schwartz expects to see more and more open collaboration among these groups because, she says, she has experienced first-hand the positive effects this shared responsibility has on addressing cybersecurity vulnerabilities before they cause patient harm.
VALUE OF DATA
Russell Jones, partner in Deloitte's cyber risk services group (and its resident expert on cybersecurity and medical devices), advises on the FDA cybersecurity guidance. “As far as the FDA guidance goes, it is pretty robust,” he says. Jones contrasts the 2014 guidance, which focused on premarket steps, with the new lifecycle approach that is the focus in 2016.
“The FDA is now recommending device manufacturers to follow each device to the end of its life and understand how to support it from a security standpoint,” he explains.
Ultimately, though, better across-the-board protection for medical information will require that the value of the data must be understood, says Eric Chiu, president and co-founder of HyTrust, a cloud-focused control and security company. “It's often hard to pursue protection of that which has no perceived value,” he says. “The value of medical data is not as clearly understood as of now, and we're relying on regulations like HIPAA to drive compliance to policies that better protect medical data.”
Chiu says when personal or financial information is stolen, people may have to get a new card, make some calls, or do some level of repair to their identity and credit, all of which are considered inconveniences. However, if medical devices and the information they use during treatments are compromised, the consequence becomes more than just an inconvenience; it may mean loss of life or significant harm to patients, he notes.
Fortunately, many of the same practices that we're familiar with today to reduce risk and protect information can be applied, he says, namely working to identify, test and remove device vulnerabilities during development. Then, ongoing assessment must continue as these tools are deployed, giving consideration to how devices are connected to networks, what devices, people, and applications are able to access, and protecting information on devices and in applications by something as simple as encrypting the information.
Finally, notes Jovan Miladinovic, acting CISO at Toronto Public Health, the challenges are not unmanagemeable, but “people need to do their homework.” In his view, security processes and technologies have not evolved as much in the last 20 year as the threat. “New technology is coming faster than the governance we need,” he says.
When it comes to medical information, Miladinovic laments the excessive caution of some organizations. “There are great applications being developed but they are sometimes not deployed because a chief privacy officer vetoes them,” he says. “The role of privacy and security pros is to assess the risks rather than to simply have knee-jerk reactions.”
This story originally appeared in SC Magazine.