The healthcare industry is being rapidly transformed by new technology throughout the patient care lifecycle. However, the proliferation and growing sophistication of technology-enabled, networked and interconnected medical devices and other internet of things (IoT) devices require a holistic, thoughtful and programmatic approach to cybersecurity.
Healthcare providers and their internal auditors should plan for the impact of the IoT on their information technology environments. Patients’ sensitive information and even their safety are at risk.
J. C. (Cal) Slemp III is a managing director in Protiviti’s Technology Consulting Security and Privacy Practice. He develops and evaluates information security strategies and data privacy and compliance programs, incident response planning and execution, and security architecture services. Cal can be reached at [email protected] and (203) 905-2926.
Matthew Freilich is a senior manager in Protiviti’s Technology Consulting Security and Privacy Practice. He is responsible for technical penetration testing of embedded systems, IoT/NoT products and medical devices. Matt can be reached at [email protected] and (215) 704-1977.
Ensuring that the appropriate security controls are in place is critical in the continued assurance of patient safety and compliance with regulatory bodies, including the Office for Civil Rights (OCR) in the Department of Health and Human Services, and state laws like the California Consumer Privacy Act (CCPA). These also support various patients' rights to personal privacy.
A healthcare organization's cyber landscape now includes thousands of IoT devices (the categories are summarized in Exhibit 1) that process, store and transmit health information.
The Mirai, Hajime and Persirai botnets demonstrated how the explosive growth of IoT has created a new attack surface, already exploited by cybercriminals, hacktivists and nation-states. Healthcare organizations must now address this new threat landscape to determine how to protect themselves.
Additionally, the development of multimodal malware has changed how we need to think about the use and transfer of data between devices. A multimodal threat leverages a weakness on one platform, not to disrupt that platform in any way, but to use it as a host from which to launch an attack against a more data-rich environment. An example is using a compromised mobile device as a launching pad to infect a Windows or Unix environment, or compromising any number of devices to gain access to patient information.
These attacks follow the notion that the weakest link breaks the chain, and networked devices are all chained together. Everything from modern TVs and media players that run a Linux variant to devices that regulate and monitor patient health and treatment is susceptible to compromise. Since many IoT devices lack even the most basic cybersecurity protections, such as unique, non-default credentials or multifactor authentication, the devices often leave networks vulnerable.
A layered security approach is still key to protecting these devices and managing an infection that might occur. Never assume you can stop a threat actor at the gates. You still need to try to prevent the threat, but you also must be prepared to triage systems. An infection or attacker that establishes a beachhead in your environment is much like a medical illness that our hospitals treat every day.
Understand the symptoms that indicate an intruder, then react to the threat/illness with a treatment. Large sums of money have been invested in our electronic health record (EHR) environments with little to no attention to how these systems are secured, though security was a requirement in receiving the meaningful use funds.
The OCR and the Centers for Medicare & Medicaid Services (CMS) view security as a requirement that extends beyond the EHR to all the patient data on your networks. That expectation rests on the Privacy Rule's minimum necessary standard for use and disclosure, together with the Security Rule's required safeguards for electronic protected health information.
To achieve compliance with Health Insurance Portability and Accountability Act (HIPAA) rules as well as state laws, your organization must protect and limit access to patient data wherever the data exists in your network, whether the data is processed, stored or transmitted. Exhibit 2 summarizes the essential questions in dealing with protecting patient data and safety on the IoT.
Exhibit 1 – IoT devices
- Embedded medical devices that aid, regulate, treat or monitor the patient
- Care systems used to examine, monitor and treat the patient during clinical procedures
- Equipment used for clinical diagnosis
- Workstations, tablets and mobile devices used throughout the patient care environment
- Clinical applications from multiple vendors, integrated into the primary electronic health record (EHR) platform
- Clinical data stores used to improve patient care, quality and outcomes
- A technology support environment consisting of network gear, printers, switches and other devices used to log, capture and prevent inappropriate access and information usage
- Patient portals and other patient interface systems
- Third-party systems used to supplement, enhance and manage patient care
People and organization are key. Do you have the right leadership? Do you have the right organizational structure within your technology groups and a clear view of operations versus oversight for security? Does your information security function have the proper authority to report to the board and leadership?
Often, the answer to these questions is “no.” Many other priorities compete for attention from CIOs and IT groups, so segmenting or separating security needs between security oversight and security operations within IT is a helpful solution.
Security operations personnel are the day-to-day people in IT, and the Chief Information Security Officer (CISO) group is the oversight. The CISO group sets policy, has responsibility for the security event monitoring systems and the governance, risk and compliance (GRC) portals, and defines security rulesets. The CISO independently reports to the board, much like the chief audit executive in the internal audit function. Independence removes the burden from the CIO on prioritizing security over running the IT business, and synchronizes the CIO's role with the oversight role of the compliance function.
Another challenge is that too many boards believe security is covered by merely having an IT leader on their board. Cyber leadership needs to come from an in-depth and knowledgeable understanding of cybersecurity. Too many times, boards become complacent about cybersecurity reports from CISOs or CIOs that are superficial and even fictional, rather than insightful and factual.
Exhibit 2 – Questions for protecting data
- Where to begin?
- How should our security program be assessed?
- How should our investments be prioritized?
- Does moving things to the cloud help or transfer our security responsibility?
- How do medical devices affect our security systems?
Many organizations are only a roll of the dice away from a breach. The organizations think a breach will not happen to them or they will be able to mask the breach as someone else's fault. With the continued growth of cyberthreats today from actors ranging from nation-states like Russia, China, Iran and North Korea to profit-driven hackers, well-intentioned boards are not enough. Boards must be properly advised by qualified cybersecurity professionals performing independent evaluations of the organization's cyber posture, or by qualified cyber professionals on boards.
This idea that attackers will not go after hospitals or other healthcare-related organizations because they serve a public good is dead. Attacks already happen more frequently than many would like to admit.
HIPAA and the CCPA, as well as the General Data Protection Regulation (GDPR), require vigilance in assessing cybersecurity and cyber programs. Effective vigilance comes in the form of a multipronged approach.
Governance, organizational capability and cyber readiness can be evaluated at the program level by an effective review using the NIST Cybersecurity Framework, whose informative references map its outcomes to NIST SP 800-53, ISO/IEC 27001, COBIT 5 and other frameworks. Using the NIST SP 800-30 risk assessment methodology with a capable cyber team, you can assess your organization's cyber posture and its cyber governance, risk and compliance.
Additionally, since vulnerabilities and capabilities of IT services are constantly evolving, a quarterly or semiannual technical security test with penetration testing teams should be performed as well. Also, simulated exercises, with red teams attacking and with blue teams defending, should be completed to ensure that your system posture is at an adequate level to prevent or minimize a cyberattack.
Following the weakest-link theory, all the assets on your network should be inventoried, and the IoT can exponentially increase that inventory challenge. Too often, not every device attached to your network is known, or new devices cannot be prevented from attaching to it, which increases the chance that threats will find their way into your environment. Therefore, the devices must be inventoried, assessed and controlled.
Many tools can be used to inventory assets, and a few can be used to govern them. To be effective, a notification must occur the moment an asset joins the network and requests any form of access, such as a network address. Many tools rely on a scheduled active scan to discover assets, so a device that joins between two scans goes unnoticed; they do not usually include a continuous monitoring component that watches join events such as DHCP leases or switch port authentications.
With active hardware and device-level access management, when an infection does occur and starts to spread, IT must be prepared to isolate devices or systems on the network. IT performs battlefield triage by isolating that segment of the network and potentially taking the segment offline before the entire network is infected. Then IT can remediate that network segment before restoring its access. The technique can limit the effect to an enterprise but requires more than just detection.
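The kind of moment-of-join check described above, as an added example that is not part of the original article: it parses ISC dhcpd-style DHCPACK syslog lines, compares each newly addressed MAC against an approved-asset inventory, and emits a finding with the triage action (quarantine, verify with owner, or nothing). The inventory entries, the interface-to-segment mapping and the log lines are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed inventory of approved assets keyed by MAC address. Names,
# owners, segments and addresses are hypothetical values for this example.
APPROVED_ASSETS = {
    "00:1a:2b:3c:4d:5e": {"name": "infusion-pump-07", "owner": "biomed", "segment": "patient-room-devices"},
    "00:1a:2b:3c:4d:5f": {"name": "nurse-ws-12", "owner": "it-ops", "segment": "clinical-workstations"},
    "d4:ae:52:11:22:33": {"name": "ct-scanner-01", "owner": "radiology", "segment": "radiology"},
}

# Which segment each DHCP-serving interface belongs to (site-specific assumption).
INTERFACE_SEGMENT = {
    "eth1": "patient-room-devices",
    "eth2": "clinical-workstations",
    "eth3": "radiology",
}

# ISC dhcpd logs an acknowledged lease as:
#   DHCPACK on 10.20.1.15 to 00:1a:2b:3c:4d:5e (pump07) via eth1
# The hostname in parentheses is optional.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    severity: str  # "info", "warn" or "critical"
    mac: str
    ip: str
    segment: str
    message: str
    action: str    # what the operations team should do now


def parse_dhcpack(line):
    """Return lease details from a DHCPACK line, or None for any other log line."""
    m = DHCPACK_RE.search(line)
    if m is None:
        return None
    return {"ip": m["ip"], "mac": m["mac"].lower(),
            "host": m["host"] or "", "iface": m["iface"]}


def evaluate_lease(lease):
    """Compare one lease against the inventory and decide what to do about it."""
    segment = INTERFACE_SEGMENT.get(lease["iface"], "unknown")
    asset = APPROVED_ASSETS.get(lease["mac"])
    if asset is None:
        # Never-seen hardware just got an address: treat as hostile until proven otherwise.
        return Finding("critical", lease["mac"], lease["ip"], segment,
                       f"unknown device '{lease['host']}' obtained an address on {segment}",
                       "move the switch port to the quarantine VLAN and open an inventory ticket")
    if asset["segment"] != segment:
        # Known device on the wrong segment: misplaced, or its MAC is being spoofed.
        return Finding("warn", lease["mac"], lease["ip"], segment,
                       f"{asset['name']} (owner: {asset['owner']}) is approved for "
                       f"{asset['segment']} but was seen on {segment}",
                       "confirm with the owner; block the port until confirmed")
    return Finding("info", lease["mac"], lease["ip"], segment,
                   f"{asset['name']} obtained an address on its approved segment", "none")


def process_log(lines):
    """Run every DHCPACK in a log stream through the inventory check."""
    findings = []
    for line in lines:
        lease = parse_dhcpack(line)
        if lease is not None:
            findings.append(evaluate_lease(lease))
    return findings


# Constructed syslog excerpt; not real device traffic.
SAMPLE_LOG = [
    "Jun  3 08:12:01 dhcp1 dhcpd: DHCPDISCOVER from 00:1a:2b:3c:4d:5e via eth1",
    "Jun  3 08:12:01 dhcp1 dhcpd: DHCPACK on 10.20.1.15 to 00:1a:2b:3c:4d:5e (pump07) via eth1",
    "Jun  3 08:12:40 dhcp1 dhcpd: DHCPACK on 10.20.1.88 to 3c:22:fb:aa:bb:cc (android-7f3e) via eth1",
    "Jun  3 08:13:05 dhcp1 dhcpd: DHCPACK on 10.60.2.17 to 00:1a:2b:3c:4d:5f via eth3",
]

if __name__ == "__main__":
    for f in process_log(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] {f.ip} {f.mac} ({f.segment}): {f.message} -> {f.action}")
```

In production the log lines would come from a syslog feed or from DHCP server, switch or 802.1X (RADIUS) events rather than a list, and the "action" would be handed to the NAC or switch management system; the decision logic is the same. Note that a MAC address is an identifier, not an authenticator, so a "known" device on the wrong segment deserves a human check rather than an automatic pass.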
Many networks have been flattened too much, without logical or physical separation of assets by type or class of service. In healthcare, networks can and should be segmented, and therefore managed by appropriate approaches based on the types and classes of devices in the organization.
Examples of the categories that can be segmented include operating rooms, patient room medical devices, financial and operational systems, and other clinical environments, such as radiology, pharmacy and pediatrics. Creating these segments limits an attacker's ability to laterally move among segments or escalate their access.
A segmented approach means the development of not just a network architecture plan but also a security-based network architecture plan. Consider the operational parameters of each segment, the ports that need to be open, how to mitigate risks and treat risks in each segment appropriately, and the security assets needed to deploy to manage those risks.
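One way to turn such a security-based network architecture plan into something that can be checked and enforced, as an added example that is not part of the original article: the segments, their address ranges and the explicit allow-list of inter-segment flows below are assumptions chosen for illustration. The same plan is used to audit a set of constructed flow records for lateral movement and to render nftables rules for a forward chain whose default policy is drop.

```python
import ipaddress

# Hypothetical segments and address ranges chosen for this example.
SEGMENTS = {
    "patient-room-devices": ipaddress.ip_network("10.20.0.0/16"),
    "operating-rooms": ipaddress.ip_network("10.30.0.0/16"),
    "clinical-workstations": ipaddress.ip_network("10.40.0.0/16"),
    "ehr-core": ipaddress.ip_network("10.50.0.0/24"),
    "finance": ipaddress.ip_network("10.60.0.0/16"),
}

# The security-based architecture plan: every permitted inter-segment flow is
# listed explicitly as (source segment, destination segment, protocol, port).
# Everything else is denied. Ports are illustrative assumptions.
ALLOWED_FLOWS = {
    ("patient-room-devices", "ehr-core", "tcp", 2575),    # HL7 over MLLP to the integration engine
    ("operating-rooms", "ehr-core", "tcp", 2575),
    ("clinical-workstations", "ehr-core", "tcp", 443),
    ("clinical-workstations", "patient-room-devices", "tcp", 443),  # nurse views a device web UI
}


def segment_of(ip):
    """Name the segment an address belongs to; anything unlisted is 'unsegmented'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unsegmented"  # flat-network leftover or an external address


def is_allowed(src_ip, dst_ip, proto, dport):
    """Default-deny check for a connection initiated from src_ip to dst_ip:dport."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src == dst and src != "unsegmented":
        return True  # intra-segment traffic is policed by host or switch controls, not here
    return (src, dst, proto, dport) in ALLOWED_FLOWS


def audit_flows(records):
    """records: iterable of (src_ip, dst_ip, proto, dport), e.g. exported from
    NetFlow or firewall logs. Returns the flows the segmentation plan does not permit."""
    violations = []
    for src_ip, dst_ip, proto, dport in records:
        if not is_allowed(src_ip, dst_ip, proto, dport):
            violations.append({
                "src": src_ip, "src_segment": segment_of(src_ip),
                "dst": dst_ip, "dst_segment": segment_of(dst_ip),
                "proto": proto, "dport": dport,
            })
    return violations


def nft_rules():
    """Render the same plan as nftables rules for a forward chain whose policy is
    drop, so the plan that was audited against is the one that is enforced."""
    rules = []
    for src, dst, proto, dport in sorted(ALLOWED_FLOWS):
        rules.append(f"ip saddr {SEGMENTS[src]} ip daddr {SEGMENTS[dst]} {proto} dport {dport} accept")
    return rules


# Constructed flow records; not real traffic.
SAMPLE_FLOWS = [
    ("10.20.3.14", "10.50.0.10", "tcp", 2575),   # pump -> integration engine: allowed
    ("10.40.7.2", "10.50.0.10", "tcp", 443),     # workstation -> EHR: allowed
    ("10.20.3.14", "10.20.3.15", "tcp", 445),    # pump -> pump, same segment: out of scope here
    ("10.20.3.14", "10.60.1.5", "tcp", 445),     # pump -> finance SMB: lateral movement
    ("10.40.7.2", "10.30.2.9", "tcp", 3389),     # workstation -> OR RDP: not in the plan
    ("10.20.3.14", "203.0.113.8", "tcp", 443),   # pump -> internet: possible beaconing
]

if __name__ == "__main__":
    for v in audit_flows(SAMPLE_FLOWS):
        print(f"DENY {v['src']} ({v['src_segment']}) -> {v['dst']}:{v['dport']}/{v['proto']} ({v['dst_segment']})")
    print("\n".join(nft_rules()))
```

Two design points carry over to real deployments: the allow-list is keyed by the initiating side, so a device segment that only ever needs to talk to the integration engine gets no path to finance systems or the internet, and the "unsegmented" bucket makes flat-network leftovers visible in the audit output instead of silently passing.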
Not all assets can have antivirus software or agent-based security tools. The risks and the asset capabilities need to be treated differently. We can no longer assume that a homogeneous security approach to our networks and the assets on them is adequate.
The cloud and how to assess security in the cloud have increased risk and brought complexity to security infrastructures. Now, organizations must monitor and evaluate data flow, access rights and multi-tenant cloud integration in real time. Organizations need to understand and assess individual risks at the cloud level.
Never assume that responsibilities and requirements can be transferred to the cloud. Vendors run and manage their software-as-a-service (SaaS), platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS) products differently between the major vendors, including AWS, Google, Microsoft, IBM, Oracle and HP. Some offer integrated security capabilities, and some are limited, while some leave those responsibilities completely to your organization. Therefore, each cloud offering needs to be evaluated as if you are implementing a capability, service or application within your own controlled environment.
Medical device security
Medical devices continue to expand your network footprint and ultimately your attack surface, and some of these devices still run outdated, unsupported operating systems and wireless configurations that make them vulnerable to attack. Further adding to the concern is that many have open physical ports, such as USB or other serial interfaces. Anyone may plug a personal smartphone or other device into a medical device to charge it, potentially introducing malware directly to the medical device.
Many times, medical devices are outside the purview of the CISO, because the biomedical engineering team owns and manages the devices. But these devices need to have appropriate oversight and controls to protect them from malicious and inadvertent actors. Biomedical engineering is typically charged with ensuring that the medical devices are capable of operating in the way the purchaser intended. Ensuring that these devices are operating in the most secure manner possible may be outside of the biomedical engineering team purview or expertise.
As a result of this segmented set of responsibilities, the security of medical devices is sometimes misunderstood. Security teams may not be aware that a medical device is running an outdated operating system, like Windows XP, which may necessitate additional security controls. Other devices may be incapable of operating on-device security software, so security controls may be required at the network level, or the devices should not be connected to the network at all.
This lack of device-level insight can, and does, lead to an infection in one device proliferating to many devices in a short amount of time, potentially rendering them useless or untrustworthy, much as the WannaCry ransomware did to UK hospitals in 2017.
The healthcare industry is expected to continue adopting and utilizing new technologies across the numerous touchpoints of the patient care continuum. Healthcare organizations and their internal auditors need to ensure that proper governance and oversight are in place to design and implement appropriate controls to prevent the possibility of the IoT becoming a major weakness.
Securing these devices is not a one-size-fits-all process or one-and-done effort, but an ongoing battle in an ever-evolving cybersecurity war. Internal audit can help organizations assess the governance structures being established to identify, review, monitor and enforce appropriate controls over the full lifecycle of these devices. Your patients' sensitive information and their safety need to be protected.