BOSTON—Reality has bitten healthcare hard in the last year, with dire vulnerabilities in medical devices bubbling to the surface, malware infections a
BOSTON—Reality has bitten healthcare hard in the last year, with dire vulnerabilities in medical devices bubbling to the surface, malware infections affecting patient care at a number of facilities, and the realization that nowhere is the lack of information security professionals more pressing than in the medical industry.
Today at the Source Boston conference, Josh Corman of the Atlantic Council, an international affairs think tank, and I am The Cavalry, said that more than three-quarters of healthcare delivery organizations lack a single qualified security person on staff.
“There’s no one there to apply patches, receive threat intelligence, or respond to emergencies,” Corman said. “It’s basically nurses and medical technicians. There’s no one there.”
The lack of talent, coupled with a staggering number of vulnerabilities afflicting life-saving, connected medical equipment, is creating a critical situation in an industry that accounts for 20 percent of the U.S. economy.
“This is a wicked problem,” Corman said. “But many are solvable problems.”
Part of the challenge is that so much focus, especially on the legislative end with HIPAA, is on securing patient data and enhancing privacy. While data protection is important, relatively little parallel attention is focused on the security of medical devices.
Corman said that may be changing, given ransomware attacks that took hospitals in California and Kentucky offline last year, and also including public disclosure of vulnerabilities in St. Jude Medical implantable cardiac devices. More attention may result in more movement toward improved security, whether it’s through legislation or guidance and enforcement from bodies such as the Food and Drug Administration.
Corman identified five key areas that need improvement, starting with more security professionals entering healthcare. Gary McGraw, CTO and cofounder of Cigital, has said that some prominent financial services and security executives are seeing opportunities in healthcare and making the move over.
Meanwhile, McGraw’s Building Security in Maturity Model (BSIMM), which measures software security practices in more than 100 participating organizations, highlights the problems facing device security and secure development in the industry. Healthcare statistics have been shared in the last two BSIMM iterations and the industry is near the bottom of all 12 practices the model reports on.
Corman today said that legacy equipment—Windows XP’s proliferation among organizations in particular—is a major contributor to the lack of security in the healthcare industry.
“XP is everywhere,” Corman said. Microsoft has long since stopped supporting XP with security patches, and recently put Vista on end-of-life notice. “XP is way past end of life and lacking countermeasures. Vista is a best case in many organizations because of DEP and ASLR,” Corman added. “We’re in a bad way.”
Corman said that the government’s mandate to transition to electronic health care records has also incentivized bad behavior in the industry by attaching reimbursement conditions to the transition.
“The fastest path to money is not to make new devices and secure design and implementation. The fastest path for cash-strapped hospitals is to take devices that were never designed to connect and force them to connect,” Corman said.
Devices, meanwhile, are so rife with vulnerabilities that it’s not unusual for one piece of equipment to harbor more than 1,000 known flaws, Corman said, citing research conducted by Billy Rios, a well-known industrial control system vulnerability researcher. In the case of Hollywood Presbyterian Hospital, the SamSam ransomware took advantage of one Java deserialization vulnerability in one JBoss library to shut down the facility and force it to move patients to other hospitals.
“Seconds matter in healthcare,” Corman said. “If doctors don’t trust systems and have lost confidence in connected systems, they’re going to retreat to older, less connected technology.
“How much of our time and discussion in the industry has been focused on this, versus highly replaceable credit card numbers?” Corman asked.