Code red: Health IT must fix its security crisis

Poor understanding of risk leaves health providers vulnerable to attack, as malicious hackers threaten to wreak havoc

The health care industry provides an alluring target for malicious hackers. Personal health information has a much longer shelf life than financial information, making it a major draw for identity thieves. But a new and more troubling threat has arisen: the potential disruption of critical hospital systems by cybercriminals.

With a diverse array of digital systems, hospitals have evolved into complex technology operations. Yet they remain singularly ill-prepared to defend against attacks, in part because the multiplicity of systems forms a wider surface area to attack.

Spurred by massive breaches at health care giants -- and security research that has uncovered vulnerabilities in medical devices from insulin pumps to pacemakers -- the focus has shifted from data security alone to protecting a range of medical technology. Attackers can cause chaos and damage as they romp through hospital networks, which have their own special varieties of vulnerable endpoints.

The ransomware attacks that crippled Hollywood Presbyterian Medical Center in Los Angeles and Methodist Hospital in Henderson, Kentucky, weren't about pilfering confidential patient records. The intent was to bring these hospitals to a standstill -- which is exactly what happened. Medical staff couldn't access patient records, share surgery directives, or otherwise communicate with each other. Poor endpoint security and weak network protections made such successful attacks almost inevitable.

Health care under siege

Health care is intensely personal, both in patient disorders and their treatments, as well as in the interactions between patients and doctors, caregivers, and support staff -- most of which are documented and stored digitally.

But modern health care is also extremely technical. Specialized systems care for patients without moving them, robots perform actual surgery, and doctors rely on sophisticated equipment such as ECG, ultrasound, X-ray, CT, and MRI machines. These machines are computers, complete with operating systems, software applications, and network connectivity.

No one needs to launch a Stuxnet-like attack against a health care facility to disrupt medical care. An ordinary network worm can be just as devastating.

Consider Conficker, the fast-spreading Windows worm that is believed to have infected more than 11 million machines since 2008 and is still successfully infecting unpatched Windows systems. Researchers in 2009 found that Conficker had infected more than 300 hospital devices, including MRI systems, across a dozen hospitals in the United States. Conficker also shut down an entire sleep lab in a New Jersey hospital in 2010, requiring all patients to be rescheduled and costing the hospital about $40,000 to recover from the infection.

Hospitals have found malware infections on medical equipment such as imaging devices, eye exam scanners, and electrocardiograph stress analyzers.

Even with the diversity of equipment and installed applications, health care IT has the same requirements as traditional IT to close off potential avenues of attack, says Dave Palmer, a former member of the British intelligence agencies MI5 and GCHQ and currently director of technology at cyberintelligence firm Darktrace. Don’t forget that these organizations also have traditional enterprise systems for payroll and accounting, interdepartmental communication, and file sharing and collaboration, as well as the challenge of employees and patients bringing personal devices into the facility.

“The typical health care facility is a complex IT environment,” Palmer says.

Denial-of-service attacks can be as disruptive to health care facilities as they are to any other organization. In 2014, a DDoS attack against Boston Children's Hospital made some online services, such as patient appointment scheduling, sporadically inaccessible. The circumstances around that attack were unusual because it was a protest involving a controversial custody case, but experts say DDoS attacks accompanied by ransom demands are on the rise. Attackers flood the networks, then promise to stop if the organization pays them to go away.

IT basics matter

Consider endpoint security in health care organizations. Keeping these endpoints up to date with the latest versions of operating systems, browsers, plugins, and installed applications is not a simple task. Some applications may rely on Flash or Java, which are commonly targeted by malicious adversaries.

A recent analysis by authentication provider Duo Security found that twice as many health care endpoints have Flash installed and three times as many have Java, compared to endpoints in non-health-care organizations.

The common recommendation -- to uninstall Flash and Java from client machines -- doesn’t take into account the fact that many custom applications within the sector require Flash or Java. Many popular electronic health record (EHR) systems and the identity and access management software supporting e-prescriptions require Java, for example.

A different analysis by Forcepoint found that health care organizations are 376 percent more likely to encounter dropper malware (malware that backdoors compromised machines for further attacks) than non-health-care organizations.

Duo’s analysis also found that nearly half of health care providers use Internet Explorer 11 or older, exposing those systems to various attacks. Health care organizations are also more likely than other industry sectors to still have Windows XP systems. The presence of outdated software partly explains why health care organizations are more likely to see certain types of attacks.

“This type of landscape can cause the perfect cybersecurity storm,” says Grayson Milbourne, security intelligence director at Webroot.

Basic IT practices, such as asset inventory, patch and configuration management, and network security are critical in this kind of heterogeneous environment. A complete inventory lets IT know which systems actually run those applications so that IT can uninstall Flash and Java (and unused instances of custom applications) on the remaining systems.

Regularly patching and updating Flash, Java, the Web browser, the operating system, and other applications closes known security holes before Web-based attacks can target them. Many exploit kits also target zero-day vulnerabilities in Flash and Java, which no patch yet covers, so IT needs to evaluate which systems really require Internet access. Uninstalling the Web browser on machines that still need to be networked reduces the possibility of infection via a Web-based attack. There is no good reason to have a Web browser installed on a machine monitoring fetal heartbeat, for example.
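The inventory-driven triage described above, as an added example that is not from the article: it walks a constructed asset list and flags Flash or Java on machines whose role does not require them, browsers on bedside clinical devices, and end-of-life Windows or Internet Explorer versions. The role names, the role-to-runtime mapping and the hosts are assumptions standing in for a hospital's own records.

```python
"""Endpoint triage over an asset inventory (added example; inventory is constructed)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Roles whose applications are known (assumed local policy) to need a runtime.
ROLE_NEEDS = {
    "ehr-workstation": {"java"},   # EHR client requires Java
    "e-prescribing": {"java"},     # identity/e-prescription software
    "imaging-viewer": {"flash"},   # legacy viewer built on Flash
}
# Bedside and clinical devices that should carry no Web browser at all.
NO_BROWSER_ROLES = {"fetal-monitor", "infusion-pump", "mri-console"}
BROWSERS = {"ie", "chrome", "firefox"}
EOL_OS = {"Windows XP"}

@dataclass
class Asset:
    host: str
    role: str
    os: str
    software: Set[str] = field(default_factory=set)  # lowercase product names
    ie_version: Optional[int] = None

def triage(asset: Asset) -> List[Tuple[str, str]]:
    """Return (severity, action) findings for one asset; empty list means clean."""
    findings = []
    needed = ROLE_NEEDS.get(asset.role, set())
    for runtime in ("flash", "java"):
        if runtime in asset.software and runtime not in needed:
            findings.append(("medium", f"uninstall {runtime}"))
    if asset.role in NO_BROWSER_ROLES and asset.software & BROWSERS:
        findings.append(("high", "remove web browser from clinical device"))
    if asset.os in EOL_OS:
        findings.append(("high", f"migrate off end-of-life {asset.os}"))
    if asset.ie_version is not None and asset.ie_version <= 11:
        findings.append(("medium", f"replace Internet Explorer {asset.ie_version}"))
    return findings

def triage_fleet(assets: List[Asset]) -> dict:
    """Map each host with at least one finding to its findings."""
    result = {}
    for a in assets:
        items = triage(a)
        if items:
            result[a.host] = items
    return result

# Constructed sample inventory; hostnames are placeholders, not real systems.
INVENTORY = [
    Asset("NURSE-01", "ehr-workstation", "Windows 7", {"java", "flash", "ie"}, 11),
    Asset("FETAL-03", "fetal-monitor", "Windows XP", {"ie"}, 8),
    Asset("HR-07", "hr-workstation", "Windows 10", {"java", "chrome"}),
    Asset("PACS-02", "imaging-viewer", "Windows 7", {"flash"}),
]
```

Running `triage_fleet(INVENTORY)` leaves the imaging viewer alone (its role needs Flash) and lists the fetal monitor first for a browser on an XP box.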

Lock down the network

Most devices in a medical environment are networked. Potentially thousands of devices proliferate in a large hospital, each type with different networking needs. While some specialized systems don't need to be on the Internet, many require network access to tap into patient health records, look up drug interactions, or send specific data to appropriate care providers.

But there’s no reason for the workstations at nursing stations that handle patient records to sit on the same network as the workstations in accounting and payroll, nor should both databases run on the same server. Hospitals need to make it harder for attackers who have compromised one server to locate and reach other valuable servers.

Segmenting the network to isolate more vulnerable machines means that even if the attackers successfully compromise them, they are limited in how far they can spread across the network. But that's only the first step.

The next step is privilege management and restricting access to files and systems. Not everyone needs access to all files on the fileserver. Doctors shouldn’t be able to get to the administrator console of the MRI machine. There shouldn't be a way to see a piece of radiology equipment, let alone access the console screen, from an HR workstation. If the doctor has administrator rights, then you can bet malware will be able to get those privileges, too. 
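The segmentation and access-restriction steps above, as an added example that is not from the article: a default-deny zone policy with an explicit allow list, plus an audit that reports observed flows the policy would block, which is what to look for in firewall or NetFlow logs. Zone names, ports and the observed flows are constructed assumptions.

```python
"""Zone-based segmentation policy and flow audit (added example; data is constructed)."""
from typing import Dict, List, NamedTuple, Set, Tuple

class Flow(NamedTuple):
    src_zone: str
    dst_zone: str
    port: int

# Explicit allow list: (source zone, destination zone) -> permitted TCP ports.
# Anything not listed is denied, so an HR workstation never sees a radiology console.
ALLOW: Dict[Tuple[str, str], Set[int]] = {
    ("nursing-ws", "ehr-db"): {1433},              # EHR client to EHR database
    ("nursing-ws", "drug-ref"): {443},              # drug-interaction lookup
    ("hr-ws", "payroll-db"): {1433},                # payroll database on its own server
    ("radiology-modality", "pacs"): {104},          # DICOM from modality to PACS
    ("mgmt-jump", "radiology-modality"): {3389},    # admin console only via jump host
}

def is_allowed(flow: Flow) -> bool:
    """Default deny: a flow passes only if its (src, dst) pair lists its port."""
    return flow.port in ALLOW.get((flow.src_zone, flow.dst_zone), set())

def audit(flows: List[Flow]) -> List[Flow]:
    """Return observed flows the policy would block: either a misconfiguration
    or an attacker moving laterally, and worth investigating in either case."""
    return [f for f in flows if not is_allowed(f)]

# Constructed observed flows, as if parsed from firewall or NetFlow records.
OBSERVED = [
    Flow("nursing-ws", "ehr-db", 1433),
    Flow("hr-ws", "radiology-modality", 3389),    # HR box reaching an MRI console
    Flow("nursing-ws", "payroll-db", 1433),       # clinical network touching payroll
    Flow("radiology-modality", "pacs", 104),
    Flow("radiology-modality", "internet", 443),  # modality has no Internet need
]

if __name__ == "__main__":
    for f in audit(OBSERVED):
        print(f"BLOCKED {f.src_zone} -> {f.dst_zone}:{f.port}")
```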

Network-connected medical devices must be secured so that an attacker on one side can’t jump to other networks or use the devices as a point of entry from outside. The number of devices -- easily in the tens of thousands in a large hospital -- means paying extra attention to physically securing them. It’s unlikely someone can stroll out the door with a CT scanner or an ultrasound machine, but it is easy to steal a laptop and use its remote-access software to get onto the network.

Administrators must enable two-factor authentication where possible and make sure employees follow basic password policies -- such as preventing users from sharing passwords across applications or systems.

Health care organizations run a number of specialized, often customized applications. They are also increasingly adopting web, mobile, and cloud-based applications. Imperva’s annual report found that health care applications are likely to suffer 10 times more cross-site scripting attacks than applications in other industries.  

Nearly 80 percent of health-care-related applications contain easily avoidable cryptographic issues such as weak algorithms, says Chris Wysopal, CTO and CISO of application security company Veracode. Whether it’s a SQL injection flaw in the web application or an issue in how the application encrypts data, the consequences are equally serious.

Basic application security rules apply here. In-house applications should be tested for vulnerabilities, and many organizations are spending more on external security assessments and inserting liability clauses into contracts with software vendors, according to a recent HIMSS/Veracode survey. The motivation for these assessments is liability fears rather than increased security awareness. Regardless, it’s still a good step forward.

“Remedying the problem starts with a good look at how health-care-related software is built and making sure that security is a priority,” Wysopal says.

Changing the mind-set

Part of health care’s security crisis is cultural. As long as the efforts of IT and security personnel are seen as less significant than those of medical professionals, conflict will ensue.

Security awareness is necessary -- but it must be balanced against the fact that much of the staff has demanding schedules and may be inclined to skip training.  

Health care’s rigid focus on compliance, especially the Health Insurance Portability and Accountability Act of 1996 (HIPAA), is part of the problem. While maintaining patient privacy is important, the hyperfocus on maintaining compliance opens gaps in network and endpoint security. Recent attacks show that HIPAA compliance doesn’t mean much if employees are susceptible to social engineering and hand over their login credentials, as happened with the Blue Shield breach -- or if laptops containing employee records aren’t encrypted and get lost, or if computers running outdated software are vulnerable to web-based attacks.

The balance of power is lopsided in health care organizations. Despite the abundance of valuable data and technology, the bulk of the decision-making authority rests with doctors and medical personnel, not IT. At budget time, IT and security spending typically takes a backseat to buying new medical systems and hiring additional medical staff.

That needs to change. Without proper IT and security management, health care organizations will find their ability to offer quality care compromised.

Stories by Fahmida Y. Rashid