Last August, when Community Health Systems, Franklin, Tenn, disclosed that hackers had stolen the personal data of 4.5 million of its patients, Mike Ahmadi was not in the least surprised. The healthcare sector, says Ahmadi, global director of medical security at Internet security firm Codenomicon, Saratoga, Calif, features a vast array of networked devices and valuable, electronically stored health records. That makes it a tantalizing target for cybercriminals.
What did surprise him, Ahmadi says, was the news that the thieves, from China, had accessed the data by exploiting the OpenSSL “Heartbleed bug” his firm had discovered last March. When Codenomicon publicized the flaw, he recalls, “there was this huge outpouring all over the world, and everyone was saying how important it was to fix it.” Then, predictably, the enthusiasm died down. “And as time went on, and as organizations weren’t breached,” he says, “a lot of them decided they didn’t need to worry about it.”
The specifics of what happened at Community Health Systems, including the question of how quickly the company and its vendors made the recommended fixes to its networks, are a topic for another article. Nevertheless, Ahmadi says, the lesson here is that healthcare facilities need to up their game—now. “Because this is just Heartbleed. And while Heartbleed is big, and I believe that every single healthcare system in the world has significant exposure to its vulnerabilities, it’s really just the beginning. It’s the tip of the iceberg.”
A Lucrative Market
Mike Ahmadi is hardly alone in sounding the alarm. An April 2014 notice from the cyber division of the FBI, for instance, predicts that criminals “will likely increase cyber intrusions against health care systems—to include medical devices—due to mandatory transition from paper to electronic health records (EHR), lax cybersecurity standards, and a higher financial payout for medical records in the black market.” [1] The healthcare industry “is not technically prepared to combat” these attacks, it says.
The EHR issue is of particular concern, agrees Jeff Kabachinski, director of technical development at Aramark Healthcare Technologies, Charlotte, NC. If you’re a hacker, he notes, you see that “transition date getting closer”—the deadline is January 2015—“and as it does, you’re watching more and more healthcare IT systems go online, and you’re basically just watching your market expand.” A related concern, adds Jay Radcliffe, security consultant at Rapid7, El Segundo, Calif, is that once attackers start delving into the medical arena, “you’re talking about hacking devices that don’t just hold user data and financial information, but they’re actually attached to people.” A hacker may or may not intend to physically harm a patient, but in the process of getting what he wants, he could. “And that’s a very scary scenario.”
Prior to the breach at Community Health Systems, 2014 had seen just 14 reported healthcare network hacking incidents compromising the patient data of 500 or more individuals [2]. Far more common were breaches resulting from things like lost or stolen laptops, or faxes or emails sent to the wrong people. In most of those cases where equipment was stolen, meanwhile, it was the device itself that the thief wanted, and the “exposure” of personal data did not result in serious consequences for the affected patients. Bottom line: The intentional pilfering of protected health information is a relatively uncommon occurrence, and the pilfering of that information via hacking is even less common.
Still, says Anthony Catalano, senior advisor at information-security consulting firm SecureState, Cleveland, if you think that means you can just focus on “what really matters,” like getting your devices to work and interoperate in the hospital environment, you’re wrong. His work has him visiting hospitals and conducting penetration tests on their networks “to see what’s vulnerable” to attack. “And consistently, we’ll find machines that aren’t protected properly.” He and his team have found vulnerabilities in pacemakers and insulin pumps, for example, and they recently intercepted patient data as it was transmitted by an MRI scanner.
That kind of news, as disturbing as it sounds, is actually good for a facility to hear, since it can then take action to shore up its defenses before an attack takes place. Rules outlined by the Health Insurance Portability and Accountability Act require healthcare organizations to take patient privacy and security seriously. Stiff fines may be levied on any facility that hasn’t conducted thorough due diligence prior to a breach. It may be “impossible to eliminate all of the attack vectors” a hospital might face, Catalano says, but if you do what is prudent and follow industry best practices, “you’ll eliminate liability while also getting the most protection you can.”
So what are those best practices? And what, exactly, should your priorities be? The experts 24×7 spoke with all agree that cybersecurity is an amorphous beast. As Ahmadi puts it, “something that is secure today will not necessarily be secure in the future.” Technology changes, and the problems that come with it change as well. “It’s like the human body. You might go to your doctor and get a clean bill of health, but that doesn’t mean you’re done. There are things you have to do throughout your life to remain healthy.” Viewing cybersecurity as an evolving process, Ahmadi says, may be the best thing you can do to stay one step ahead of the hackers.
Best practices, then, necessarily change with technology itself, and depend in large part on the devices and networks that are part of your system. That said, the series of standards known as ISA/IEC-62443 is considered the authoritative resource on cybersecurity [3]; and organizations like AAMI (aami.org), MDISS (mdiss.org), and HIMSS (himss.org) are all actively developing security-related best-practice documents as well. Becoming involved with one or more of these groups is a great way to keep informed about the latest security-related developments in the industry, Ahmadi suggests.
Beyond that, experts say, the most important thing a technician or engineer on the front line can do is go back to square one. “Nothing else matters if you don’t have the basics down first,” Kabachinski says. “You can firewall all you want, do all the penetration testing in the world, and if you share your password with the wrong person or open that attachment in your email,” it may all be for naught. “If you get a call at your desk from someone saying, ‘Yeah, this is Joe from the IT department, and I’m doing this and this and I need your password,’ don’t fall for it.”
As a tech, Kabachinski notes, “you’re going to run across patient data. The key is to do no harm when you do.” Don’t use the same passwords on different sites, he says, and if you’re using a laptop “that the biomed department has online to look at what’s happening on a network, don’t be playing games on it or using it to check your email.” When you do so, he says, you’re offering an entry point for criminals.
Suzanne Widup, senior analyst on the Verizon Enterprise Solutions cybersecurity RISK Team, agrees: The “glaringly obvious things,” like failing to change default passwords, typically present the biggest threats. “We see it all the time,” she says. “Vendors come in and they’ll have a standard way of doing things, and security isn’t always at the top of their list of concerns, so they’ll use very simple passwords”—like “vendor name-customer name.”
Leaving a combination like that in place is like holding the door open for thieves, Widup notes. “If they guess it, they’ve basically got the keys to the kingdom.” Both Widup and Kabachinski stress that the best way to avoid many of the headaches associated with the theft, loss, or misplacement of medical devices containing patient information is by using encryption. “If it’s encrypted,” Kabachinski says, “the data is safe.”
The Bigger Picture
Beyond those simple yet often-overlooked measures, top-notch cybersecurity is typically attainable only with the backing of leadership. The best-defended facilities, like Methodist Hospital of Southern California, Arcadia, Calif, where Anthony Coronado is biomedical engineering manager, hire outside consultants, conduct thorough risk assessments, produce lengthy reports that are delivered to administrators, and ultimately develop comprehensive risk-management plans.
“Around 70% of our medical equipment is networked in some fashion,” Coronado says. “So our mitigation plan basically locks everything down.” The process, which is ongoing, involves close collaboration between IT and biomed, and involves asking one simple question about every piece of equipment in the facility, he explains: “Does it transmit, store, or maintain any electronic information?”
If the answer is yes, he says, “we go through a 57-question risk assessment that details every aspect of the vulnerabilities associated with that device. Is encryption needed? How do we transmit the data? How is it stored, and how is it backed up? Who has access to it? We look at the passwords, we update unique log-ins,” and much more, he says. The bulk of the work was completed 2 years ago, Coronado says, and he now believes that Methodist’s medical device network is secure. (In 2013 the facility was recognized by the ECRI Institute for its cybersecurity protocol.)
Still, networked devices require software updates and patching, and new equipment comes in, and working with vendors on security-related issues can be challenging. Most of their equipment works on the no-longer-supported Windows XP, for example, so they’ve had to call vendors to “see if it’s OK if we update the operating system,” Coronado says, “to make sure the software will still work. You have to communicate with each one, one by one, and that takes a long time.”
It’s those vendors, in fact, who biomeds like Coronado and security experts like Mike Ahmadi would most like to see take the lead in the healthcare industry’s fight for cybersecurity. Coronado says he’s lobbying the FDA to mandate “that all vendors make equipment that is secure-network ready.” Ahmadi, for his part, suggests hospitals insist that manufacturers provide them “with products that have security built in,” and then test those products themselves to independently verify manufacturers’ claims. “Device makers will always tell you their products are secure,” he notes, and maybe they believe that’s the truth. “But are there processes in place for continually testing” that security, to ensure those devices remain secure for years to come?
Questions like that are something Michael McNeil, global product security and services officer at Philips Healthcare, Andover, Mass, says he thinks about all the time. “We know there are bad guys out there. We know there are threats and potential vulnerabilities. So security is critically important to us, and it’s built into our product-development process.” Philips, McNeil says, “proactively” works with the FDA, the FBI, the Department of Homeland Security, and industry organizations “to understand exactly what those threats are.” The company also discusses potential vulnerabilities with its customers and provides information and training on how those vulnerabilities should be addressed.
Philips’ overarching message, he adds, is that “everybody has a hand in the process,” whether it’s the manufacturer, industry groups, the biomeds and clinical engineers, the IT department, or an individual facility’s leadership team. “Everyone has the ability to increase the overall security of the medical-device ecosystem.”
Philips, McNeil says, will continue to work with regulators and utilize best practices and revamp its products as security issues demand, but it will also ask that its customers remain vigilant. “That, I think, is critical. You can purchase our products and incorporate them into your system in the most secure manner possible,” and yet hackers, inevitably, will find new ways to attack. His message, therefore, is simple: “Stay active, and keep up to date on the latest software and releases.” And finally, keep your eyes open. For as Rapid7’s Jay Radcliffe points out, “When something doesn’t seem right, it probably isn’t.”
Chris Hayhurst is a contributing writer for 24×7. For more information, contact editorial director John Bethune.
1. FBI Cyber Division. Health care systems and medical devices at risk for increased cyber intrusions for financial gain. April 8, 2014. Available at: https://info.publicintelligence.net/FBI-HealthCareCyberIntrusions.pdf. Accessed September 4, 2014.
2. US Department of Health & Human Services. Breaches affecting 500 or more individuals (breach search tool). Available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html. Accessed September 4, 2014.
3. ISA 99. ISA99: Developing the vital ISA/IEC 62443 series of standards on industrial automation and control systems (IACS) security. Available at: http://isa99.isa.org/ISA99%20Wiki/Home.aspx. Accessed September 4, 2014.