Although incidents of cyber attacks are on the rise, healthcare has lagged behind other industries when it comes to implementing security measures. At separate sessions during the first full day of the AAMI conference in Denver on June 6, two speakers urged attendees to confront the issue directly and offered potential solutions.
Billy Rios, a cybersecurity expert and founder of Laconicly LLC, told his audience during the opening general session that taking a wait-and-see approach—or worse, actively burying their heads in the sand—is tantamount to “relying on the goodwill of strangers to ensure that they don’t hurt someone.”
“Be proactive,” he counseled. “The ‘we’d rather not know’ attitude has no place in healthcare.”
Rios has spent his entire professional life “attacking and defending computers,” he says. His parents purchased his first computer while he was still in middle school, in the pre-Windows days of MS-DOS. His resume includes stints catching hackers for the Defense Information Systems Agency, overseeing Internet Explorer’s security program for Microsoft, and working as a so-called security ninja at Google. While working on the “offensive” side, he uncovered and exploited security vulnerabilities, breaking into various company websites, software systems, and platforms.
Despite increasing pressure to sew up loopholes, hacking remains “very easy to do for healthcare organizations,” Rios says. All that is needed to exploit a system is a single device that can be used as an entryway. From that “lily pad,” or jumping off point, hackers “pivot” to other parts of the enterprise, rapidly escalating the attack both horizontally (expanding the number of devices accessed) and vertically (expanding their user privileges to the highest level). They locate the “key terrain” needed to access the data they want, such as an email server, electronic health record system, or patient-connected device. The final stage comes with executing an action—reading emails, stealing data, or manipulating a device.
“There are bad people in the world,” Rios says, a lesson that was driven home to him during his service in the Marines during Operation Iraqi Freedom. “You will face people on your network trying to get to your patients or your data or your devices who are better than I am.” Ultimately hackers want to get to patients, he said, by accessing their data or compromising their care. The only way to ensure that they don’t succeed is by coordinating the efforts of the three pillars of healthcare—the healthcare organization, the medical device manufacturers, and regulatory agencies. “Our strategy should not be built on the goodwill of strangers,” Rios said.
In a subsequent session 2 hours later, Mike Ahmadi, global director of critical systems security for Codenomicon Ltd, said that he often hears customers complain that they don’t have the resources to fix cybersecurity “bugs” that no one is complaining about. That attitude is a mistake, he warns. For example, in 2014, just 10 vulnerabilities accounted for nearly 97% of all exploits. Of the known vulnerabilities, 8 out of 10 were more than 12 years old, but had not been fixed.
One potential solution currently in the works is the Cyber Supply Chain Management and Transparency Act of 2014, introduced by Rep. Ed Royce (R-Calif). The law would require that all companies providing software, firmware, or other products to the federal government supply a bill of materials for all third-party and open source components used—what Ahmadi calls an “ingredients list”—and testify that the products contain no known vulnerabilities.
The industry is currently designed so that blame for breaches typically falls on hospitals rather than manufacturers, Ahmadi says. To some extent, that’s justified, he argues: hospitals rarely follow the security practices mandated by their cyber-insurance policies, such as regularly checking for and applying security patches or conducting due diligence on third-party provider security practices. Those failures can effectively void cyber-insurance policies, leaving hospitals on the hook for millions in damages. But efforts like the current legislation may soon push some of that responsibility back on to manufacturers.
Once hospitals are aware of vulnerabilities, they can take steps to fix problem systems by removing them from the network or placing them behind a firewall. But the first step is more basic, Ahmadi says: facing the problem.