As many healthcare facilities are painfully aware, cybersecurity is far from a settled matter. But the last 2 years have brought encouraging signs of progress, says Anthony Catalano, a healthcare security management consultant for SecureState, a cybersecurity firm. Hospital leaders are increasingly recognizing the seriousness of the issue and making it a higher priority at their facilities. The US Food and Drug Administration (FDA) has issued a number of cybersecurity guidelines on their website. Still, Catalano says, balancing long-term security concerns against day-to-day needs and defining clear roles and responsibilities for staff remain ongoing challenges at many locations.
Catalano joined SecureState in 2013 after previous stints working in medical device implementation and telemetry technology development. A former premed student, he has tracked the medical field closely for many years. “My father is a physician, so this kind of stuff is dear to my heart,” he says. After switching his major to psychology in college, he put his background in network support and administration to use post-graduation by starting his own IT company. That experience proved valuable once he decided to focus his career on security and compliance issues. Catalano spoke to 24×7 about hospitals’ security blind spots, how hackers can exploit medical devices to cover their tracks, and the going rate for stolen private health records.
24×7: How would you characterize the current state of cybersecurity in healthcare, compared to other industries?
Catalano: In 2013, we noted that the medical vertical was one of the worst industry verticals in terms of information security. We did that by benchmarking them against 10 other industry verticals using a standardized control set that SecureState uses. In 2014, we saw them shift more toward the middle, to sixth or seventh. This year, they’re fourth or fifth. They’re actually getting better. The challenge we’re seeing with the medical industry is that they’re overly regulated, and they spend so much time trying to chase evolving regulations, and they have such small profit margins, that some of these initiatives are actually pretty challenging for them.
There has been dramatic improvement. I think it’s because the cost of personally identifiable information (PII) data has gone up dramatically. PII is anything that can identify a person—social security number, name and address, any kind of sensitive information that is protected by HIPAA. When a hacker steals a PII record, the cost is tracking anywhere from $150 to $1,000 per record on the hacker black market. Payment card industry (PCI, or credit card) data is selling for about $1 on the black market. The higher value of PII data is going to drive hackers toward that information.
24×7: What types of your facilities are your clients?
Catalano: We’re looking at anything from data centers that actually house healthcare information for hospitals to hospitals themselves. One trend we’re seeing with healthcare is that hospitals are decentralizing their structure. Instead of having all the physicians, physicians’ offices, and clinics in one location, facilities are kind of pushing them out. There are cost reasons associated with that, but they need to perform audits and maintain the security posture of those downstream providers as well.
24×7: What services does SecureState provide for hospitals?
Catalano: We do a full range of security consulting services, and obviously HIPAA is a big part of that. Typically, we identify all the deficiencies through a penetration test, and we’ll map what needs to happen tactically (short-term) and strategically (long-term). We give that plan back to the hospital and say, “These are the tasks that we believe you need to undertake.” They give us their feedback. Once we agree on a set of tasks, SecureState can engage in almost any capacity to further the security program as the organization sees fit.
We try to help organizations identify what initiatives they should be undertaking so they don’t fall into a cycle of short, quick-fix items. We do strategic and operational planning with organizations to help them discover if their security program is properly funded.
Because we’re engaged with so many other healthcare providers, we have the ability to perceive trends as they’re developing. We try to align security and best practices with what our customers are doing, and try to anticipate regulatory considerations and how they might evolve. And because we have so much experience with not just the healthcare vertical, but every industry vertical, we can see trends develop in the security industry and relay them to our clients and help them get ahead of the curve.
24×7: What sort of security loopholes do you see among hospitals that believe they’re being compliant?
Catalano: A lot of organizations do penetration testing. In the security industry, that’s how we identify vulnerabilities that are present in the environment. A vulnerability scan walks around the outside and looks in the doors and the windows and sees if there are any openings in the house that you could potentially exploit. A penetration test will actually go to the door that might not be locked properly and break the door down.
A lot of organizations think that when they perform a penetration test, then they’re safe. But what they fail to realize is that a penetration test is a scoped event. It doesn’t really give them full visibility into their security posture; it just demonstrates what a hacker might be able to exploit in 16 hours of testing. There’s a false sense of security that if you do a penetration test and then you fix what was found, then all of a sudden you’re a lot more secure.
24×7: What would those two tests look like applied to a medical device?
Catalano: If we did a vulnerability scan on a respirator that’s attached to the network, we might find that the respirator has a default username and password, that it doesn’t have an appropriate security certificate, and that a lot of the administrative controls are enabled—so you could log in to that device and change the time, or change where it’s reporting to on the network. In a penetration test, we would actually try to exploit those vulnerabilities. We would see if we could go change the time of the device, or attack the device so that it causes a denial of service (DoS). If you attack the device and flood it with information, sometimes the device will shut down.
24×7: What are some of the problems you’ve found in testing?
Catalano: A lot of issues we see with medical devices are that they’re not on safe and secured network segments, separated from the rest of the network. We had a live penetration test about a month and a half ago. Our profiling team was able to compromise the mammogram machine and see a live feed coming off of it. The point is that data was being transmitted in an unencrypted format across the network, and it should not have been set up that way.
The interesting thing is that there’s FDA guidance around protecting medical devices. They’ve issued this guidance stipulating that you should disable default administrative controls, change the passwords of the device, and put it on a safe network segment—but it’s not mandated. The FDA also stipulates that the manufacturers of the medical devices are the ones responsible for maintaining and patching these systems. Say you’re a hospital administrator, and you have 30 different types of ventilators or pumps on your network. How do you maintain 30 different manufacturers’ compliance? How do you maintain that they are all patching and effectively reducing your vulnerabilities, because it’s their responsibility? At the same time, if there’s a breach at the hospital, most likely it’s going to be your hospital that takes the heat, as well as the manufacturer. Both parties would end up being liable.
24×7: Is the challenge that hospitals aren’t focused on cybersecurity?
Catalano: They’re focused on it, but when you’re trying to integrate 30 different vendors that you need to make all their equipment work, the last thing you’re going to care about from an operational perspective is whether these devices are properly secured. You just want to make sure they work. A lot of times the focus is getting them working and keeping them from interrupting anyone’s potential health. When an example comes out that a life has been lost or someone’s health has been affected by a breach, it will bring a lot of attention to the issue.
We’re also seeing a trend where board of directors and CEOs are much more interested in security than they’ve ever been. Probably in the last 8 or 9 months, we’ve seen a huge uptick, which is very refreshing. They’re being educated as to the importance of this at industry events and conferences, and they’re being advised by their legal teams as well. As we see more breaches, it’s calling a lot more attention in general to what’s going on.
24×7: Are there any other risks associated with medical devices HTM departments should be aware of?
Catalano: The two major risks are obviously affecting someone’s health or stealing private information. There is legal exposure for the hospital and the personnel maintaining those devices.
I sat down next to a malpractice attorney on a flight a few months ago. She said, “We’re claiming the patient was injured, but we can’t verify the time that the injury occurred because the device didn’t have the right time.” I said, “That’s interesting, the device should have the appropriate time set. It should sync with the network.” And she said, “The IT person came back and said the time kept changing.” In the lab here at SecureState, we’ve actually been able to attack a device and slow the clock down, which would effectively manipulate the timeframe in which an event occurred. So if the device thought it was last night that something happened, but it really happened today, then you could potentially hide your tracks.
24×7: What steps can HTM departments take to support security at their facilities? Is it just an IT concern?
Catalano: Security is not an IT issue. Security is essentially a governance issue. IT and security have very conflicting agendas. IT wants to keep the lights on. They want to keep things running. Security doesn’t care about that—they want to make sure the device can’t get hacked into. If you have 30 new ventilators and the CEO of the hospital says, “I want these running tomorrow,” who’s checking security in that situation? It’s important to clearly establish roles and responsibilities pertaining to security, because if you give security to the operations guy, security is going to take a backseat.
We like to draw it out as a triangle. If you put security at the top of the triangle, you have operations in the bottom right corner, and in the bottom left corner you have audit. Security writes the responsibilities, procedures, roles, and policies for operations, and operations is supposed to follow those. Audit checks security to make sure they’re issuing appropriate security policies, but it also checks operations to make sure they’re following what security has delegated. You need that triangle of governance to maintain a secure infrastructure, and a lot of hospitals are missing that.
Anthony Catalano is the senior healthcare management consultant for Secure State. For more information, contact chief editor Jenny Lower at firstname.lastname@example.org.