What comes to mind when you think of a breach? If you’re like most people, you think about credit card data and stolen financial information. What you likely don’t think about immediately is breached medical devices, leaked healthcare records, and other data about your medical history.
Over the last few years, attacks against healthcare institutions have become more prevalent. Driving this are several factors, including the dramatic drop in the value of stolen credit card data and the relative ease with which attackers can breach healthcare institutions. All of these attacks have thrust the healthcare industry into the spotlight, and what we’re finding isn’t good.
Let’s discuss the looming perfect storm that I believe is going to cause grief and disaster, both locally and on a national scale, in the coming years in healthcare IT — and what we can do to minimize the damage.
The state of modern healthcare infrastructure
Many of us in the cybersecurity space have warned of the issues in healthcare IT for a long time. From old computer hardware and unpatched operating systems to patchworks of old and new software, not to mention hundreds of different hardware vendors across a single infrastructure, healthcare organizations have very complex environments, which makes securing them a hard job. We’ve been told hospital IT systems run on tiny budgets because hospitals and healthcare run on razor-thin margins. At the same time, hospitals are among the places that can least afford an IT infrastructure disaster, because people’s lives are literally at stake.
Let’s start with infrastructure. In general, healthcare IT has accrued technical debt for more than 25 years. Everywhere you look, whether it’s at the doctor’s office, hospital, or an urgent care facility, you see disparate and often dated IT systems. It’s not as rare as you’d think to see Windows XP-based computers at the check-in desk and throughout the facility. Many of the most common pieces of equipment and their attached computer systems run outdated operating systems and unpatched, archaic software, and have little security on them. I promise you it’s not for lack of trying by the IT and cybersecurity teams.
So much outdated software exists largely because the vendors that support these systems focus on the healthcare aspect rather than on upkeep and security. In other instances, devices were never intended to be connected to a network, which leaves them vulnerable to remote attacks because they aren’t configured to be protected from network-based attackers. Finally, there is certainly some “if it ain’t broke, don’t fix it” mentality. Walking around, you’ll find computer systems under people’s desks that have served a single purpose for a very long time. So long, in fact, that the healthcare professionals using that platform have no idea how to update it or whom to ask. Other platforms are so sensitive that they are nearly impossible to take down for maintenance, and so the can is kicked down the road.
Having been a part of modernization projects, I can personally attest to how difficult it is to replace working systems with more modern equivalents. Compatibility issues with peripherals or third-party software, institutionalized knowledge of how to navigate the operating system or software, or the loss of productivity from introducing a change can cause significant problems. Entire departments push back on upgrades out of fear of lost productivity and the need to retrain staff. In several cases I can recall, the software or peripherals in use simply did not have an upgrade, and the existing device or software wouldn’t work with a modern operating system. With these factors in play, IT was stuck having to make exceptions. And we all know that exceptions pave the pathway to disaster.
The opportunity for attackers
We now have attackers turning their sights on healthcare IT. Amid all that technical debt, there is an unfortunate number of ways to hurt healthcare organizations. Attackers can disable systems with ransomware, steal information about patients, or corrupt critical systems, and in a worst-case scenario they can directly attack life-sustaining systems to cause loss of life. There are many vulnerabilities to be concerned about.
Attackers are turning their sights on healthcare IT not just because it’s vulnerable, but because this is where the high-value data is at the moment. As the value of a credit card record falls on the dark markets, the cost of an identity, complete with medical records, skyrockets. A person can get a new credit card easily enough, but it’s impossible to get a new medical history. Whether the result is medical blackmail, healthcare fraud, or more advanced forms of identity theft, healthcare information is valuable and it’s abundant.
As a final thought, personal medical devices are under siege as well. It’s been proven that devices such as insulin pumps, pacemakers, and other medical implants have exploitable vulnerabilities. While we aren’t seeing wide exploitation of these types of vulnerabilities — yet — it feels like a story about a high-profile attack is just around the corner. Every piece of medical and healthcare IT is under the magnifying glass, and attackers are looking carefully.
Modernizing healthcare security
It’s easy to point fingers, but that’s unproductive. The path forward must be well thought out to address today’s issues, minimize the damage of technical debt, and prevent ourselves from amassing more technical debt in the future.
Healthcare IT modernization is a must, but healthcare IT must balance the desire for more modern technology against the cost of retraining workers, incurring downtime, and breaking functionality. Striking a balance is difficult. When cybersecurity teams can’t protect devices directly through configuration or security agents, network segmentation, packet and traffic analysis, and advanced analytics are a must. Some devices cannot run the EDR platform of choice, but security teams should still have eyes and machine analytics on that network segment. Maybe IT can’t take that Windows XP system off the network, but they can put compensating controls in place to minimize risk and damage.
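One way to keep eyes on a segment of devices that cannot run an agent, as an added example that is not part of the original article: audit flow records from the segment against an allowlist of the few connections the legacy hosts need. The addresses, ports, record format and function names are all constructed for illustration, and the source of each record is assumed to be the side that initiated the connection.

```python
import ipaddress

# Constructed policy for a hypothetical segment of un-agentable legacy devices.
LEGACY_SEGMENT = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_EGRESS = {
    # (peer network, protocol, server port) the legacy hosts may connect to
    (ipaddress.ip_network("10.20.1.10/32"), "tcp", 104),   # imaging archive
    (ipaddress.ip_network("10.20.1.20/32"), "tcp", 2575),  # interface engine
    (ipaddress.ip_network("10.20.1.53/32"), "udp", 53),    # internal DNS
}

# Constructed flow records, one per line: src,dst,proto,dst_port
SAMPLE_FLOWS = """\
10.20.30.15,10.20.1.10,tcp,104
10.20.30.15,10.20.1.53,udp,53
10.20.30.15,203.0.113.77,tcp,443
10.20.40.8,10.20.30.15,tcp,445
10.20.30.15,10.20.30.22,tcp,3389
10.20.50.9,10.20.1.10,tcp,104
"""

def parse_flow(line):
    src, dst, proto, port = line.strip().split(",")
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(port)

def is_allowed(peer, proto, port):
    return any(peer in net and proto == p and port == pt
               for net, p, pt in ALLOWED_EGRESS)

def audit_flows(text):
    """Return (finding, record) pairs for flows that break the segment policy."""
    findings = []
    for line in filter(str.strip, text.splitlines()):
        src, dst, proto, port = parse_flow(line)
        src_in, dst_in = src in LEGACY_SEGMENT, dst in LEGACY_SEGMENT
        if not (src_in or dst_in):
            continue  # traffic that does not touch the legacy segment
        if src_in and dst_in:
            findings.append(("lateral", line.strip()))      # device to device
        elif src_in and not is_allowed(dst, proto, port):
            findings.append(("unexpected-egress", line.strip()))
        elif dst_in:
            # Policy here: nothing outside the segment initiates into it.
            findings.append(("unexpected-ingress", line.strip()))
    return findings

if __name__ == "__main__":
    for kind, record in audit_flows(SAMPLE_FLOWS):
        print(f"{kind:20s} {record}")
```

The same allowlist can drive the firewall rules that enforce the segmentation, so the audit flags whatever the enforcement missed or was exempted from.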
We’re here, and the journey that got us here was long, convoluted, and perilous. Healthcare is under full-time assault: data is stolen, systems are compromised, and patients are put at risk of identity theft, or worse. We got here through a long series of unfortunate events, with many players involved. How we’ll get out of it is by working together as vendors and experts, by reducing technical debt, and by focusing on innovation and patient safety.