A recent report from Independent Security Evaluators (ISE) entitled “Securing Hospitals: A Research Study and Blueprint” released at the end of February this year, points out some startling findings. While healthcare delivery organizations are highly focused on regulatory compliance issues regarding the protection of Patient Health Information (PHI), they are overlooking potential threats to actual patient health from malicious intruders.
The study itself involved a team of white hat hackers targeting 12 healthcare facilities, 2 healthcare data facilities, 2 active medical devices from one manufacturer, and 2 Internet-facing web applications. The results were surprisingly dismal, pointing to widespread problems within the healthcare industry on almost all levels – from staff to C-level management when it came to the issue of cybersecurity.
The findings concluded that lack of funding, lack of staffing, lack of effective training of staff, lack of defined security policies and lack of audit procedures were large barriers to implementing an effective cybersecurity program, although there were many others. As one example of the dangers of not training line staff in basic security measures, the study outlined what could be called a “USB-phishing” exercise. Eighteen USB keys with the hospital logo on them were scattered around one hospital in areas frequented by hospital staff. Within 24 hours, all of the keys had been plugged into a nursing station within the hospital, reaching far and wide across the hospital network. If malware had been on those keys, the hospital could have suffered a catastrophic compromise.
But, these findings weren’t altogether surprising. Healthcare organizations primary mission has always been serving the medical needs of their communities. In order to meet that mandate and keep the doors open, they must focus budget, training and time on staying in regulatory compliance. Regulatory compliance around security and data has usually meant things like meeting HIPAA and other patient data confidentiality regulations. However, this has now become a hospital’s “comfort zone”. They understand HIPAA and they understand they must put resources into staying in compliance. They “get” patient data protection.
Unfortunately, there are issues with this focus on patient health data. Being compliant with regulations does not equal cybersecurity. The focus on patient data means that other larger attacks surface within the hospital are left open to intrusion and compromise. Hospitals are “missing the boat” by focusing on only one area of potential attack - patient data.
The reality is that many HDOs simply do not understand who their adversaries are – and because of that - they woefully underestimate their adversaries’ motivation and ability to execute an attack against them. Often the current HDO strategy is to fortify against blanket, untargeted attacks on patient data by unsophisticated attackers. This approach might have been reasonably effective 15 years ago. But it’s not effective in today’s world.
In security parlance, this is called an “ineffective threat model”. In simpler terms, healthcare organizations do not understand who is attacking them, what their motivations are and perhaps most critically, how they can be attacked. Worse yet, they have not measured the potential impact of a successful attack on their patients, the hospital or the public. In the words of the study, they have “ignored the motivations and strategies that would be employed if targeting patient health.” As a result, a multitude of attack surfaces are left unprotected, as no consideration has been given to attack strategies that could result in harm to a patient. Without an effective threat model, healthcare organizations cannot understand how to prioritize their scarce resources to maximum security benefit. The end result is that large attack surfaces within the hospital organization remain open to compromise, leaving patient health vulnerable by those whose mission is to promote and protect it.
Obviously, patient health care data is valuable and must be secured for reasons even beyond regulatory compliance. But, patient health must have an even higher priority in our healthcare organizations.
For more information about our healthcare services, please visit our website or contact us to speak to one of our experts.
Article by Chana O'Leary
Sr. Security Consultant at OpenSky Corp (a TUV Rheinland company)
Ms. O’Leary is an experienced security architect with deep knowledge of enterprise security, architectures, application security, and threat modeling. She is experienced in advanced requirements elicitation techniques, vulnerability and attack surface assessment, PCI compliance security auditing and assessment. She is a former Lead Architect for KLM/Air France and was a Technology Manager with BearingPoint, BV.