GA HIMSS 2016

Cybersecurity was the topic du jour at the GA HIMSS Annual Conference in Atlanta this week, as the author co-hosted a session with Dmitry Kuchynski of Cisco on the cyber threats facing hospitals, clinics and primary care facilities, and on possible mitigations.

Richard Staynings and Dmitry Kuchynski received a warm welcome at GA HIMSS

In attendance was an assembly of healthcare CEOs, CIOs, CISOs and other executives, all keen to learn about the latest cybersecurity trends and threat intelligence, along with any tips, tricks and help they could receive towards planning an approach to protect their institutions and patients from cyber attack.

Healthcare organizations are being actively targeted by cyber criminals for their wealth of easily stolen PII and PHI, and for the relative ease with which healthcare networks can be attacked and breached. Hospital networks were designed to facilitate universal access by clinicians and support staff, with little to no network or user segmentation. The result is that once the perimeter is breached, hackers enjoy universal access to virtually all information systems.

Ransomware was a big concern of attendees

The epidemic of ransomware that has plagued many US and overseas organizations over recent months was a huge concern to most attendees, who wanted to know what they could do to protect their institutions against a ransomware attack.

While there are claims that ransomware is being used to target a specific company, health system or industry, the fact is that most ransomware attacks are indiscriminate in who and what they attack, so long as the attack could generate payment for the perpetrators.

According to Cisco research, the Angler ransomware campaign alone resulted in over 300 ransoms being paid each day until Cisco and international law enforcement took down the criminal gang responsible. The gang was netting over $34m USD per year, which goes to show just how lucrative ransomware can be... for a while at least!

So was converging biomedical networks

Converging biomedical networks and the rapid growth of network-connected medical devices were similarly a huge concern for attendees representing hospitals and clinics, where the number of biomedical devices is growing exponentially.

Medical devices are just one aspect of a growing number of IoT devices attached to hospital networks that cannot be managed by group policy and other common tools for securing endpoints. Each medical device is proprietary to its vendor, and many single-vendor systems can be incredibly unique. Despite guidance from the FDA and other bodies, both vendors and hospitals have been slow to tackle the medical device challenge, as a previous post has examined.

Cisco has been helping many of its healthcare customers to manage and contain threats to medical devices and other network-attached IoT devices, such as hospital and clinic building management systems, by use of network security segmentation. By locking down access to and from medical devices on a least-privileged / zero-trust basis, segmentation helps to control the who, what, why and where of access to these largely unprotected endpoints. It also contains any malware outbreaks to the affected subnets, thus preventing a full system outage of the kind some hospital systems have suffered recently.

With attacks against healthcare organizations on the rise, the industry faces some tough challenges over the coming years to balance the need to treat patients with the increasing need to invest heavily in security to protect those patients, at the same time that reimbursement rates for treatment are declining. Regardless of whether healthcare institutions are being targeted for cyber attack or not, the fact is that they represent a treasure trove of valuable information for theft or extortion, and most are largely unprotected today.

As cyber criminals turn their collective attention to the easy money of ransomware, payers, providers, research and pharmaceuticals will increasingly come under attack. Putting in place modern-day defenses like security segmentation is not something that can be done overnight. Developing a strategy and approach to cope with the new realities of conducting business today is something that requires expert help and planning, and most importantly some lead time. All the better then to start that process now, rather than when under cyber attack, when risks to patient safety go through the roof.



Postscript: Medical device security has been examined extensively in this blog, and the need to adopt a different approach to securing healthcare data and devices has been discussed widely. IoT security was also the subject of a recent HIMSS Security Community webinar given by the author.