Should we be worried

About state-sponsored attacks against hospitals?

Security and the Board Need to Speak the Same Language

How security leaders speak to thier C-Suite and Board can make all the difference

The Rising Threat of Offensive AI

Can we trust what we see, hear and are told?

Who'd want to be a CISO?

Challenging job, but increasingly well paid

Medical Tourism - Growing in Popularity

Safe, fun, and much, MUCH more cost-effecitive

The Changing Face of the Security Leader

The role is changing, but what does the future hold?

Cyber Risk Insurance Won't Save Your Reputation

Be careful what you purchase and for what reason


Richard Staynings
Richard Staynings presents at the Canadian Conference on Physician Leadership
The challenges faced by Canadian healthcare in protecting the confidentiality, integrity and availability of the health and personal data of Canadian patients is great. But so too is the job of ensuring that healthcare IT systems and other critical infrastructure remains available to treat patients in today's IT-centric health delivery model, where system outages possibly as the result of a cyber attack, can mean life or death for a patient.

This was the subject of a workshop today at the 2017 Canadian Conference on Physician Leadership in Vancouver, BC, where many of Canada's top Physicians and Chief Medical Officers met to discuss many of the challenges and concerns facing the industry.

Participants learned not just about some of the cyber threats and risks being faced by healthcare in Canada and world wide, but also about some of the successes of other health providers to put in place effective, holistic security controls to block attacks and to protect personal health information, clinical research and other intellectual property from compromise.

As the leader of these workshops, I would like to extend my sincere thanks to everyone who attended and contributed to the debate. Canadian healthcare took a giant step forward today in recognizing, not just how much the industry needs to catch up with the better funded banks and other financial institutions, but also in understanding that cybersecurity is a business risk in which clinicians play a critical and leading part in helping to secure vital IT systems from attack.

A copy of the deck presented today can be downloaded here.

A Slippery Slope?

Like many cybersecurity professionals, I was somewhat pleased to finally read about the sentencing of convicted Russian cybercriminal Roman Seleznev to 27 years imprisonment by a US court. While this sets a new precedent in the sentences handed out to cybercriminals, many of whom have cost banks and retailers billions of Dollars, Pounds and Euros in losses, and forced other businesses to close up shop entirely, the case raises some interesting legal, moral and political questions.

Should it be the role of the United States judiciary to police the Internet and prosecute perpetrators of cybercrime, many of whom, reside in parts of the world outside of accepted standards of functional law enforcement. And if so, what lengths should be considered internationally acceptable for US law enforcement to go to, in order to capture, or apprehend individuals for future prosecution, when those individuals are discovered in, or transiting through, other countries, with whom the United States has no extradition treaty?

This was plainly the case in the apprehension of Seleznev who was vacationing with his family in the Maldives – a country with no extradition treaty with the United States. Yet, he was detained, handed over to US law enforcement officials, who then took him against his will to Guam, and onto Washington State where he was charged under US law for his crimes in the United States having never (as far as we know) even visited the country. Essentially, this is a non-US citizen, kidnapped by US law enforcement officials, in a neutral third country, and forcibly extradited without warrant to the United States to face charges for crimes allegedly perpetrated in that country.

Don’t get me wrong, I’m all for the arrest of cyber criminals and the imposition of long deterrent sentences to keep them off the cyber streets. I'm also keen for this to send a message to other (young) wannabes that cybercrime doesn’t pay. My concern is one of the basic rule of international law and whether this could one day back-fire against the United States.

I’m no lawyer but if due process was ignored in the apprehension of this individual then he’ll be out of jail on a technicality very quickly when this goes to appeal. If the intent was to use Saleznev as a bargaining chip with the Russians, then that raises a whole different set of questions, and this entire case moves more towards a political abduction / ransom  scenario.

While Seleznev, the son of an influential Russian politician, was plainly protected in Russia from prosecution by the country’s barely functioning legal system, and by his father’s close friendship with Vladimir Putin and contacts at the FSB, does the United States have a moral, ethical or legal right to enforce its laws half the way around the globe in countries where it has no legal jurisdiction and against citizens of other nations? Does the United States regard itself as the Internet judge, jury and executioner for electronic crimes?

Few would dispute the morality of the lengths undertaken to bring to justice a mass-murderer like Osama Bin Laden by the US military, but does this morality extend to perpetrators of financial crimes, and, if so, where do we draw the line?

Jeff Fridges raised some interesting questions in his comments to Brian Krebs story of the sentencing of Roman Seleznev and while the scenario Jeff paints might be considered a little far fetched, let's not forget that we have seen these kind of event-chains in the past. No one expected the Spanish Inquisition, and few predicted the rise of the Nazis, Kim Il Sung, Mao Tse Tung, or Stalin.

I’m bothered that the US apparently feels it has jurisdiction over the entire Internet, and can arrest anyone ‘anywhere in the world’ who violates ‘US law’ online.

Sure, this guy was a crook … but what about the next guy?

Consider this scenario. Street violence by right-wing militias in the US gets worse over April and May. Early in June, someone caps Trump. Pence becomes President and at the same time the assassination spurs a huge mobilization of Trump’s right-wing base. By the time everyone’s heads have stopped spinning, it’s martial law, draconian new legislation is being passed by the Republican congress (dominated by Tea Party evangelicals) and rubber-stamped by Pence. A Supreme Court stacked with ultraconservative Christian judges (Gorsuch, et al) looks the other way as the Constitution is put to the torch. Trade unionists and Muslims are rounded up and “disappeared” or deported, after which a purge of Hispanics begins — later it will be the Jews, though until the new forces have cemented their power thoroughly they and their powerful lobby and bankster friends will be left alone or even, for a while, convinced that “this time won’t be like the last time” for them.

By December the US is a de-facto fundamentalist Christian theocracy. Free speech is outlawed. Non-Christian religions, the teaching of evolution or climate change, p0rn, etc. are all outlawed.

And the US continues to act as if its borders contain the entire Internet.

Now someone in Cambodia blogs about climate change, or a European scientist publishes online a paper about evolutionary biology. Plenty of websites exist for mosques, synagogues, Buddhist temples, etc., run out of various corners of the world. And of course the net is awash in p0rn.

Do the proprietors of all of these websites start getting rounded up and renditioned, “extradited” to the US? After all, though they’re not inside US borders, what they are doing is illegal under US law and they are doing it online …

Now are you worried?
[end quote]

Regardless of who’s in the US White House (or Mar-a-Lago) and lets face it, Washington is a revolving door every few years, the questions that Jeff raises, and the scenario he paints, needs further discussion rather than simple dismissal as being radical.

While the United States with its overwhelmingly superior military might, has been the global policeman for many years, is this a role that the US intends to formally expand to the policing of the Internet, and is this a conscious decision as agreed by elected leaders and set in policy and law, or one brought about by the independent actions of US law enforcement officials frustrated at the failure, or lack of functional legal systems in other parts of the world. Legal systems rife with corruption, where cyber criminals can “live big” and publicly boast about their activities as Seleznev did, (till now) safe in the knowledge that the right people have been paid off, and that they are immune from prosecution?

Did the United States make a conscious decision to go to war and militarily occupy South Vietnam, or was it a political slippery slope driven by a succession of events and decisions from which it became increasingly difficult to turn back?

“Those who don't know history are doomed to repeat it.”
- Edmund Burke

Perhaps an examination of historical events is necessary to attempt to understand where this action could lead, and if it is the right type of action to address the policing of the Internet globally.

Securing Medical Devices - The Need for a Different Approach - Part 2

This is a two-part story. The first part can be read here.

I recently met with the CIO and CISO of a large US healthcare system to chat about how the system was going about securing its 350,000 network attached medical devices. They were busy assessing and profiling all of the disparate devices from a multitude of different vendors that the pre-merger, independent hospitals had purchased over the past twenty years or so. The Health System had multiple teams of third party vendors from many of the big names in bio-engineering, working with its own IT team to review configurations, firmware and OS/ application versions, and to make updates where necessary in order to improve the security posture of these devices.

The CIO however was greatly concerned by the number and churn in these devices – given warranty replacement units and new devices arriving at hospitals seemingly on a weekly basis. He was concerned whether they would ever be able to get in front of their hardening project, and whether reconfiguration and lock-down would ever really secure these network attached systems at the end of the day.

After listening carefully to his plan and all the activities he and his CISO had sanctioned, I suggested cautiously, that perhaps the health system was on the wrong path. My argument was that they would never be able to keep up with and manage 350,000 disparate biomedical devices, growing by twenty percent per annum, using a strategy essentially designed to manage PCs and workstations. One where domain level tools could be used to patch and configure the vast majority of endpoints. The manpower requirements alone I suggested, would consume his entire IT team’s bandwidth and budget at some point, if not very soon.

I suggested that he abandon entirely all thoughts of securing individual endpoints by locally hardening devices, and by disabling services like TFTP, FTP, TelNet and SSH, that many of his medical devices had left the factory with enabled, and instead look at other control points to secure those devices (compensating security controls) that would enable much higher levels of automation, and reduce the margin for human error that a manual process would inevitably lead to.

I suggested that he use his network as the control point rather than attempt to manage so many individual endpoints. By enabling TrustSec - a built-in access system in his newer Cisco switches and routers, he could lock down each endpoint device whether wired or wirelessly attached to the network, and control in a uniformed manner, which ports and protocols each device could communicate on, which users could administer each device, and which other devices each medical device could communicate with, i.e. specifically authorized canister, gateway or clinical information systems only…. and nothing else!

By employing ISE (Cisco Identity Services Engine) to set access policy, which would then be enforced by TrustSec, (something that was already being used to manage guest wireless access), the health system could create uniform enterprise policy implementation across all sites and locations, and avoid the need for possibly hundreds of firewall engineers to write and update access control lists in switches, routers, and firewalls. What’s more, rules written in ISE could be written in easy-to-understand business language, rather than complex access control syntax for direct entry into infrastructure devices by firewall and network engineers.

Furthermore ISE could be used to profile each of model of medical device, such that a profile could be developed and assigned once for each model, and applied globally across the entire enterprise of 350,000+ medical devices, thus automating security for the almost un-securable!

I continued, “What’s more, the same profile you assign to a medical device in one hospital, is used for a similar device in another hospital so long as its all part of the same ISE domain. Thus you can more effectively manage your medical device asset inventory across hospitals, by assigning medical devices when and where needed rather than to tie up money in unused assets in each location.”

“In other words” I explained, “Using ISE and TrustSec, you can provide your users with dynamic segmentation capabilities such that you can take a medical device (or truck load of medical devices) from one site to another site in need of those devices, (for perhaps local disaster management), and have those devices immediately recognized by the network and assigned the right access permissions as soon as they are plugged in or otherwise connected to the network. No need to engage a firewall or network engineer to add MAC addresses to an ACL (access control list) at 2am in the morning – just plug it in and it will work!”

Essentially you will have an enterprise-wide dynamic automated user and device access system, that is enterprise policy-driven in easy to understand language (versus firewall and switch syntax), that will actually save your biomed team money because they can run a minimal asset inventory across the entire health system. What’s more, in so doing, you are actually securing the un-securable and protecting medical devices from attack, as well as protecting the main hospital business network from being attacked from an easily compromised medical device.

A large number of leading US healthcare delivery organizations are already using ISE and TrustSec to secure their medical devices, research and intellectual property, PHI, PII and other confidential information, by security segmentation of their networks and IT systems. Many are working towards micro-segmentation at the individual device level. Many more are using the same segmentation approach and technology to isolate their PCI payment systems, their guest and contractor network access, and for network access quarantine to perform posture assessments on laptops and mobile devices re-attaching to the network after being used to treat patients in the community.

For more information on this approach, read Cisco’s Segmentation Framework and the Software-Defined Segmentation Design Guide.

For information about how Cisco’s Security Advisory Services can to assist you to design secure segmentation in your environment, please review Cisco's Security Segmentation Service or contact your Cisco sales team.

This blog was originally published here. To view comments or join the discussion on this article or the questions it raises, please follow the link above.

Securing Medical Devices - The Need for a Different Approach - Part 1

It’s hard not to notice a growing collection of medical devices whenever you visit a hospital or clinic. They surround today’s medical bed, almost like a warm scarf around a bare neck on a cold winter’s day. If they weren’t there you would wonder why. They provide all kinds of patient telemetry back to the nurses station: O2 sat levels, pulse rate, blood pressure, etc. They provide automatic and regular administration of medication via pumps and drips and oxygen dispensers. The medical bed itself tracks patient location across the hospital as the patient is wheeled to and from the OR, imaging or other specialties.

What is not recognized however, is that the number of medical devices employed in the delivery of care to patients is currently growing at almost twenty percent per annum globally. What's more, this growth rate is increasing. For the BioMed staff that has historically been responsible for managing them, it’s an almost impossible task. One that gets more difficult by the day as more and more devices are plugged in or wirelessly connected to the network.

The problem as far as risk is concerned, is not just the growth of these standalone devices and the difficulty managing so many, but the fact that these systems, many of which are critical to patient well-being, by and large have ALMOST NO BUILT-IN SECURITY CAPABILITY. Nor can they be secured by standard compute endpoint tools like anti-virus / anti-malware. They are a huge vulnerability, not only to themselves, but also to everything else attached to the network on one side of the device, and the patient on the other side.

Standalone medical devices are designed, built and FDA approved to perform a very narrow and specific function, and to do so reliably for long continuous periods of operation - unlike a Windows PC, which sometimes appears to have been designed to work for a month more than its manufacture warranty! Medical devices tend to stop working when subjected to things outside of their design parameters. Things like multicast network traffic caused by worms, viruses and other malware. Things like ICMP, NMAP and other network traffic used to illuminate, query, or profile devices perhaps by attackers. What’s more, medical devices are rarely retired and withdrawn from service, which means many hospitals are still using devices designed and built twenty years ago – at a time when Windows 95 had just been released and most of us weren’t even on the ‘World Wide Web’ as we called it then! How could they POSSIBLY be secured and prepared to defend against the types of cyber attack we see today?

Many standalone medical devices leave the manufacturing plant with all kinds of security vulnerabilities – many open TCP/UDP ports, and numerous enabled protocols by default like TFTP, FTP, Telnet. Most of these are highly vulnerable to attack. In June 2013 DHS tested 300 medical devices and all of them failed basic security checks. In 2015 we had 'white-hats' demonstrating hacks of implantable medical devices (IMDs) live on stage at security conferences. Since this time several popular medical pumps have been very publicly exposed for the ease at which they could be compromised by an attacker. (Some manufactures have issued recalls and firmware upgrades but not all.) If one of these pumps were employed to administer at a gradual and regular level, for example, pain medication such as morphine or perhaps insulin to a patient, what damage would be inflicted upon that patient if the pump was hacked and told to administer its entire medication all at once?

While older standalone medical devices were built to run on obscure, custom, often hardened UNIX operating systems, or even eProm, many of today’s mass-produced, quick-to-market commercial devices run on Windows 9 Embedded – nothing more than a cut-down version of the hugely vulnerable and highly insecure Windows XP operating system.

Windows Embedded is subject to many of the same vulnerabilities and freely available exploits as the regular Windows XP operating system. A targeted attack against modern medical devices is thus relatively easy given a mass of known and proven exploits. Yet we continue to attach insecure, unprotected pumps and all kinds of other devices with the potential to do damage to patients, knowing that at any time a nefarious hacker or almost innocent intruder could turn the device into an execution tool.

Just because it hasn’t happened yet, doesn’t mean to say that it won’t happen today… or perhaps tomorrow!

Read Part 2 of this blog.

This blog was originally published here. To view comments or join the discussion on this article or the questions it raises, please follow the link above.