Showing posts with label CyberSecurity. Show all posts

The Growing Rural Healthcare Cybersecurity Crisis


Rural America and Urban America can seem like two different worlds. Just look at the political map, or the disparity in wealth between ‘country folks’ and ‘city slickers’. Perhaps the most alarming difference, however, is the availability of basic healthcare services.

If you live in rural America, you could be a 2- or 3-hour drive away from the closest renal dialysis center, or radiotherapy and chemotherapy clinic. You may also be several hours away from the nearest stroke or trauma center, which in an emergency could mean the difference between life and death.

As for many other medical services, rural Americans must make do with what is available in their community - a local midwife rather than a maternity hospital or ‘new life center’ staffed with neonatal experts and incubators in case they are needed. Go into labor early or present as a high-risk pregnancy and be prepared to be ambulanced or worse, air-ambulanced at huge expense, to a city hospital where you and your infant can be cared for. Today, anything other than basic medical services usually means a long drive to the nearest city.

The trouble is that what remains of rural health services is rapidly declining. Rural hospitals and entire rural health systems are closing, and those that remain open are continuously reducing their specialist services, which may not be used enough to remain profitable or cover costs.

A new report from the American Hospital Association (AHA) states that 136 rural hospital closures occurred between 2010 and 2021, with a record 19 closures in 2020 alone. Beckers, in a recent article, reviewed a larger period, claiming that nearly 200 rural hospitals have closed since 2005. What’s even more alarming is that the pace of closure is accelerating. Eight rural hospitals closed in 2023, as many as in 2022 and 2021 combined, according to the Center for Healthcare Quality and Payment Reform's latest report.

As recently as this month, the Eastern Plains Healthcare Consortium (EPHC) stated during its annual conference that 20% of rural hospitals in Colorado are at risk of closing. They require a 4% operating margin to replace equipment and maintain existing services; however, nearly all are currently running in the red, some as much as -17%. EPHC estimates that some 30 rural Colorado hospitals will be forced to convert to emergency-only services as Emergency Rural Health Hospitals to avoid closing altogether.

Some of these hospital closures are the result of cyber-attack and in particular, one recent Illinois hospital closure is blamed upon a 2021 ransomware attack that prevented it from submitting claims to payers for months, killing its cashflow and financial viability. Another small hospital had its entire payroll stolen in a cyberattack preventing it from paying any of its staff and placing it in financial peril.

The Change Healthcare cyberattack earlier this year has exacerbated the plight of small providers and in particular rural clinics and physician practices. Many physicians are struggling to keep their practices afloat according to the American Medical Association (AMA) and even though UHG, the owner of Change Healthcare, has publicly said it will provide relief in the form of Temporary Funding Assistance to impacted providers, this is very selective, one-sided and fraught with caveats according to Richard Pollack of the AHA in a letter to UHG.

Challenges for Rural Healthcare Providers

Rural providers face many challenges: finances, through rural depopulation and a disproportionate number of rural patients on Medicare and Medicaid, general resource constraints, and huge difficulty attracting and retaining nursing, physician, and other staff. Most notable of these is the lack of trained and experienced cybersecurity staff to protect rural providers from an increasing volume of cyberattacks.

These hospitals run on a small number of IT generalists and often find it difficult to patch systems in a timely manner, let alone obtain the budget or expertise to implement the latest security tools and services. Many operate on end-of-life computer hardware and medical devices no longer supported by vendors. Compared to urban providers, these hospitals are an easy target for criminals and are frequent victims of PHI breaches, ransomware, and other attacks.

Like their urban cousins, rural hospitals are undergoing a digital transformation to new clinical and IT systems. This involves the addition of more medical and other IoT systems including connected building management systems for HVAC, elevators, proximity door locks, CCTV cameras, and Pyxis drug cabinets. These systems dramatically expand the cyber threat surface and, unless secured and maintained, can significantly elevate the risks of attack. But rural providers often lack the specialist skills to safely manage these systems. That is perhaps why many are turning to a combination of Managed Services Providers (MSPs) and Managed Security Services Providers (MSSPs) to effectively outsource security and much of IT.

MSPs and MSSPs will manage a large number of hospitals at the same time and through a leveraged model can provide point expertise as needed in more or less any technology or vendor system. They can also implement advanced SaaS tools from Cylera and others to identify the growing number of connected assets and evaluate and prioritize risk remediation. Indeed, the incorporation of SaaS services is rapidly helping to drive improvements in rural provider cybersecurity, especially in medical device security, a growing problem for all healthcare providers.

The advent of managed services has become particularly important given a new assistance program for rural hospitals orchestrated by the White House and the AHA in June of this year. Microsoft and Oracle have agreed to provide free and heavily discounted cybersecurity resources to assist rural hospitals with access to many of their security tools and technologies. However, so far, relatively few rural hospitals are taking advantage of a free program designed to thwart ransomware attacks according to the White House this week. Only 350 of the 1,800 small and rural US hospitals are currently leveraging this assistance program.

It appears that without MSP or MSSP help, many rural providers are simply unable to accept or implement these discounted tools or utilize the free security assessments because they don’t have the manpower bandwidth to do so. This is the Catch-22 of providing security assistance to rural health providers. Thankfully, for some, the MSP/MSSP buffer is helping to facilitate this today.

While near term improvements to rural hospital cybersecurity will be of great assistance in helping to reduce cyberattacks, there are still long-term structural problems of maintaining the continued presence of rural providers and access to healthcare services for rural communities. The healthcare industry faces many problems, not least of which is unmitigated cybersecurity risk. While urban providers can rely upon numbers to maintain services and a plentiful supply of cybersecurity talent nearby to avoid the worst of the attacks, rural providers face almost insurmountable challenges. This is undoubtedly a larger political question of healthcare reform that the next administration will need to prioritize.



What Keeps Healthcare Security Leaders up at Night?


In these trying times of COVID-19, the cancellation of elective procedures and the general population "avoiding the Doctors Office like the Plague", it's no wonder that hospitals and other HDOs are furloughing staff and tightening their belts. But what does this mean for hospital cybersecurity programs?

The impact of COVID-19 on the healthcare industry has perhaps been even more dramatic than on the transportation and tourism industry, with airlines and hotels going bankrupt all over the world. Both industries have suffered a massive downturn in their traditional business and both have had to quickly pivot to the new reality of conducting business during a global pandemic. But unlike travel and tourism, healthcare has been at the forefront of treating those infected with SARS-CoV-2 and dealing with massive levels of disease control, while minimizing those on-site.

At the same time, the delivery model for healthcare has drastically changed from one of principally elective procedures and screenings to a model where 90% of business, outside of ICU services for COVID-19 patients, is now conducted remotely via telehealth. In fact, healthcare is widely considered to have undergone the greatest single digital transformation of all time, and all within the space of a few weeks, while most IT and security staff were forced to work off-site.

We are condemned to live in interesting times


Cyber-criminals know this too and have plied their craft without let-up since early March with a proliferation of spear phishing campaigns targeting often overworked healthcare staff, many of whom are now working alone from home.

But these are far from the only challenges facing the industry and those whose job it is to secure the systems, data and patient safety so vital to the delivery of healthcare services. Hear from four leaders in the healthcare security and technology space as they discuss the issues facing the sector and offer up some options and effective approaches.

  • Richard Staynings, Chief Security Strategist at Cylera 
  • Christian AbouJaoude, CTO at USC Keck School of Medicine
  • Esmond Kane, CISO at Steward Health 
  • Brett Cattell, Director of Systems at Robin Healthcare




Understanding Medical Device Security


The FDA recall of a medical device last week has caused a bit of a media storm as the general public scrambles to find out more. The fact that a medical device meant to help sustain life is insecure and could be hacked to kill a patient is alarming to all of us. More worrying is that the medical device subject to the recall, a cardiac rhythm management product, or “pacemaker” to the rest of us, is probably not an anomaly. Many other medical devices more than likely also lack adequate security.

To understand the risks, we first need to understand the problem. To be honest, this could require an extensive series of blog posts over weeks to fully examine and explain this properly, but here’s the 50,000-foot version.


Different types of medical devices and the risks they pose

First, there are the implantable medical devices (IMDs) like the medical pacemaker at the center of this story. This group of medical devices includes the implanted insulin pump that security researcher Barnaby Jack hacked live on stage at the Miami Hacker Halted Conference in 2011, reconfiguring the device to deliver a lethal drug dose. It also includes a pacemaker that was hacked, again by Jack, at the Melbourne BreakPoint Security Conference in 2012 to deliver a lethal 830 volt electric shock to a patient.

Second are the much wider range of network-attached medical devices used in healthcare delivery. These include:

  • Diagnostic imaging systems: ultrasound, MRI, PET, CT scanners, and X ray machines 
  • Treatment equipment: infusion pumps, medical lasers, and surgical machinery 
  • Life support: ventilators, anesthetic and dialysis machines 
  • Medical monitors for oxygen saturation, blood pressure, ECG and EEG, and many, many more. 

The greatest data-security risks for medical devices

Network-attached devices far outnumber implantable ones, but both have one thing in common—a very long life span! No one wants a pacemaker that needs to be replaced every couple of years, and hospitals simply can’t afford to rip and replace their multi-million-dollar investment in x-ray machines, and PET and CT scanners if they still work perfectly. Many current medical devices are 15 or 20 years old already, placed into service when the rest of us were deploying Windows 95 and dial-up modems.

The greatest risk to medical devices, however, is that many lack even the basic security protections that a $200 home PC has - things like antivirus software and a host firewall. The danger is that when a malware worm gets into a hospital and spreads its way laterally across the network to reach highly vulnerable medical devices, it either quickly infects them (many of the newer models run a form of Windows XP), or the malware multicast traffic storm causes the medical device to crash or just stop working. It’s not that someone hacked and changed a parameter - although that is a distinct possibility - but it’s more likely that the device's battery is quickly drained and it powers off, or the system blue screens and ceases to provide life-sustaining care.



Understanding the Problem

You can't protect what you don't know about, and most hospital systems have very little idea just how many medical devices they have on premise, how many attach to their wired or wireless network and therefore pose the highest risk, or, more importantly, how many of those devices contain PHI and are therefore subject to annual HIPAA Risk Assessment and OCR validation that a risk assessment has been conducted annually.

To manage a problem you first need to understand the problem. Performing an accurate and periodic or ongoing asset inventory is a first step. The difficulty is twofold however: medical devices do not just simply show up in a Windows Explorer or Finder view of the network, nor can they be actively scanned in many cases. Secondly, many devices are powered on as needed for patient care and powered off when not and returned to storage. So understanding exactly how many you have, what each does, and what versions of OS and software each is running, while at the same time trying to avoid double counting is not exactly easy.

What is needed is a way to passively monitor the network to identify typical medical device network traffic along with endpoint IP addresses, VLAN and physical location, and to perform some sort of profiling of devices including the identification and recording of unique device characteristics. Fortunately, there are tools and companies that do this now, so you don't need to reinvent the wheel.
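The bookkeeping behind such a passive inventory can be sketched in a few lines. This is an added example, not code from the original post or from any vendor's product: the flow records are constructed, and the only outside facts used are that ports 104 and 11112 carry DICOM and 2575 carries HL7. It keys each device on its hardware address so that a device powered off, stored and brought back with a new IP address is not counted twice.

```python
from dataclasses import dataclass, field

# Service ports used as profiling hints: 104 and 11112 are DICOM, 2575 is HL7.
PORT_HINTS = {104: "DICOM imaging", 11112: "DICOM imaging", 2575: "HL7 interface"}

# Constructed flow records, as a passive sensor on a mirrored port might export them:
# (epoch_seconds, source_mac, source_ip, vlan, dest_ip, dest_port)
SAMPLE_FLOWS = [
    (1000, "00:11:22:AA:BB:01", "10.20.1.15", 120, "10.20.9.5", 104),
    (1060, "00:11:22:aa:bb:01", "10.20.1.15", 120, "10.20.9.5", 104),
    (1100, "00:11:22:AA:BB:02", "10.20.2.40", 130, "10.20.9.8", 2575),
    # Same device after being stored, powered on again and given a new DHCP lease.
    (90000, "00:11:22:AA:BB:02", "10.20.2.77", 130, "10.20.9.8", 2575),
    (90010, "00:11:22:AA:BB:03", "10.20.3.9", 140, "10.20.9.9", 443),
]

@dataclass
class Device:
    mac: str
    first_seen: int
    last_seen: int
    ips: set = field(default_factory=set)
    vlans: set = field(default_factory=set)
    profiles: set = field(default_factory=set)

def build_inventory(flows):
    """Fold flow records into one entry per hardware address."""
    inventory = {}
    for ts, mac, ip, vlan, _dst_ip, dst_port in flows:
        key = mac.lower()  # normalise case so one device is never counted twice
        dev = inventory.setdefault(key, Device(key, ts, ts))
        dev.first_seen = min(dev.first_seen, ts)
        dev.last_seen = max(dev.last_seen, ts)
        dev.ips.add(ip)
        dev.vlans.add(vlan)
        dev.profiles.add(PORT_HINTS.get(dst_port, "unclassified"))
    return inventory

def dormant(inventory, now, max_age=86400):
    """Devices silent for more than max_age seconds: likely powered off, not gone."""
    return sorted(m for m, d in inventory.items() if now - d.last_seen > max_age)

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_FLOWS)
    for dev in inv.values():
        print(dev.mac, sorted(dev.ips), sorted(dev.vlans), sorted(dev.profiles))
    print("dormant:", dormant(inv, now=90100))
```

Dormant entries are kept rather than deleted, so a device returned to storage still appears in the count and in the risk assessment.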

Once an inventory is obtained you can identify potential weaknesses, known threats and vulnerabilities and evaluate probability and likelihood as you would for other IT devices subject to HIPAA Risk Analysis. Once you have identified your highest risk devices, you can set about patching or otherwise remediating risks, or implement compensating security controls till such time as a longer term solution can be implemented or the vulnerable assets retired and replaced. Unfortunately, most medical devices today exhibit some level of risk and older devices may prove to be more secure than newer ones thanks to obscure operating systems or firmware compared to today's COTS (commercial off the shelf) embedded OS versions.


How to reduce risk and protect devices

It’s going to take years to patch or replace the arsenal of insecure medical devices and billions of dollars that healthcare providers simply don’t have. So, we need to look at alternatives to secure them for the rest of their life-spans. This is best accomplished by the use of compensating security controls, which doubles as an acceptable audit of risks as far as HIPAA and OCR are concerned.

By far the most effective approach is the use of network access control (NAC) using microsegmentation, where medical devices are locked down and secured by the software defined network (SDN) they are attached to. (Attempting to manage 350,000 individual medical devices otherwise in a hospital is near impossible.)

Modern network infrastructure supports security technologies like Cisco TrustSec©, where each network port acts as a virtual firewall. Using security group tags (SGTs), and identity services engine (ISE), network traffic is controlled so that only specifically authorized users - biomedical equipment technicians (or BMETs, as they are known) - have access to reprogram devices, and these systems are only able to communicate with designated internal IP addresses using predetermined ports and protocols. The network will drop everything else, like malware traffic and any connection attempts from unauthorized users. Many of the more advanced healthcare providers have already adopted such an approach, and by employing compensating security controls like ISE and TrustSec have been able to secure their networked medical devices from attack at the click of a button.
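A minimal model of the default-deny group policy described above, added here as an example. It is not Cisco configuration or code from the original post, and the group names, addresses, ports and the `bmet` role label are constructed assumptions.

```python
# Constructed tags and policy; group names, addresses, ports and roles are assumptions.
GROUP_OF = {                      # device address -> security group
    "10.20.2.40": "infusion-pump",
    "10.20.2.41": "infusion-pump",
    "10.20.9.8": "pump-server",
    "10.30.5.10": "office-pc",
}
ROLE_GROUP = {"bmet": "bmet-workstation"}   # authenticated role -> security group
DEVICE_GROUPS = {"infusion-pump"}

# (source group, destination group) -> permitted (protocol, port) pairs.
# Any pair or service missing from this matrix is dropped.
POLICY = {
    ("infusion-pump", "pump-server"): {("tcp", 2575)},
    ("bmet-workstation", "infusion-pump"): {("tcp", 8443)},
}

def source_group(src_ip, user_role=None):
    """An authenticated role takes precedence over the address-based tag."""
    return ROLE_GROUP.get(user_role) or GROUP_OF.get(src_ip, "unknown")

def decide(src_ip, dst_ip, proto, port, user_role=None, policy=POLICY):
    """Permit only what the matrix lists for this group pair; deny the rest."""
    src = source_group(src_ip, user_role)
    dst = GROUP_OF.get(dst_ip, "unknown")
    return "permit" if (proto, port) in policy.get((src, dst), set()) else "deny"

def lateral_rules(policy):
    """Policy review: rules that would let medical devices talk to each other."""
    return sorted(pair for pair in policy
                  if pair[0] in DEVICE_GROUPS and pair[1] in DEVICE_GROUPS)

# Constructed flows: (description, src_ip, dst_ip, proto, port, role)
SAMPLE_FLOWS = [
    ("pump reports to its server", "10.20.2.40", "10.20.9.8", "tcp", 2575, None),
    ("pump to pump, file sharing", "10.20.2.40", "10.20.2.41", "tcp", 445, None),
    ("office PC to pump", "10.30.5.10", "10.20.2.40", "tcp", 8443, None),
    ("BMET maintenance session", "10.30.5.10", "10.20.2.40", "tcp", 8443, "bmet"),
    ("BMET on an unlisted port", "10.30.5.10", "10.20.2.40", "tcp", 23, "bmet"),
    ("unknown host to pump", "192.0.2.50", "10.20.2.40", "tcp", 8443, None),
]

def evaluate(flows):
    return [(desc, decide(s, d, pr, po, role)) for desc, s, d, pr, po, role in flows]

if __name__ == "__main__":
    for desc, verdict in evaluate(SAMPLE_FLOWS):
        print(f"{verdict:6} {desc}")
    print("lateral rules:", lateral_rules(POLICY))
```

The pump-to-pump flow is dropped because no rule names that group pair, which is how this kind of policy contains the lateral spread described earlier without any change to the devices themselves.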


This blog was originally published here. To view comments or join the discussion on this article or the questions it raises, please follow the link above. 

CCPL

Richard Staynings
Richard Staynings presents at the Canadian Conference on Physician Leadership
The challenges faced by Canadian healthcare in protecting the confidentiality, integrity and availability of the health and personal data of Canadian patients are great. But so too is the job of ensuring that healthcare IT systems and other critical infrastructure remain available to treat patients in today's IT-centric health delivery model, where system outages, possibly as the result of a cyber attack, can mean life or death for a patient.

This was the subject of a workshop today at the 2017 Canadian Conference on Physician Leadership in Vancouver, BC, where many of Canada's top Physicians and Chief Medical Officers met to discuss many of the challenges and concerns facing the industry.

Participants learned not just about some of the cyber threats and risks being faced by healthcare in Canada and world wide, but also about some of the successes of other health providers to put in place effective, holistic security controls to block attacks and to protect personal health information, clinical research and other intellectual property from compromise.

As the leader of these workshops, I would like to extend my sincere thanks to everyone who attended and contributed to the debate. Canadian healthcare took a giant step forward today in recognizing, not just how much the industry needs to catch up with the better funded banks and other financial institutions, but also in understanding that cybersecurity is a business risk in which clinicians play a critical and leading part in helping to secure vital IT systems from attack.

A copy of the deck presented today can be downloaded here.

Australian Healthcare Highly at Risk


Just learned that my interview with Nick Whigham at Australia's www.news.co.au has gone viral. The interview, which was published last week, talks about the general state of security surrounding the Australian Healthcare industry and is based upon two weeks of workshops and other meetings I ran across the country in November with Senior Healthcare Executives.

The full article can be found here.