The Maturity Paradigm

In healthcare we have an insatiable appetite to adopt new technology

Should we be worried

About state-sponsored attacks against hospitals?

Security and the Board Need to Speak the Same Language

How security leaders speak to thier C-Suite and Board can make all the difference

Who'd want to be a CISO?

Challenging job, but increasingly well paid

Medical Tourism - Growing in Popularity

Safe, fun, and much, MUCH more cost-effecitive

The Changing Face of the Security Leader

The role is changing, but what does the future hold?

Cyber Risk Insurance Won't Save Your Reputation

Be careful what you purchase and for what reason

Showing posts with label HIoT. Show all posts
Showing posts with label HIoT. Show all posts

Medical Wearables and HIoT

Patient Safety in the era of medical wearables and Healthcare IoT: Is new technology helping us to stay healthy or introducing risks?


“medical
Medical Wearables.



Most of us now wear some form of fitness tracker and many hospitals and insurers are utilizing this 'personal health data' to supplement 'provider data' in our overall healthcare management. The volumes of healthcare data on each of us is staggering and is critical for our health management and overall well-being as patients. But what happens when that data is compromised, changed or deleted?

Like it or not healthcare delivery is more reliant upon technology today than ever before to diagnose, treat, observe, manage and monitor patients. A basic systems outage is enough to bring an entire hospital or clinic to its knees. Just look at what happened in the UK when Ransomware took down much of the NHS.

But our technology reliance is not just focused on IT systems any longer, there are a multitude of different Healthcare Internet of Things (HIoT) devices that we use to improve patient outcomes. All kinds of medical devices, from IMDs, to network connected pumps and scanners, to patient and nurse call systems, all of which are critical in direct patient care. And let’s not forget, that we cannot do without HVAC systems, elevators, power, water and other hospital building management systems, nearly all of which are now ‘smart’ and ‘connected’, often managed by business partners from thousands of kilometers away via the Internet.

What happens when these simple devices are attacked by extortionists and cyber-criminals? Does anyone even know how many HIoT devices are connected at each location, let alone when they were last patched and what security risks they pose to patients and to hospital IT systems? Just because they may be connected to an isolated network or VLAN doesn’t mean they are enclaved or segmented as far as security is concerned.

How can we gain greater visibility into what’s happening in our hospitals and become better prepared to defend ourselves from the next inevitable attack?

This was the subject of a recent presentation by the author to the HIMSS Australia Digital Health Summit in Sydney, NSW attended by many of the top thought leaders from across Australia, New Zealand and much of Asia.

“Richard
The Author addresses the HIMSS Australia Digital Health Summit in Sydney. Photo: HIMSS


Medical wearables could prove to be a valuable asset in the fight to prevent on the onset of disease. Diseases that by and large, are very expensive to treat. Primary care physicians have been urging us all for years for better preventative care, yet in many countries there is still a financial disincentive to go see the doctor or a specialist. In the United States where High Deductible Health Insurance pushes patients away from seeing their care team till they have met their often massive deductible before receiving any benefits, and in the developing world where the choice is sometimes to see the doctor or feed the family for a week. A trip to the doctor is also considered as being inconvenient and time consuming by many - even when there is no charge. What better then, than to automate the monitoring and well-being of patients using simple ubiquitous tools like an Apple Watch, or a Fitbit, something that avoids having to go see the doctor and actively engages patients in their own well-being.

An Apple A Day Keeps the Doctor Away

An old adage claims “an apple a day keeps the doctor away”. It may originate from the days of scurvy and a general lack of fruits and vegetables in people's diet, but maybe there is some truth to the saying in today's hi-tech healthcare world.

Can an Apple on your wrist keep the doctor away?

A recent HIMSS survey claimed that 64% of surveyed patients might be more willing to wear an Apple Watch or a medical wearable if it means fewer trips to see the doctor.

A similar survey of hospital executives from HIMSS and AT&T found 47% of hospitals are providing wearables to patients with chronic diseases and are also conducting remote monitoring via in-home medical devices and smartphone apps.

Is this the future of regular health observation and maintenance? My Apple Watch already reminds me to get up and walk about several times a day when I have been busy sat typing or in meetings. Will future versions also tell me to cut down on my carbohydrate intake and to look for a less stressful job based upon my diet, activity levels, and heart rate?

The big question is, to what extent can consumer healthcare data be trusted as being accurate and not fudged to reduce health insurance premiums, and what should our health systems do to integrate that data into our medical record?

“My
Australia's My Health Record.


In Australia the existing My Health Record (MHR) initiative will see the roll-out of new functionality in 2020 for apps to connect into the MHR. Australians already have the ability to view their complete medical record (unlike most other countries) so the hope is that this should be the primary place where Aussies go to check their healthcare activity and well-being. Its precisely this type of public-private partnership that will lead to improved patient outcomes and reduced spending on chronic diseases, or so its authors claim with some justification.

Consumer wearables like Apple Watches and Fitbits are just some of a huge wave of Healthcare Internet of Things (HIoT) devices that are being used to monitor, manage, diagnose and treat patients. In all but the smallest critical access hospitals, HIoT devices already well-outnumber traditional IT computers and other systems. The challenge for the industry is how to manage and secure such a broad range of fairly dumb devices at a time when the healthcare industry is under an increasing number of cyber attacks.



How should Healthcare Executives go about securing their HIoT?

Managing traditional HIT assets like servers, laptops and workstations is a touch job in a healthcare environment because of a lack of standardization and the need to run so many different versions of operating systems and legacy applications. Trying to manage hundreds of thousands of discrete HIoT devices is near impossible without the right tools. The first problem is that most healthcare providers have no idea how many devices they own, rent, or have connected to their networks, nor the risks that each of them poses to patient safety or other network assets like the EMR, so this is where we need to start.

The following workflow may be useful as a guide:

  • Identify Assets – Most hospitals don’t know what they have!
  • Risk Assess those HIoT Assets to NIST 800-30 or similar standards for compliance
  •      Identify CVEs and Zero-Days, any known patches and apply
  •      Beat up vendors for patches – some are better than others. Some are outright negligent. 
  •      With hundreds of thousands of devices you will never be able to regularly patch them all!
  • Identify and Map Legitimate Traffic Patterns – Ports, Protocols, IPs, etc.
  • Construct a 'Zero Trust' white list of usual traffic patterns so that anomalous activities can be flagged and investigated or blocked
  • Implement Micro-Segmentation as a compensating security control to protect patients and networks against devices that cannot be secured. Employ the Zero Trust white list to construct your NAC's Security Group Tags (SGTs) to automate protection.


What tools should you consider?

The good news is that this exercise is no longer a daunting labor-intensive manual process. There are first and second generation tools now available that can do this for you with varying levels of automation. Second generation tools like Cylera MedCommand, make extensive use of AI and ML to more thoroughly risk assess devices and seamlessly integrate to your existing asset management, GRC, SIEM and NAC technologies. Through a combination of passive and active security controls you can safely monitor and log traffic till you feel confident to turn your NAC to '
'active' or 'blocking' mode without having to worry that you may inadvertently isolate a device.



“Cylera
Cylera MedCommand.



'MedCommand' provides clinical engineering and information security teams with a unified solution to manage and protect the entire connected HIoT environment including medical devices, enterprise IoT, and operational technology.

The solution is built on Cylera’s 'CyberClinical' technology platform, which incorporates machine learning, behavioral analytics, data analysis, and virtualization techniques. Cylera has partnered with leading healthcare providers, experts, and peers to develop one the most comprehensive and integrated HIoT security solutions available for healthcare.

Learn more about Cylera's innovative AI based approach to medical device and other HIoT endpoint management at https://www.cylera.com.



Singapore eHealth - Innovative Technologies and Security


The Author addresses the Singapore eHealth Summit. Photo: Dean Koh

Singapore faces many of the same problems affecting patient care in Europe and North America; an aging population, rising demand and increasing costs. The need to implement more value-driven initiatives to increase efficiency and improve patient outcomes will become critical here in Singapore just as it is in other countries with declining populations or unsustainable rising healthcare costs. This includes the need for wider mainstream adoption of new and disruptive technologies like data analytics, machine learning and artificial intelligence, combined with highly innovative procedures to accurately identify, diagnose and treat patients.

The recent Singapore eHealth and Health 2.0 summit was unique in that it brought together some of the best minds and best ideas from all over the world under one roof, to showcase a plethora of quality treatment ideas and disruptive emerging technologies which promise to revolutionize the healthcare industry.

As with the adoption of any new technologies, there are risks which must first be evaluated before a technology can be introduced, and in healthcare, increasingly these risks focus upon cybersecurity.

In Singapore, which suffered its largest ever breach last year with the theft of 1.5m SingHealth patient identities along with the prescription records of its Prime Minister and other V.I.P.s, security is of particular concern. Several smaller healthcare breaches this year including publication of the personal details of over 800,000 blood donors, and the exposure of 14,200 HIV patient records has compounded the need for the industry to get security right.

Confidentiality, Integrity and Availability

The ASEAN region, according to CIO Magazine, with its dynamic position as one of the fastest growing digital economies in the world has become a prime target for cyber-attacks, accounting for 35.9% of all cyber attacks globally in 2017. The targeted attack against SingHealth is perhaps a wake-up call for the region to do a better job of securing Confidentiality, Integrity and Availability (CIA) its healthcare and other critical services.

But the risks impacting healthcare are way more nefarious than just the disclosure of confidential patient information. Far more worrying is the threat to the INTEGRITY of health records and other clinical data, and the AVAILABILITY of HIT systems needed to treat patients.
  • What happens when a patient's blood type, allergies or past treatment records are altered by a hacker?
  • What happens when a ransomware attack locks up all Health IT systems as it did to many hospitals in the British NHS with the WannaCry attack? 

Patient Care suffers and Patient Safety is placed at risk

The growth of medical devices and other Healthcare IoT (HIoT) is prolific and already outnumbers traditional computing systems. Compound growth in medical devices has reached 20% per year by some estimates. Furthermore, most are connected now to hospital networks and talk directly to core HIT systems like the Electronic Health Record. Hackers know this and have used the fact that HIoT systems are by and large unprotected against cyber-attack to launch their infiltration campaigns.




Many legacy medical devices can only connect to hospital WiFi using insure WEP encryption, which means any teenager with the right tools could gain access to core systems in most unsegmented healthcare networks with little more than a SmartPhone from a hospital waiting room.

Medical devices and other HIoT systems now pose the single greatest risk to patient safety according to many in the industry because of their lack of inherent security, inability to be patched or secured with AV or a host firewall as even a Windows PC can. What is more worrying is not that these devices are incredibly easy to hack or topple over, but the fact that they are most often connected to patients at the time providing critical life-sustaining care or telemetry.

On-stage demonstrations at security conferences like DefCon, Black Hat, and KiwiCon often feature the hacking of some sort of medical device that if connected to a real patient, would undoubtedly result in that patients death. Yet, the US FDA, Australia TGA, UK MHRA, and EU EMA, device manufacturers, and hospitals all downplay the risks, knowing that devices have a 15 to 20 year lifespan and few if any, are ever updated with security patches once sold.

The fact of the matter is that we have almost no idea if, and how many patients have died as a result of a medical device being hacked. No one currently is required to forensically investigate a failed medical device. Instead when is device is suspected of failing, all data is wiped to comply with HIPAA, GDPR, SPA, and other privacy rules and the device is shipped back to the manufacturer to be re-imaged, tested and put back into circulation. This is a subject I have written about in the past and one perhaps best demonstrated by Doctors Christian Dameff, MD and Jeff Tully, MD from the University of California Health System, in their realistic yet alarming presentation at the RSA Conference last year.

The need to better understand and evaluate risk in this growing sector of healthcare has reached a tipping point, as OCR in the United States and the TGA in Australia, starts to ask questions about risk analysis of these devices many of which are covered under the HIPAA Security Rule and the APA. However healthcare IT and Security teams face several daunting challenges before they can mitigate security risks and chase compliance.

1. In most hospitals, medical devices are owned and managed by Bio-Medical or Clinical Engineering, while other groups also outside of IT, manage building management and other hospital IoT systems. Consequently, there is limited security visibility, if any at all!

2. An accurate inventory of what HIoT assets are connected to the network is almost impossible to accomplish manually as devices change all the time and manual spreadsheets and traditional IT asset management systems have proven inaccurate.

3. Evaluating the risks of medical devices is difficult since most are connected to patients and cannot be scanned with normal security tools. Larger equipment like X-Ray machines, MRI, CT and PET scanners are in use 24/7 and cannot usually be taken out of service for regular security scans.

4. Inherent weaknesses in some HIoT protocols like DICOM allows a malicious actor to embed weaponized malware into a legitimate image file without detection, as researchers at Cylera Labs discovered recently.

5. Lack of internal network security allows a hacker to intercept and change a PACS image with false information during transmission between a CT scanner and its PACS workstation, adding a tumor to an image or removing one as security researchers at Ben Gurion University recently discovered.





Fortunately, new AI security tools from Cylera, created especially with healthcare in mind, are able to automate the entire risk management process to identify, profile, assess, remediate and manage HIoT assets in line with NIST SP800-30 standards. Just as healthcare delivery is moving towards disruptive innovative technologies, so are the security risk management tools being used to support the adoption of new technologies and new procedures.

Cylera’s 'MedCommand' solution, empowers healthcare providers to protect the safety of their patients, assets, and clinical workflows from cyber-attacks. 'MedCommand' provides clinical engineering and information security teams with a unified solution to manage and protect the entire connected HIoT environment including medical devices, enterprise IoT,
and operational technology.



The 'MedCommand' solution is built on Cylera’s 'CyberClinical' technology platform, which incorporates machine learning, behavioral analytics, data analysis, and virtualization techniques. Cylera has partnered with leading healthcare providers, experts, and peers to develop the most comprehensive and integrated HIoT security solution for healthcare.

Learn more about Cylera's innovative AI based approach to medical device and other HIoT endpoint management or contact us to schedule a conversation.

This blog was originally published here.


HIoT and Third Party Vendor Risk



The rising number of non-IT devices plugged in, or connected wirelessly, to hospital networks far overshadows the number of PCs, laptops and workstations in most facilities. What is more, most of these IoT devices have no security protections and cannot easily be patched. Medical devices are growing at 20% per annum and are often owned and managed outside of hospital IT and Security teams. No wonder then, that hospital CEOs are becoming concerned at the patient safety ramifications of one of these devices being compromised by a malicious hacker.

Widespread automation and cost cutting across hospitals is leading to a rising trend of the outsourcing of hospital building management systems (BMS). This includes everything from electrical and water distribution to elevators and HVAC. Most of these outsource agreements are with companies from many miles away – often out of State, or out of Country, who manage systems remotely via a virtual private network (VPN). Usually governed by weak or incomplete third-party contracts which are rarely audited, these agreements extend the hospital attack surface into the outsource company complete with all of their security vulnerabilities. Scholars of prior cybersecurity attacks will be quick to point out the parallels here between Target Stores and its HVAC services provider Fazio Mechanical, which resulted in one of the largest cyber-thefts of credit card numbers as well as most of Target’s customer information. The breach cost Target millions in compensation, restitution and credit monitoring, as well as the jobs of everyone in leadership and two class action lawsuits.

The repercussions of third-party vendor breach in healthcare could however, be far more nefarious and impactful given what is connected to the typical hospital network. That is, unless networks are properly and securely segmented to isolate hospital building management systems, operational technology, medical devices, and business IT systems. However very few hospitals have so far even started to securely segment their large flat networks in order to isolate the really risky endpoints.

The need to evaluate third party risk is critical

The need therefore to evaluate third party risk is critical, yet most hospitals currently don’t do this well if at all. With thousands of suppliers, vendors, contractors and consultants in each hospital, manual assessment is simply too much to handle with the current number of security and compliance staff.

As healthcare leaders continue to monitor and evaluate what is meant by patient safety in their operations, it’s clear that today, patient safety means so much more than just avoiding medical errors or someone slipping on a freshly mopped hospital floor.

The author addresses these and other subjects at the South Dakota HIMSS annual Conference today 
in Sioux Falls, SD.