Healthcare's many cybersecurity challenges

Lisa Hedges, content analyst at Software Advice, Gartner Digital Markets, chats with Chris Sienko about various cybersecurity issues facing the healthcare sector.

Chris Sienko: Okay, hello and welcome to today's edition of the Infosec Institute's weekly video series and podcast. Today we'll be talking to our guest, Lisa Hedges of Gartner, about security awareness issues in the healthcare field.

Lisa Hedges is a content analyst at Software Advice, the leading online service for businesses navigating the software selection process. She reports on technology trends across several markets, including medical, accounting, supply chain management, and enterprise resource planning.

Lisa joined the Gartner family in June 2017 after earning her M.A. in English from Mississippi College and her B.A. in education from Ole Miss. Lisa Hedges, thank you for being here today.

Lisa Hedges: Thanks for having me.

Chris: Great. So, let's start with what I think is probably one of the scariest hacking-related headlines currently being reported, which is that we're hearing that hackers and criminals have found ways to implant malware directly into pacemakers, which could cause them to run down the battery or even alter patients' heartbeats.

I know that there are recalls happening, but what else can be done to prevent these types of health-related cyber attacks before they get started?

Lisa: Yeah, that's a really scary thing that we're starting to see in the healthcare world with these standalone medical devices like pacemakers and insulin pumps. It happens because of things like their remote monitoring features or their inability to support encryption or access control, which makes them really vulnerable to these types of really scary attacks.

The recalls are really helpful. That's a way for the product creators to bring it all back and reassess what they're doing in order to make them stronger. Another thing that is going to be really helpful in preventing these kinds of attacks is to make sure that they are updated regularly, that they get those proper firmware updates consistently.

That means making patients aware of how important it is to come in and get those updates done, especially on those devices that they wear out in the world.

With firmware updates that can ... Those types of things affect authorization and that can make it trickier for hackers to gain access, which is the goal. Anything we can do to make it harder for hackers is a win for us.

Chris: Right.

Lisa: That's the thing that I see.

Chris: I mean, I might be getting this completely wrong, but it almost sounds like the issue is that there's almost not quite enough software; as we go toward the internet of things, the software's a little too simplistic and it has to be reconfigured for more security access and so forth.

Lisa: I mean, yes, I think that's the trick with any kind of security approach, especially with technology, is hackers are highly motivated and they're changing their strategies all the time, so software creators, and developers, and users have to be constantly vigilant. That's what it's going to take, especially in healthcare where it becomes really serious.

Chris: Yeah, and it's just a constant arms race to add more things.

Lisa: Exactly.

Chris: Along with the pacemaker story, what are the other biggest security emergencies in healthcare right now that need to be addressed that maybe aren't quite as exciting or click worthy?

Lisa: Yeah. Well, that's a good question. One thing that is coming more and more into play is the idea of BYOD, which is bring your own device. That's getting more and more popular because it increases patient engagement.

It's so easy. Just bring your own smartphone and you can do it all from your couch if you want to, which is great in terms of patient engagement, but it's also pretty dangerous in terms of transmitting protected healthcare information in unsecured ways. Also, you've got to worry about training patients on how to use it. That to me is something that I see requiring some attention in the future.

Chris: Hmm. That's interesting, because we hear about BYOD a lot as being a security concern, but you usually think of it in terms of your employees are bringing their tablet, or they're doing work from home on their computer and logging in and stuff. But the magnitude of this is so much larger if your entire set of patients are all trying to access their medical records through your portal.

Lisa: Yeah.

Chris: Speaking to patients' personal health information or PHI, I know that ... I worked for a medical society in the early 2000s and I know that the security risks of storing and accessing, and updating from paper to digital, and proper disposal is one that plagued the healthcare industry for decades. So, what is the current state of PHI security tactics and have things been improving?

Lisa: Well, right now when you think PHI you think HIPAA, that's the big law that protects it, and so really, HIPAA is what basically controls what physicians do, and how they can access the data and how they can use it. That's pretty much what we have to look at in terms of government regulations that protect us.

There's also the new program that was just announced earlier this year, MyHealthEData, which is encouraging physicians and patients to embrace this idea that patients have as much access as they want or need to their own personal information, but we also have to make sure that it stays secure, which is difficult because ...

I can't think of a really perfect idiom to go for here, but the more people who have access to that information, the more vulnerable it becomes. So, I think the state of PHI is scary.

That may be just my opinion, but I think there's so much that needs to be done in order to make sure it's secure and protected, and the more people who start getting their hands on it, the less gets done to do that.

Chris: Yeah, yeah, and it's such a multi-pronged problem and also the changes are being asked to be done by people who are already so overworked on a daily basis that it's very hard to imagine your hospital staff having time to update all these firmware updates or adapt to these new software challenges and so forth.

Lisa: Yeah, absolutely.

Chris: What are some of the strategies that are being worked right now to keep on top of this?

Lisa: Well, a lot of training, and training is going to be a big theme, because the really important thing in terms of getting employees, hospital employees to follow security protocol is to make them aware of what the threats are.

If they get a security training once a year, just a quick refresher that takes half an hour, that's not cutting it. There's so much and on a daily basis they have to follow best practices and they have to know why they're doing it. So, I think that can be ...

A lot of people are doing it really well. A lot of people need to be doing it better, but for me, the most important thing is just going to be to communicate and collaborate in your team in order to make sure that everybody is aware of the problem, and doing their very best to prevent it.

Chris: Yeah, and then I think that's ... Yeah, I mean, that's the best you can hope for, honestly, but it seems like it's getting done. You go to the doctor, and just in the last couple years it seems like so much more health information is easily available and cross-referenced versus the doctor coming in with a stack of your old paperwork this thick and what have you.

Lisa: Yeah, which is great for patient engagement and it makes things easier. It does make life easier, and then also there are built-in features in that kind of software that are meant to make sure everything is safe.

Two-factor authentication is great for physicians and for patients who are using their own devices. Data encryption is a huge one. Those things help, and so really you have to bring together these built-in security features and the best practices for using the devices.

Chris: Yeah, and the benefit of that, too, it seems like especially with older patients who might feel kind of intimidated about asking their doctor to access their old health information. It seemed like such a black box for so many years now, it's very encouraging to hear that you could just pull up what your doctor has written or recommended or whatever and get a better sense of your treatment path.

Lisa: Yeah, absolutely.

Chris: Let's go back one step down the ladder and talk about the current state of the supply chain security issues. We've been hearing, for instance, that medical suppliers, if not sufficiently guarded, that medical supply warehouses could be hacked into or tampered with. What are some of the current defenses, whether online or physical that are being implemented to make sure that stuff like this doesn't happen?

Lisa: Yeah, that's interesting, because a lot of people don't really think about the threat or the vulnerabilities before the devices even get into the medical offices. But what I see is that it's the process of configuring new devices with existing IT infrastructures.

That's when it becomes really vulnerable and that's an opportunity for hackers to attack, because it's connected to the internet and it's not being really monitored. All hackers really need is an internet connection in order to get to an exposed device, so that's a moment during the supply process that I think could use some shoring up in terms of defenses.

But some things, there are, if you're using firewalls, again encrypting your data, which is ... I'm going to say the word "encryption" a lot in this conversation, but that's the big thing.

Then they have threat management, which can help you pay attention and be aware, which will be great. I mean, it's mostly software protections and it's just paying attention to those things and making sure that they're up-to-date and being used.

Then the other thing is you've got to pay attention to the third parties that you're working with, and doing that kind of background research to make sure that the people that you are relying on to provide secure software or devices are trustworthy, aren't vulnerable, have not suffered any attacks, or know how to handle those types of things.

You've got to choose your company really well, and that's going to be that personal, the human way of making sure those attacks don't happen.

Chris: Has the internet of things provided either an improvement on these challenges or more of an impediment? Having so much connectivity, has that helped or hindered in any way?

Lisa: Both. It's done both. It's a frustrating answer, but it really has. I mean, by their making everything so much more convenient and better for patients, which improves patient outcomes and they're great, and it's the way of the future, and it's progress, it also means that we have to progress how we defend it as well. It's a double-edged sword, I would guess.

Chris: Yeah. Going back to, we discussed a little bit about security awareness education, but what is the role in your mind of security awareness education versus more process-driven security tactics? Do you have best practices for educating medical staff, educating patients, anything that you've found that is especially helpful in that regard versus firewalls and encryption, or hand-in-hand with them, I suppose?

Lisa: Yeah, that's tough. Both. I think my opinion of the role of the education versus the security tactics themselves is that they are hand-in-hand and if you separate them you are just asking for failure. You have to make sure that everybody on the team knows what's going on, knows why it matters, and then knows what to do.

That means getting the IT team and the nursing staff in the same room so that everybody can get on the same page and it doesn't become an us and them or the IT guys versus the medical staff. It can't be that, because you're all on the same team. You're doing different jobs, but you know everything you do depends on the hospital or the practice being successful and not suffering any setbacks.

So, you've got to work together, which may be more of a vague answer than you were hoping for, but really what I've seen is that you've just got to get them in the same room.

Chris: Yeah. One of our services that we have is called Security IQ and it allows users to send out fake phishing emails to their staff or their friends or family, or whatever. It's totally safe. Then if they fall for it then you watch a small educational video.

But just jumping into that, what I was going to say is that one of the things that we've found especially useful is not just as you say getting everyone into the room and saying we're all on the same team, but also repeated exposure to this. And you said it before, not just a once a year security training half hour and then we're done.

Everyone can fall for it, but also if you're thinking about it because it happened two weeks ago or whatever, it seems like it keeps people more aware as well.

Lisa: Definitely, and the idea of practicing, too, I really love that, that you get to experience what it would be like in a low stakes situation where there's actually no real threat. I think that's genius and yeah, I think the more that people are exposed to it the better.

Chris: Turning to the more, again, very exciting but scary side of the news here, on Infosec Resources we covered last year several stories of hospitals that had been hit by ransomware, including the famous WannaCry hack. Now, has the healthcare industry as a whole made adjustments to prevent future similar attacks, or is ransomware still a persistent threat?

Lisa: Yes, there have been some attempts made to protect against those types of attacks, but also bigger, yes, ransomware is still a huge threat in the healthcare industry. Things like WannaCry and SamSam really illustrate what you have to do and how vigilant you have to be.

Some of the things people are doing right now to protect against those types of attacks are backing up data backups and making sure that they have everything stored and secure so that they can access it, which is ...

Actually, there was a recent attack, fairly recent attack on Blue Springs, a medical practice called Blue Springs, and hackers gained access to, it was nearly 45,000 patients, something like that. A massive amount of patients and they had access to it.

Blue Springs had all that data backed up and so they were able to just recreate the system based on what they had. They weren't forced to pay the ransom in order to recover access, which is by the way, what the HHS is recommending.

They don't really want healthcare providers to give in to these ransom attacks, which it's sort of a non-negotiation policy, which is great. It has the goal of discouraging future attackers if they find that they can't get anything out of doing it. But it's also still scary.

There's also still the concern of hospitals who are faced with the decision to either pay off attackers and do damage control now, which is you got to be honest, really tempting, or sticking to their guns and preventing future attacks and doing, I guess future damage control for the greater good. That's a hard decision to ask healthcare providers to make and it's what they're facing.

Chris: With regards to the ransomware attacks, I know that the general demand is "or else we delete all of the private data." You're countermanding that by having the backups, but have there been any examples of, "If you don't pay, we release the personal data out into the world" or something like that? That seems like that would up the stakes significantly.

Lisa: Yeah, absolutely. I-

Chris: Is there any way around that?

Lisa: Yeah, I'm not aware of any of those types of threats, although, I mean, it seems like the next logical step if you're thinking from a hacker's perspective. "If you don't give me what I want, I'll do this. If that's not a big enough motivator for you, I'll do this worse thing."

That's part of what makes it really hard not to give in to ransomware. To be honest with you, I'm not sure what would be done in those situations. I mean, it's ... Yeah, I don't know what I'd do either.

Chris: Well, jumping onto that, so what are ... Along with hacked pacemakers and supply chain issues, and ransomware, what are ... I feel like I'm giving our listeners 10 new reasons to be terrified, but what are some of the challenges on the horizon that security awareness experts are preparing for in healthcare?

Lisa: So those, BYOD is, I think, one thing that we're really getting ready, we're gearing up to figure out how to secure everybody's devices, which is going to be, honestly, a pretty major challenge, but a necessary one, I think. And, just educating patients on when it's okay to use this app or how to protect yourself, that kind of stuff.

Patient engagement is such a buzzword these days and it refers to getting patients involved with their own healthcare and treatment, but we're also going to need to start getting them involved with protecting their information. I see that as the next step, personally.

Chris: Narrowing it down to an individual ... I'm thinking in terms of a doctor's office or even hospital staff. What's one thing that healthcare providers or employees can change in their daily office routine to make things safer? I mean, you can hire security experts, you can do this, but what's one thing you could change today?

Lisa: Training.

Chris: Training?

Lisa: I mean, getting people involved and, like you said, being constantly exposed to the dangers and aware of them. That would be, especially in small practices, just because you think about the tiny, the doc-in-a-box in a small town in Minnesota. They're not necessarily hyper-aware of all of these cyber threats, so doing the work to make them aware is going to be the one huge thing.

Chris: And on that note I think we're going to wrap it up today. Thank you very much, Lisa Hedges, for being with me today, and-

Lisa: Thank you.

Chris: Oh, sorry. Thank you all for listening and watching. You can find more of these videos on our YouTube page. Just go to YouTube and type in "Infosec Institute", I-N-F-O-S-E-C, and you'll find our page with lots and lots of videos for you to watch.

If you'd rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Just search for "Cyber Speak with Infosec Institute" on Apple Podcasts, Stitcher, or wherever you get your podcasts, and if you'd like to read more about security awareness topics, and especially security awareness in healthcare, there's an entire section just based on healthcare topics.

Please visit for thousands of articles, labs, videos, and more. Thanks again to Lisa Hedges and thank you all for watching and listening. We'll talk to you next week.
