If you asked someone with 20 years of healthcare security to name the top challenges facing the industry today, what do you think they’d say?
Would they cite the latest vulnerability? Lament the lack of user education? Decry the portfolio of complicated tools firing noising alerts?
Perhaps, but there’s one challenge that’s common to all of these and it’s financial. That’s according to Steve Swansbrough, who has 22 years in the field and most recently focused on protecting the network of a Fortune 10 healthcare company.
We recently had the good fortune of hosting Steve for a webinar addressing cybersecurity challenges in healthcare, including intrusion detection. The webinar was such a success, that we asked him to sit down with us for an interview to dive into some of the points of interest to the community.
Read on to learn Steve’s compelling take on the state of cybersecurity in healthcare.
1) How would you characterize the state of cybersecurity in healthcare?
SS: The state of cybersecurity today in healthcare is somewhere in the middle and has room for improvement. It’s not getting better yet, it could potentially get worse. If the industry has a new ransomware type of attack, or Meltdown/Spectre type vulnerability, things could go south quickly.
In healthcare security, the critical tasks are protecting personally identifiable information (PII), protected health information (PHI), and ensuring we have proper visibility of, and options to mitigate, emerging threats.
It’s not just zero-day threats we’re worried about because ransomware is a big concern. It’s been about two years since Hollywood Presbyterian Medical Center paid the first ransom to release data that was locked up. This sparked a flood of bad actors going after some of the easier targets in the healthcare industry.
It used to be that no one paid attention to healthcare – there was no point. However, with the advent of Bitcoin, and the fact that healthcare is a soft target, especially hospitals, this is growing and poised to grow more.
2) Why are hospitals soft cyber targets?
SS: It’s because hospital budgets do not have line items for security products. Hospitals are in the business of healing people and saving lives, and most of their budget goes to those resources: doctors, nurses and technicians – and often expensive multimillion-dollar medical devices they need to do their important work.
As such, they don’t have a lot of money to shift towards security. In many cases, they don’t have the right technical talent to do some of the basics, like segmenting their core protected patient data or medical systems from general internet access.
Like many businesses, hospitals offer free guest Wi-Fi as a service to their patients, and then they quickly discover the risk of not segmenting or securing guest and internal wireless networks. Anybody that knows what they’re doing could possibly leverage this as a way into the more critical infrastructure or the network environment at that hospital.
3) There’s some research that found 20% of healthcare organizations across the US and UK are still running Windows XP. This supports the notion that healthcare organizations are running legacy systems which are vulnerable. Do you think that’s true?
SS: I think it’s a contributing factor. The lack of support from Microsoft now with Windows XP and Server 2003, leaves a lot of vulnerabilities on the table. Many businesses assume you’ve moved on to something that is supported, but if they haven’t, then that means they aren’t getting the patches and upgrades to stay safe and reduce risk. This means it’s easy for bad actors to use both known and emerging vulnerabilities to get into that network.
Missed the health care security webinar with Steve?
Never fear, here’s a link to the recording:
Solving the IDPS Challenges in Enterprise Healthcare
4) Why don’t hospitals and healthcare organizations just upgrade their equipment?
SS: They lack the funding. Remember, most of their funding goes to life-saving resources. In addition, the state hospitals and university systems are government funded and that comes with inherent budget limitations (although private hospitals face similar constraints).
There are also a lot of people that don’t have health insurance, and that complicates things. This is because the insurance gap forces hospitals to take millions of dollars in write-offs each year. That is all potential money that could have been put towards upgrades and security infrastructure improvements.
When we take all these things together, it creates a financial gap. Hospitals and their boards of directors have to find areas where they can cut costs to keep the doors open so they can continue treating patients. Unfortunately, in many cases, what ends up being cut is the security budget. That’s how you end up with these systems like Windows XP that are outdated, unsupported, and vulnerable.
There’s another challenge here from a functionality standpoint. From the perspective of providers, staff and medical device manufacturers that use the XP (or other older Windows operating systems) platforms to access or run their tools – this software still works so why change it?
It’s really hard to get non-technical people to understand the risks of not keeping your systems up-to-date from a security perspective. It’s hard to convince them you stand the chance of being the next target, and it’s going cost your organization hundreds of thousands, if not more, in a breach.
5) How can security professionals go about convincing business leaders in healthcare to do more to shore-up cybersecurity?
SS: The key is getting the business to understand the risks, and I don’t mean using fear tactics. Fear tactics – telling them about scary trends, statistics and anecdotal examples – is only effective in the short-term. People grow numb to it.
What you have to do is present this in a risk mitigation and risk acceptance format. For example, you’ve got to demonstrate that you’ve done an assessment or penetration test on the network, and then list all the vulnerabilities you found. It’s very different when you show the business how an experienced hacker can gain access to the systems in five minutes and have root access to servers within 10.
At this point, it’s not a general threat anymore, but a tangible and specific example. This approach will get a lot of people listening, but you can’t stop there – you have to show them how bad actors can gain access to imaging devices and medical equipment and can shut them down. Or that you gained access to tens of thousands of electronic medical records and could have encrypted the data for ransom or sold it on the black market.
You have to make these examples personal, and not use generic statistics. It’s essentially like showing them: ‘Hey, you left the front door open to your house, and I walked in, and I started poking around. And because you have no further locks or preventative measures in your house, I found jewelry laying out, I found money laying out, I found thousands of dollars in technology and equipment that I could’ve loaded into my truck and took off with because you thought everything was fine just because you locked your front doors. The fact is, I happened to find the one day you didn’t lock your door, and I got in.’
6) Given all of the challenges we’ve discussed – legacy infrastructure, ransomware, budgets – what would you say are the top challenges facing healthcare with regard to security?
SS: The biggest challenge is finance and the detrimental effects of fraud. Security budgets are flat to declining, which means healthcare security has to maintain an existing portfolio of tools to defend against many new threats. In some cases, you might even have to cut back on the number of tools at your disposal.
This creates risk because you don’t have the budget to invest in new defenses as threats evolve. You can talk about all the different risks, bad guys, and the new tips, tactics, and techniques that they’re using, but if you don’t have any way to mitigate any of this; without a checkbook, you’re dead in the water.
I think this is as big an issue in healthcare cybersecurity as any other cyberthreat out there, including malware and ransomware. However, you cannot continually buy additional security tools for every new threat that comes out in cyberspace. At some point, the business has to ask “When are enough security tools – enough?” Companies cannot continue to procure new tools at the rate that has been occurring over the past four years or so.
Fraud is a budget siphon to cybersecurity. Fraud is a part of doing business and companies are always trying to fight the new threats stemming from fraud. While some companies try to combat fraud by buying new security tools, some companies lack the additional budget funding due to the losses that fraud takes away in their bottom lines.
Ransomware is probably next on the list of top challenges and most of it stems from someone clicking on a link or opening a file in an email. I see weekly reports from different companies, all over the world, and assuming they’ve followed the rules and reported a breach properly, it’s almost always traced back to a link or file in an email.
That sets off the sequence of events – a machine downloads ransomware and depending on the variant of ransomware, it tries to install additional copies of itself across the network. The goal is to encrypt your system(s) or destroy your data unless you pay the requested ransom in the specified amount of time.
The third largest threat – which affects every industry, not just healthcare – is the vulnerability around Meltdown or Spectre. This is because so many people have Intel chips on their machines. I don’t think this is going away anytime soon and given it’s fairly easy to use email to gain access to a machine, this is a much scarier prospect in the grand scheme of things. It is also showing itself to be rather difficult to remediate via patching.
7) Some of the people behind these healthcare ransomware attacks, seem to be really good at pricing, where even businesses with backup systems find it just easier to pay the ransom. What’s your take on that?
I have a strong suspicion that a lot of these attackers with this particular form of attack are newbies. There are so many utilities you can leverage to deploy a ransomware attack, and healthcare has traditionally had such weak defenses, that the people that get in weren’t the big-time hackers.
This is going to change for several reasons. One is that the value of cryptocurrency is rising, so what was a modest dollar amount in Bitcoin ransom a couple of years ago, is much more expensive today. At the same time, some of these attackers have established helpdesks to process Bitcoin payments and pay ransoms – some of them have better customer service than legitimate companies. This is all going to attract more sophisticated attackers.
So, while some organizations have paid ransoms because it seems easier, on the whole, I think it’s a bad idea. There is no guarantee that the bad guys won’t try to hit you again tomorrow or next week and you’re right back in the same situation. Only about 50% of companies that pay their Ransom actually get their data back. Remember – you are dealing with criminals. When you get the core of the issue, I suspect these organizations usually pay the ransom, not because it’s easier, but because they don’t have a comprehensive backup system or disaster recovery plan. When you’re being held for ransom and your systems are down for a week, paying the ransom looks like your only way out.
However, you should already have a resilient IT environment. What if the system caught on fire or was lost in an earthquake? You wouldn’t have been able to write a check to a bad guy to decrypt data, and your business would be in trouble. Hospitals have learned from this over the last two years and are making progress but have a way to go still.
8) What do you think healthcare needs from the security vendor community?
It’s almost cliché to say this, but there’s such a large market in healthcare, and yet there’s a real need for an all-in-one type security tool. The vendor community could offer it to a medium-sized hospital, with the promise that if placed inside a network they’d have the visibility and ability to block or detect these threats.
This would need to be like a Swiss army knife, where security could integrate vulnerability scanning, recording, and other important aspects of defense. You have to be able to deploy and manage this solution with just a couple of people to oversee the tool while providing the additional control and protection they need.
The price point is a big factor too because the board of directors is weighing the cost of security technology against the cost of a $200,000 payment in Bitcoin. If the risk to pay the ransom is based on an annual rate of occurrence, current trends, and organizational efforts to educate the user, perhaps the chances of occurrence are only once every two years, they are going to be disinclined to invest.
I think we are hitting that cross-road in security – how much investment in security is enough?
* * *
The webinar Steve was recorded and is available for review on demand with registration: Solving the IDPS Challenges in Enterprise Healthcare
If you enjoyed this post, you might also like:
Threat Hunting is an Imperative Despite Challenges in Definitions, Data and Skills