Last month I spoke about ransomware in my blog regarding patient data security. Ransomware is a particularly nasty malware variant where malicious code gets launched into a network and encrypts critical data. Then someone, somewhere requests ransom in return for the decryption key.
For healthcare IT, this is an increasingly important problem. I’ve never been in this situation, but many of my healthcare IT friends have. While none of them have ever paid the ransom (we have to make a stance, after all!), they’ve spent inordinate amounts of time and resources identifying these viruses, eradicating them, and manually restoring the encrypted data.
Hospitals are Too Easy to Hack
As if this version of ransomware isn’t challenging enough, the scenarios are getting worse. According to Forrester’s Predictions 2016: Cybersecurity Swings to Prevention, ransomware is now moving to Internet-connected medical devices. Hackers are finding their way into pacemakers, medical monitors, and other care-critical devices, putting patients’ well-being directly at risk. Critical care patients should be focused on getting well, not on a cyber attacker holding their lives for ransom.
This isn’t a far-off threat coming down the road sometime in the future. The threat is here and now according to a recent Bloomberg article appropriately titled “It’s Way Too Easy to Hack the Hospital.”
The article reports that:
“Last fall analysts with TrapX Security, a firm based in San Mateo, Calif., began installing software in more than 60 hospitals to trace medical device hacks. TrapX created virtual replicas of specific medical devices and installed them as though they were online and running . . . After six months, TrapX concluded that all of the hospitals contained medical devices that had been infected by malware.”
Healthcare Hackers – Goin’ Phishing
How, exactly, are these devices getting infected? As the Bloomberg article goes on to say:
“In several cases, the hackers ‘spear phished’ hospital staffers, luring them into opening e-mails that appeared to come from senders they knew, which infected hospital computers when they fell for the bait.”
Phishing! A particularly vexing problem driven by human behavior – and who’s going to change that any time soon? In another blog, I reported on findings from the 2013-2014 Security Deployment Trends Survey which indicated that 80% of corporate security professionals and IT administrators cited “end-user carelessness” as the biggest security threat to their organizations.
I think many of the respondents had phishing attacks in mind when answering this particular question. In a healthcare setting, however, I would change “end-user carelessness” to “end-user busy-ness”. Who can blame a busy clinician zipping through emails if they accidentally click on something they shouldn’t have? An IT security strategy that depends on clinician vigilance is no strategy at all.
Context-Aware Security That’s Proven
At RES, we don’t have all the answers to phishing attacks, ransomware and security. What we do have is proven experience with many customers using our context-aware security controls to reduce the spread of such attacks.
These customers use RES to reduce security vulnerabilities by ensuring that clinicians and other users only have access to the right apps, data and services based on their context, including their role, location, device, time of day, and more. So when clinicians use their devices on public Wi-Fi, at lunch time for example, they no longer have access to the EMR system they were using only moments before at a patient’s bedside.
Next, our customers use tools such as whitelisting to ensure that only approved applications and services are accessed. With whitelisting, IT can set rules, in advance, for which apps and services are allowed to execute when clicked. This can dramatically diminish the effectiveness of phishing attacks. We’ve had customers who were midway through deploying RES when they were hit by such attacks. The legacy systems that had not yet been upgraded to RES were infected, but the RES-based systems never felt a thing.
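To make the two controls above concrete, here is an added example (not RES product code, and not from the original post) of how a context-aware policy and an application allowlist fit together. The address range, roles, resources, time windows and executable contents are all constructed sample values; the EMR rule requires a hospital network and a managed device, while e-mail is allowed from anywhere, and execution is permitted only for binaries whose SHA-256 digest is on the approved list.

```python
# Added example, not code from RES or the original post. A minimal
# attribute-based access policy (role, network, device, time of day) plus an
# application allowlist. All networks, roles, resources and file contents
# below are constructed sample values.
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    device_managed: bool   # enrolled/managed endpoint or not
    client_ip: str         # address the request arrives from
    hour: int              # local hour of day, 0-23


# Assumed hospital address space; anything outside it (public Wi-Fi, home
# broadband) is treated as untrusted.
HOSPITAL_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Per-resource rules: who may use it, and whether it requires a trusted
# network, a managed device, and a time window.
POLICY = {
    "emr":     {"roles": {"clinician", "nurse"},          "trusted_network": True,  "managed_device": True,  "hours": range(0, 24)},
    "email":   {"roles": {"clinician", "nurse", "admin"}, "trusted_network": False, "managed_device": False, "hours": range(0, 24)},
    "billing": {"roles": {"admin"},                       "trusted_network": True,  "managed_device": True,  "hours": range(7, 19)},
}


def on_trusted_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSPITAL_NETWORKS)


def authorize(ctx: Context, resource: str) -> Tuple[bool, str]:
    """Evaluate the context against the resource's rule; deny by default."""
    rule = POLICY.get(resource)
    if rule is None:
        return False, "unknown resource"
    if ctx.role not in rule["roles"]:
        return False, "role not permitted"
    if rule["trusted_network"] and not on_trusted_network(ctx.client_ip):
        return False, "untrusted network"
    if rule["managed_device"] and not ctx.device_managed:
        return False, "unmanaged device"
    if ctx.hour not in rule["hours"]:
        return False, "outside permitted hours"
    return True, "allowed"


# Application allowlist keyed by SHA-256 of the executable, so a renamed or
# tampered binary does not match. The digests here are of constructed bytes
# standing in for real installers.
APPROVED_EXECUTABLES = {
    hashlib.sha256(b"constructed EMR client build 1.0").hexdigest(): "emr-client.exe",
    hashlib.sha256(b"constructed mail client build 4.2").hexdigest(): "mail.exe",
}


def may_execute(file_bytes: bytes) -> Tuple[bool, str]:
    """Allow execution only if the file's digest is on the approved list."""
    digest = hashlib.sha256(file_bytes).hexdigest()
    for approved, name in APPROVED_EXECUTABLES.items():
        if hmac.compare_digest(digest, approved):
            return True, name
    return False, "not on allowlist"


if __name__ == "__main__":
    bedside = Context("dr_lee", "clinician", True, "10.20.5.7", 10)
    lunch = Context("dr_lee", "clinician", True, "203.0.113.45", 12)
    print("EMR at bedside:", authorize(bedside, "emr"))
    print("EMR on public Wi-Fi:", authorize(lunch, "emr"))
    print("Email on public Wi-Fi:", authorize(lunch, "email"))
    # An attachment that is not on the approved list is refused no matter
    # who clicked it, which is the point of allowlisting against phishing.
    print("Run unknown attachment:", may_execute(b"constructed malicious payload"))
```

The design choice worth noting is deny-by-default: every rule must pass before access is granted, and the allowlist matches on content hash rather than file name, so a clinician clicking an unexpected attachment cannot launch it even though the phishing e-mail got through.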
There are plenty of other security benefits to highlight, which you can find here. I highly recommend you check them out. For this blog I would just like to wrap up by saying that despite the many scary headlines about healthcare security risks, with RES there are definitely steps you can take to protect patient data. Our customers have proven this to be true.
Also, if you’re coming to HIMSS16 this year (I hear Peyton Manning is delivering the closing keynote), join Phil Alexander, the Information Security Officer from UMC Health System, and me in our session on the three-pronged approach to security that UMC uses to stay ahead of hackers and keep patient data safe. Would love to see you there.