Healthcare cybersecurity threats have been under the spotlight this past year, in particular with the rise of COVID-19 and the budgetary and resource strains that it has put on hospitals.
Beau Woods, a Cyber Safety Innovation Fellow with the Atlantic Council, founder and CEO of Stratigos Security and a leader with the I Am The Cavalry grassroots initiative, said that hospitals are facing widespread security threats from ransomware to data IP theft.
[Editor’s Note: Threatpost has published an exclusive FREE eBook, sponsored by ZeroNorth. The eBook, “Healthcare Security Woes Balloon in a Covid-Era World”, examines the pandemic’s current and lasting impact on cybersecurity. Get the whole neatly-packaged story and DOWNLOAD the eBook now – on us!]
In this week’s Threatpost video interview, Woods discusses the top security threats facing the healthcare space – and how hospitals can adopt the best security practices to protect themselves.
Below is a lightly edited transcript of the video interview.
Lindsey O’Donnell Welch: Welcome to another episode of Threatpost Now, I’m Lindsey O’Donnell Welch with Threatpost, and I’m pleased to be joined today by Beau Woods. Beau Woods is a cyber safety innovation fellow with the Atlantic Council, a leader with the I Am The Cavalry grassroots initiative, and founder and CEO of Stratigos Security. Beau, thanks so much for joining me to talk today about healthcare security.
Beau Woods: Thanks. I’m always happy to be here.
LO: Great. Well, you know, you mentioned before you’ve worked in the security space for 15-plus years, and I know you’ve worked a lot with different healthcare companies and initiatives. Can you, just to start, tell us a little bit about your background in security, specifically as it relates to healthcare?
BW: Sure. So I got my start in security actually working for a small hospital system. I spent about three years doing that before going out and doing more consulting broadly, across different industries – financial sector, energy sector, and healthcare and retail as well. And more recently, in 2013, I joined an initiative called I Am The Cavalry, which you mentioned. And the goal there is to assure more trustworthiness of the things we already trust in areas that can impact human life, public safety, and healthcare is right up there, of course. In 2016, I led the authoring of a document called the Hippocratic Oath for Connected Medical Devices, which essentially was a translation of the ages-old Hippocratic Oath into a modern era, now that increasingly healthcare delivery is being undertaken by medical devices, by electronic healthcare records and other systems that support the physicians. In 2018, I joined the Food and Drug Administration to work on a project to help secure software as a medical device and build a new pathway to market to get reliable, trustworthy software devices, software medical devices, on the market. And I’ve worked in and around healthcare for the last several years through other initiatives, like as an advisor for a company called Electro Labs. And also I run the device lab for the biohacking village at DEF CON, RSA and other places.
LO: Great. I mean, it sounds like you have really seen it all in terms of anything from IoT medical devices to other different healthcare-related issues. Can you talk about some of kind of the biggest security challenges that you’ve seen that are facing the healthcare space right now?
BW: Yeah, I’d say the predominant issue facing healthcare right now is ransomware. Ransomware continues to be a leading thorn in the side of care delivery, being able to deliver care to patients. Ransomware comes in and shuts down clinical operations; it can cause patient care to go on divert, which is where they basically send ambulances to other hospitals, or even cause hospitals to move patients to another facility that’s not impacted by ransomware. Doctors, nurses, clinicians, and hospital administration rely on electronic health record systems, they rely on medical devices, particularly radiology devices – X-rays, MRIs, those types of things. And ransomware takes this all offline for an hour in some cases, where they can get up and run very quickly, to several weeks in other cases, where they’re down and they’re not able to treat patients the way that they would be able to ordinarily.
So that’s, I think, the number one issue that hospitals are facing. And I think right now, a lot of the focus of ransomware is what it’s currently doing, which is good. That’s where we should be looking. What’s ransomware currently capable of? We always have to have an eye on what ransomware groups might do. And these are innovative, business-oriented, entrepreneurial criminals in most cases. And so they’re always looking for the next thing that’s going to give them the edge over their competitors, allow them to increase their revenue per operation, and other things. And I think that that’s where we start to look at the crossover between ransomware and medical devices – not just the attached supporting infrastructure to the medical devices, like radiology imaging machines, but also looking at some more sophisticated pieces of equipment, or more numerous pieces of equipment. Certainly radiology devices are really important. Electronic health record systems and radiology are largely affected today. In the future, I suspect we’ll see other systems, maybe infusion pumps, network-based infusion pumps, or just different types of true medical devices in the hospital, where it could be not just about releasing patient information, not just about shutting down operations, but actually directly causing harm to patients.
LO: Right, right. And to your point about ransomware, I feel like there are two pieces there. The first is obviously cybercriminals gaining access to extremely personal, sensitive data. But then the second is kind of the human impact there that you talked a little bit about, in terms of what the impact is for patients, or even doctors. And I know the recent cyberattack on, I think it was the UVM Health Network, led to appointments being delayed, chemotherapy appointments being cancelled or rescheduled. So it really has that direct impact on patients. And I feel like that’s really what’s so scary in that space.
BW: Yeah, it is. And, you know, for elective surgeries, for elective procedures, you can always do it a different day. Or you can easily go somewhere, even if you have to drive a couple of hours, if it’s more serious for some of these cases. And I don’t know the specifics of what happened with UVM. But I know in some cases, if a number of healthcare providers are down in a region, then it can delay emergency services, emergency care, for quite a while. And so you start to see things where ambulances might go on divert to something that’s an hour away. And if you have a stroke victim, you have basically, they call it a “golden hour,” 90 minutes, for doctors to begin treating that patient to get them the type of care they need. And if you don’t get it within that time period, the patient is going to be irrevocably altered – their quality of life, and it may even end up in their life. So those are the types of things that I’m most concerned with, much more so than a confidentiality leak, which is also important, but it’s less critical to care delivery and to patient safety.
LO: Right, absolutely. And I really feel like we’re starting to see more of those types of situations. I mean, I’m sure they’ve gone on for a while, but there have been several of those incidents that have occurred over the past few years as well. So that’s a really good point. And also, to your point about some of these medical devices as well. You know, looking at insulin pumps, X-rays, and I believe it was this week, GE issued a security advisory about radiology devices that had a vulnerability in them. So I feel like that’s another kind of huge issue there, especially with different devices becoming more connected as well, right? I mean, what are you seeing in that field?
BW: Yeah. Well, when there’s software, something is hackable, you add software to it, it becomes hackable. If you’re connecting it, then you’re exposing it to the capabilities that connectivity can bring, but also to the adversaries, and the accidents, the unintended consequences. So as we continue to connect all of our medical devices, for very good reasons, we have to be conscious and wary that adversaries may also get access to them that connected accidents can happen, the wrong data feed can come in, or you can have just a side effect of somebody doing something that they shouldn’t be, that causes one of these systems or devices to fall over. Like a port scan a lot of times will cause some older medical devices to fall over. And many of these pieces of equipment were always threat modeled, to be isolated from the network, to not have any inputs from that. So we’re really changing how those devices were meant to be protected and secured to begin with. I think that as we go forward, medical device makers and others should just be conscious of the requirements from the FDA to get their devices onto the market. The FDA has some pretty strict guidelines and guidance, they call it guidance, but it’s really requirements for getting on to the market. And then once it’s on the market, to have the mechanisms to be able to take reports from security researchers or others so that they can take corrective action as quickly as they need to.
LO: Right and what are you seeing in terms of, with these devices, in terms of patch management and any difficulties there with these manufacturers, I’d imagine it’s a little more difficult to kind of issue updates for these types of devices.
BW: Yeah, patching is never as easy as just clicking a button. Especially in a healthcare environment where you’ve got a lot of moving pieces. When there’s some type of an update or a patch issued by the software maker, it has to go to the medical device maker. They then run it through a barrage of tests to make sure that it doesn’t conflict with anything, or that it doesn’t cause issues, the concept of “first do no harm,” and then it can be rolled out to the healthcare providers. The FDA has said that the FDA does not need to check, once a new update has been issued, that if you wanted the device, the manufacturers can just roll it right out there. So I think that right now, the leaders in medical device security, are doing a great job in issuing prompt updates; the medium tier and the laggards are well, well behind that. And so that’s the role of building a better architecture, so that your medical device doesn’t need to update quite as often. So that if it doesn’t update, that there are things that protect against an adversary gaining access to it. So hardening the devices, isolating, one part of the device connects to the network, from the other part of the device that actually delivers care. And these are some fairly well understood concepts in healthcare that are practiced again, by the leaders in the space, and the others should also adopt them.
LO: Right, definitely. Well, I also wanted to ask about kind of the elephant in the room here, which is the ongoing COVID-19 pandemic, obviously, that’s impacting every market, but especially the healthcare space, in terms of the pressure put on hospitals globally, and the resources and budgets and everything else. So can you talk a little bit about what you’ve seen, in terms of the impact of the pandemic on the healthcare industry, and what new challenges that this creates?
BW: Sure. So the past several months, the global COVID pandemic has caused increased volumes at hospitals. We all know that. The hospitals have been working through that; they’ve been figuring out, often building new processes on the fly over the past few months, how to intake and treat patients with the best care possibly available. And in some cases, that has included turning away elective procedures that can be done somewhere else, or at some other time, in order to focus on delivering care to COVID patients.
Now, one of the things that’s been very prominent lately in the news is the vaccine supply chain, and getting necessary vaccines from the manufacturers into patients’ arms quickly, and with minimal disruption, with the maximum amount of flow from that supply chain. That’s where efforts that have been undertaken by the pharmaceutical makers, the supply chain logistics providers like FedEx and UPS, in some cases some of the hospitals, some of the intermediaries – those are all critically important right now to get right, to be able to assure that that supply chain isn’t disrupted by nation-state adversaries who may want to do us harm, by criminals who are looking to profit off of something that is a critical need, or by ideological adversaries who just want to hurt people in order to make a point for the broader ideology that they serve. So this is where I think a lot of organizations are throwing their efforts right now, is into securing those supply chains and ensuring that we can get the vaccines safely all the way through, so that we can treat the most people, so we can get back to doing the things that we really want to do regardless of the pandemic.
LO: Right, definitely. And I also feel like you mentioned supply chain there was a recent warning and advisory about cybercriminals who were targeting the COVID cold chain, which is, it’s companies that are kind of related to keeping vaccines in normal temperatures and making sure that they’re transported safely. And so I think that’s very applicable in this case scenario as well. When you’re looking at the cybercriminals who are targeting supply chain or cold chain or I guess COVID vaccine research in general, what’s kind of the main motivation there? Is it cyber espionage, is it finance or kind of what are you seeing there?
BW: Yeah, there are multiple reasons why anyone would want to do anything, and no two groups operate identically. So some are trying to do espionage, trying to get a head start on identifying vaccine candidates, or they’re trying to understand what some of the risks or side effects are, maybe trying to steal the manufacturing technology that’s used to create those vaccines. In other cases, you have people who are more financially motivated. So they may recognize that in a critical time of need, if they hold a processing system for ransom, they could extract a higher cost with a more urgent timeline from those organizations. So there are also criminal groups looking to use ransomware, or to acquire knowledge that they could use to trade on the stock market, for instance. You have adversaries who are ideological in nature, terrorist groups, for instance, who just want to do harm to Americans’ way of life. And so there might be many reasons why some of these groups do things. It’s not always just criminals. It’s not always just nation-states. It’s not always just terrorists. It’s not always just hobbyists; there’s a unique combination of motivations for each group.
LO: Right, definitely. Well, you know, looking forward, what are some of the best practices or best measures that hospitals can take, especially for CISOs who are working in hospitals that might be juggling these existing budgetary struggles or looking to advocate for security during these pandemic times?
BW: Yeah, I’d say there’s a handful of things that hospitals can do to really protect themselves, particularly in the pandemic. The first is to know your exposure. So you can use tools like Censys and Shodan to look at your public IP space, and to see what’s revealed out there. In some cases, researchers have found that critical systems are actually open on the internet, with very little security in between the hospital and a potential adversary. So that’s number one, you know, get things off the internet.
Number two, for the things that must be out there, protect them. Look at some kind of a scanning service to tell you what vulnerabilities may exist in those externally facing systems so that you can then take the appropriate action to patch them, put some kind of other security measure in place as a stop gap, or, you know, ultimately change the risk decision to take them off of the internet or put them behind a VPN, for instance.
Third, I’d say you’d want to look out for malicious software that’s made it into your network through phishing, or some other mechanism like that, right. So a really good tool to do that is your DNS system. So your domain name system that looks up google.com and translates it to an IP address. Often, you can use third parties like CloudFlare, like Quad9, like some of these others, that will filter out known malicious DNS translations. And that will flag when something inside of your organization is trying to reach one of those systems. So that way, you know that there’s a compromised host somewhere and you can start to act on it. So I’d say those are the top three things that I would do on the cyber side in order to protect organizations from malicious attacks, particularly during the pandemic.
LO: Great, well Beau, before we wrap up here, any other kind of trends that you’re looking at, anything else that you’d want to impart in terms of any advice or security tips?
BW: Yeah, I’d say one good general practice, and it may take a little bit longer than some of the other approaches, but getting a handle on your passwords, putting in place a strong, robust password management program with multi-factor authentication. In hospitals it’s particularly critical that they don’t interfere with the clinical workflow. So if you’re stopping an emergency room doctor from serving patients, you’re defeating the purpose of what you’re trying to do, right? So these things in healthcare, particularly, take a little bit of time to think through and to action. But having a plan for that and starting to implement those as we go is very important for, you know, the next stage of the pandemic, or the next pandemic, or just the next attack that’s unrelated to a pandemic.
LO: Great, great. Definitely. That’s really good advice. So, Beau, thank you so much for joining me today to talk a little bit about healthcare security and what you’re seeing there.
BW: Thank you.
LO: Great. And once again, this is Lindsey O’Donnell Welch here with Beau Woods. Thank you so much for listening in to Threatpost Now.
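The third recommendation above, using DNS to spot hosts that are reaching for known malicious names, is something a hospital security team can also do locally against its own resolver logs, alongside or instead of a filtering resolver such as Quad9 or Cloudflare. The following script is an added example and is not part of the interview or of any product mentioned in it. The log format (timestamp, client IP, query name, record type), the `.invalid` blocklist entries and the sample log lines are all constructed for illustration; a real deployment would feed in the resolver's actual query log and a maintained threat-intelligence list.

```python
"""Flag internal hosts whose DNS lookups match a domain blocklist.

Added example, not from the interview. The resolver log format
(timestamp, client IP, query name, record type) and the blocklist
entries are constructed placeholders for illustration.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set

# Constructed blocklist of names a filtering resolver would refuse to
# answer. Real lists come from threat-intelligence feeds; these are
# .invalid placeholders that can never resolve.
BLOCKLIST: Set[str] = {
    "c2-staging.invalid",
    "payload-cdn.invalid",
    "bad-updates.invalid",
}

# Constructed resolver query log: "<timestamp> <client_ip> <qname> <qtype>"
SAMPLE_LOG: List[str] = [
    "2021-01-12T09:14:01Z 10.20.5.17 www.google.com A",
    "2021-01-12T09:14:03Z 10.20.5.17 beacon.c2-staging.invalid A",
    "2021-01-12T09:14:05Z 10.20.8.44 intranet.hospital.local A",
    "2021-01-12T09:14:09Z 10.20.5.17 payload-cdn.invalid TXT",
    "2021-01-12T09:15:00Z 10.20.8.44 time.windows.com A",
    "2021-01-12T09:15:02Z 10.20.9.3 deep.sub.bad-updates.invalid AAAA",
    "malformed line without enough fields",
]


def normalize(qname: str) -> str:
    """Lower-case the name and strip the trailing dot DNS names often carry."""
    return qname.lower().rstrip(".")


def matched_block(qname: str, blocklist: Set[str]) -> Optional[str]:
    """Return the blocklist entry covering qname (exact or parent zone), else None.

    Walking the labels from the full name upward means a listed zone also
    catches every subdomain beneath it, which is how beaconing hosts
    usually vary their lookups.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def flag_hosts(log_lines: Iterable[str], blocklist: Set[str]) -> Dict[str, List[str]]:
    """Map each client IP that looked up a blocked name to the names it asked for.

    Malformed lines are skipped rather than aborting the run, so a single
    bad log entry does not hide every other hit.
    """
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        _timestamp, client_ip, qname, _qtype = fields[:4]
        if matched_block(qname, blocklist) is not None:
            hits[client_ip].append(normalize(qname))
    return dict(hits)


if __name__ == "__main__":
    # Each flagged client is a candidate compromised host to investigate.
    for host, names in sorted(flag_hosts(SAMPLE_LOG, BLOCKLIST).items()):
        print(f"{host}: {', '.join(names)}")
```

The output is a per-host list of blocked names that were requested, which is the signal the interview describes: a machine inside the network asking for a known-bad destination is the starting point for an investigation, regardless of whether the resolver actually answered the query.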